
XSS Payload without Anything

What is XSS Payload without Anything?

When I work for a company or on bug bounties, an unexpected hurdle is protection (an XSS filter) against special characters in the JS (JavaScript) area. So I am devising a way to easily solve these problems, and this document is one part of that process.

https://github.com/hahwul/XSS-Payload-without-Anything

Let’s collect a lot of thoughts and solve our problems.

Concept

It is similar to “Payload all the things” in terms of collecting payloads, but I want to provide a list of payloads with special tags (without char, used char, other...). I plan to make it easy to search and to show which characters (or what they are made of) are unusable.

Format

without char: ()``,``'

XSS Payload

// usedchar:
// author:
// description:

without char (Frequently filtered characters)

I have selected special characters that are often blocked.

( )
{ }
,
"
'
`
[ ]
\
/
;
+
.
=

Usage

on Github.com

  1. Ctrl + F
  2. Find your problem char
  3. XSS

on hahwul.com (coming soon)

https://github.com/hahwul/XSS-Payload-without-Anything

Submit XSS Payloads

Add issue form & label

XSS Payload:
WithOut:
Description:

or

Pull Request

or

Tweet with @hahwul

Conclusion

There are likely to be meaningful results once enough payloads have accumulated. I look forward to your involvement. Please join me!