Aug 9, 2020

8 min read

Arbitrary Parentheses-less XSS

against strict CSP policies

In the past years, an interesting XSS vector was put on a table by some researchers, and that is Parentheses-less XSS.

It’s not a mystery that there are known payloads that will execute arbitrary XSS with limited charsets. One of the simplest payloads out there is

location=name

which with adequate window.name, will redirect to ‘javascript:alert()’ URL and execute arbitrary XSS stored in the window’s name.

More from terjanq

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

in

Bene Studio

Social login with React Native

Writing cleaner and safer JavaScript with Sum Types

Converting to Asynchronous Code Using IIFE

in

Circuit Slimes Devlog

Devlog — Week 3

How to Integrate File Upload using Multer with Node.js and Express JS

Regular Functions and Arrow Functions in this keyword

Interview Questions (BlogPost_404)

in

Level Up Coding

The Complete Guide to Immutability in TypeScript

About Help Terms Privacy

Get the Medium app

terjanq

terjanq

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq

More from Medium

Login function module: User Authentication .

Writeup: CSRF where token is duplicated in cookie @ PortSwigger Academy

Insecure Direct Object References (IDOR)

Mutation XSS

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Knowable