XSS technique without parentheses

This is a very old technique I discovered years ago which I used to bypass a filter and it's pretty awesome. It might come in handy to bypass a WAF or filter since it's not public until now. First you need to understand (which you probably do) that the window object is the default object in JavaScript and every time you execute code it's like you've run a with statement on the window if your not more specific. So stuff like onload is really window.onload and so on lets see if you can guess what comes next....

So in JavaScript we have a onerror handler which is also on the window object, this means if we assign a function to onerror we can call it by generating a JavaScript error! How do we generate a JavaScript error? Throw is a nice way, this means throw can pass an argument to a function you can create some pretty awesome crazy looking JavaScript.

onerror=alert;throw 1;

This works on every browser <del datetime="2012-05-07T10:18:19+00:00">apart from Firefox</del> *, Safari and IE will just call the function with the argument but Chrome and Opera add uncaught to the argument. This is no big deal though since we can just modify it slightly and use a different object as an argument such as a string.

onerror=eval;throw'=alert\x281\x29';

Thought I'd post this before this technique gets lost forever and I forget about it pretty awesome XSS eh? :)

• Does actually work in Firefox. My site was disabling the error handling.