Security

XSS Payload without Anything

What is XSS Payload without Anything?

When I work for a company or bug bounty, the unexpected hurdle is a protection(xss filter) of special char in the JS(Javascript) area. So I am devising a way to easily solve these problems, and one of the processes is this document.

https://github.com/hahwul/XSS-Payload-without-Anything

Let’s collect a lot of thoughts and solve our problems.

Concept

It is similar to “Payload all the things” in terms of collecting the payload, but I want to provide a list of payloads with special tag (without char, used char, other..) I plan to make it easy to search and to show what characters (or what they are made of) are unusable.

format

without char: ()``,``'

1
2
3
4
5
6

XSS Payload

// usedchar: 
// author: 
// description:

without char (Frequently filtered characters)

I have selected special characters that are often blocked.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

( ) 
{ } 
, 
"
'
`
[ ]
\ 
/ 
; 
+ 
. 
=

Usage

on Github.com

  1. Ctrl + F >
  2. find your problem char
  3. XSS

on hahwul.com comming soon
https://github.com/hahwul/XSS-Payload-without-Anything

Submit XSS Payloads

Add issue form & label

XSS Payload: WithOut: Description:

or

Pull Request

or

Tweet with @hahwul

Conclusion

There is likely to be a meaningful result when accumulated. I look forward to your involvement. plz join me!

Licensed under CC BY-NC-SA 4.0
Last updated on Jul 10, 2021 01:05 +0900
© 2022 HAHWUL