Fuzz Vectors

Searching for "JavaScript"

Your browser identified as

General Crawlers unknown

All vectors

Description	Vector	Created by
Characters before javascript uri parsed	<a href="unijavascript:alert(1)" id="fuzzelementnum">test</a>	@freddyb
Characters that eat JavaScript regex escapes	<script> var regexChars = /chr\$/g if(!("chr$".match(regexChars))) { logChr(num) } </script>	@tifkin_
Characters that modify JavaScript regex character classes	<script> var regexChars = /[chr.]/g if(!(".".match(regexChars))) { logChr(num) } <script>	@tifkin_
Characters ignored in Javascript function call with unicode 2	<script>l\chru006fg(num)</script>	@garethheyes
Characters ignored in Javascript function call with unicode	<script>l\u006fchrg(num)</script>	@garethheyes
JavaScript characters that swallow the next character	<script>a='asdfchr\';logChr(num)//asdf'</script>	@tifkin_
Characters that separate JavaScript object key and value	<script> var obj = {"foo"chr"bar"}; logChr(num) </script>	@peksa
JavaScript operators that separate objects and scopes	<script> var v = {}chr{"string in blockscope"} logChr(num) </script>	@peksa
JavaScript operators that evaluate argument in variable assignment	<script> var v = {}chrlogChr(num) </script>	@peksa
Things that break from URIs javascript comments	<a href="javascript://chrlogChr(num)">aaa</a>	@0xAli
HTML input image tag attributes that run JavaScript	<input datahtmlattributes="customLog('datahtmlattributes')" type="image" src="about:blank">	@peksa
HTML input tag attributes that run JavaScript	<input datahtmlattributes="customLog('datahtmlattributes')" type="text">	@peksa
Characters that start JavaScript double quote strings	<script> chr"; logChr(num) </script>	@peksa
Characters that escape JavaScript single line comments	<script> // hmm chrlogChr(num) </script>	@peksa
Ignored characters in javascript protocol uris	<script> var a = document.createElement('a'); a.href = "java\uhex4script:alert()"; if (a.href === "javascript:alert()") { logChr(num); } </script>	@peksa
Characters that separate JavaScript assignment statements	<script> var a={}chrb={}&logChr(num); </script>	@Giutro
Characters that allow a new statement to begin2	<script> var a={}chrb=logChr(num); </script>	@tifkin_
Characters that allow a new statement to begin	<script> var a={}chrlogChr(num); </script>	@tifkin_
Characters that can be used to terminate entities in an href	<a href="javascript&colonchrlog(num)" id="fuzzelementnum">test</a>	@tifkin_
Characters that make a double quote valid	<script> chr"; logChr(num); </script>	@tifkin_
Characters allowed after domain	<a href="http://google.comchrbreakme" id="fuzzelementnum">test</a>	@avlidienbrunn
Characters allowed before http	<a href="http://chrgoogle.com" id="fuzzelementnum">test</a>	@avlidienbrunn
Characters allowed to hex encodings of javascript variables	<script> lo\uchr0067Chr(num); </script>	@tifkin_
Characters allowed to hex encode javascript	<script> lo\chr0067Chr(num); </script>	@tifkin_
Protocols before Javascript to run code by using Flash navigateURL	<script> setTimeout("if(document.getElementById('myframedataprotocols').contentWindow.document.location.hash.substring(1)) customLog('dataprotocols');",1000) </script> <iframe id="myframedataprotocols" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=dataprotocolsjavascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe>	@irsdl
Characters not encoded with encodeURIComponent	<script> chr=String.fromCharCode(num); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(num); } </script>	@garethheyes
Characters not encoded with encodeURI	<script> chr=String.fromCharCode(num); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(num); } </script>	@garethheyes
Characters after javascript uri	<a href="javascriptchr:alert(1)" id="fuzzelementnum">test</a>	@insertScript
Characters before javascript uri	<a href="chrjavascript:alert(1)" id="fuzzelementnum">test</a>	@insertScript
JS Property check middle character	<img src=xx:xx onerror=window[['logchrChr']](num)>	@garethheyes
JS Property check ending character	<img src=xx:xx onerror=window[['logChrchr']](num)>	@garethheyes
Characters allowed before slashes no protocol	<a href="chr//google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed inside slashes no protocol	<a href="/chr/google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of slash 2	<a href="http:chrchrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of slash	<a href="http:chrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed after slash	<a href="http:/chr/google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed inside http	<a href="htchrtp://google.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of forward slash in url	<a href="chrchrgoogle.com" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed instead of colon in js url	<a href="javascriptchralert(1)" id="fuzzelementnum">test</a>	@garethheyes
Entities allowed instead of colon for js protocol	htmlStr = '<a href="javascript'+dataentities+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@peksa
Entities allowed after js protocol	htmlStr = '<a href="javascript'+dataentities+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@garethheyes
Entities allowed before js protocol	htmlStr = '<a href="'+dataentities+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(dataentities); } }catch(e){};	@garethheyes
Determine what character can be at the end of the javascript but before the colon	<!-- sample vector --> <img src=xx:xx chronerror=logChr(num)> <a href=javascriptchr:alert(num)>num</a>	@MisterJyu
Characters to end script tag via JavaScript regex 002	<script>log(num,1</scriptchr//)</script>	@0x6D6172696F
Characters to end script tag via JavaScript regex 001	<script>log(num,1</scriptchr/)</script>	@0x6D6172696F
Iframe contentDocument properties	<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>	@garethheyes
Iframe contentWindow properties	<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>	@garethheyes
Characters eating backslash in javascript string 2	<script>if("x\chr".length==2) { log(num);}</script>	@mhswende
Characters eating backslash in javascript string	<script>if("x\chr".length==1) { log(num);}</script>	@mhswende
Characters ignored inside javascript string v2	<script>if("xchrx" == "xx") { log(num);}</script>	@mhswende
Characters ignored in html event handler name	<img src=x onchrError="javascript:log(num)"/>	@mhswende
Characters ignored in Javascript function call	"`'><script>lochrg(num)</script>	@mhswende
Uncode sequences generating illegitimate ASCII	<script> "\ud83d\uhex4".match(/.<./) ? log(num) : null; </script>	@0x6D6172696F
Characters allowed after ampersand in named character references	<a href="javascript&chrcolon;log(num)" id="fuzzelementnum">test</a>	@_cweb
Characters consuming backslashes and breaking JS strings	<script>a='abc\chr\';log(num)//def';</script>	@0x6D6172696F
Events in tags with src or href that execute javascript	<datahtmlelements data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank dataevents="customLog('datahtmlelements dataevents')"></datahtmlelements>	@garethheyes
Tags and events that execute javascript 2	<datahtmlelements dataevents="javascript:parent.customLog('datahtmlelements dataevents')"></datahtmlelements>	@garethheyes
Tags and events that execute javascript	<datahtmlelements datahtmlattributes="javascript:parent.customLog('datahtmlelements datahtmlattributes')"></datahtmlelements>	@garethheyes
Does this browser support e4x	<script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script>	@garethheyes
Characters escaping JS comment delimiters 001	<script>/* *chr/log(num)// */</script>	@0x6D6172696F
Characters breaking CSS strings allowing expression	"'`>ABC<div style="font-family:'foochr;x:expression(log(num));/*';">DEF	@0x6D6172696F
Characters ending CSS values allowing expressions	"'`>ABC<div style="font-family:'foo'chrx:expression(log(num));/*';">DEF	@0x6D6172696F
Characters breaking JavaScript Regex delimiter	"'`><script>a=/hello;chr;i=0;log(num);a/i;</script>	@0x6D6172696F
Characters before paren in Javascript call	"'`><script>logchr(num)</script>	@garethheyes
Characters in between protocol in js url	<a href="javaschrcript:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
Characters that close JS Comments	'"`><script>/* *chrlog(num)// */</script>	@garethheyes
Characters allowed before protocol in js url	<a href="chrjavascript:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
Characters allowed before colon in js url	<a href="javascriptchr:alert(1)" id="fuzzelementnum">test</a>	@garethheyes
NULL Characters inside JavaScript properties	`'"><script>window['logchr'](num)</script>	@garethheyes
Characters allowed before a JavaScript function	"`'><script>chrlog(num)</script>	@garethheyes