XSS Payload without Anything

What is XSS Payload without Anything?

When I work for a company or on a bug bounty, an unexpected hurdle is the protection (XSS filter) against special characters in the JS (JavaScript) area. So I am devising a way to solve these problems easily, and this document is one part of that process.


Let’s collect a lot of thoughts and solve our problems.


It is similar to “Payload all the things” in that it collects payloads, but I want to provide a list of payloads with special tags (without char, used char, other...). I plan to make it easy to search and to show what characters (or what they are made of) are unusable.


without char: (),'

XSS Payload

// usedchar: 
// author: 
// description:

without char (Frequently filtered characters)

I have selected special characters that are often blocked.

( ) 
{ } 
[ ]


On GitHub.com: 1) Ctrl + F > 2) find your problem char > 3) XSS

On hahwul.com: coming soon


Submit XSS Payloads

Add issue form & label

XSS Payload:
WithOut:
Description:


Pull Request


Tweet with @hahwul


There is likely to be a meaningful result once the payloads accumulate. I look forward to your involvement. Please join me!