Arbitrary Parentheses-less XSS

In the past years, an interesting XSS vector was put on a table by some researchers, and that is Parentheses-less XSS.

It’s not a mystery that there are known payloads that will execute arbitrary XSS with limited charsets. One of the simplest payloads out there is

location=name

which with adequate window.name, will redirect to ‘javascript:alert()’ URL and execute arbitrary XSS stored in the window’s name.

--

--

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store