Arbitrary Parentheses-less XSS

In recent years, some researchers have put an interesting XSS vector on the table: parentheses-less XSS.

It’s not a mystery that there are known payloads that will execute arbitrary XSS with limited charsets. One of the simplest payloads out there is


which with adequate, will redirect to the ‘javascript:alert()’ URL and execute arbitrary XSS stored in the window’s name.



Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while.
