Featured vector

Chrome 0.0
<a href="/0x5cgoogle.com" id="fuzzelement1">asdf</a> <script> if(document.getElementById('fuzzelement1').hostname=="google.com") { alert(1); } </script>

5,453,920 Successful fuzzes

Fuzz Vectors

Searching for "Script"

All vectors

| Description | Vector | Created by |
| --- | --- | --- |
| Characters that eat JavaScript regex escapes | `<script> var regexChars = /*chr*\$/g if(!("*chr*$".match(regexChars))) { logChr(*num*) } </script>` | @tifkin_ |
| Characters that modify JavaScript regex character classes | `<script> var regexChars = /[*chr*.]/g if(!(".".match(regexChars))) { logChr(*num*) } <script>` | @tifkin_ |
| Characters ignored in Javascript function call with unicode 2 | `<script>l\*chr*u006fg(*num*)</script>` | @garethheyes |
| Characters ignored in Javascript function call with unicode | `<script>l\u006f*chr*g(*num*)</script>` | @garethheyes |
| Characters that end script tags | `<script*chr*test>logChr(*num*)</script>` | @JohnathanKuskos |
| Characters that separate JavaScript object key and value | `<script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script>` | @peksa |
| Characters that start JavaScript double quote strings | `<script> *chr*"; logChr(*num*) </script>` | @peksa |
| script var separator | `<script> var a = "olol123*chr* <logChr(*num*)// </script>` | @i_bo0om |
| Characters that separate JavaScript assignment statements | `<script> var a={}*chr*b={}&logChr(*num*); </script>` | @Giutro |
| Characters that allow a new statement to begin 2 | `<script> var a={}*chr*b=logChr(*num*); </script>` | @tifkin_ |
| Characters that allow a new statement to begin | `<script> var a={}*chr*logChr(*num*); </script>` | @tifkin_ |
| Characters that can be used to terminate entities in an href | `<a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a>` | @tifkin_ |
| Characters to break VBScript comments | `<script language="vbscript"> '*chr*log(*num*)' </script>` | @0x6D6172696F |
| Characters that make a double quote valid | `<script> *chr*"; logChr(*num*); </script>` | @tifkin_ |
| Characters allowed after domain | `<a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a>` | @avlidienbrunn |
| Characters allowed before http | `<a href="http://*chr*google.com" id="fuzzelement*num*">test</a>` | @avlidienbrunn |
| Characters allowed to hex encodings of javascript variables | `<script> lo\u*chr*0067Chr(*num*); </script>` | @tifkin_ |
| Characters allowed to hex encode javascript | `<script> lo\*chr*0067Chr(*num*); </script>` | @tifkin_ |
| Characters allowed before script tag name | `<*chr*script> logChr(*num*) </script>` | @tifkin_ |
| Characters not encoded with encodeURIComponent | `<script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script>` | @garethheyes |
| Characters not encoded with encodeURI | `<script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script>` | @garethheyes |
| SVG script | `<svg><script*chr*>logChr(*num*)</script></svg>` | @garethheyes |
| JS Property check middle character | `<img src=xx:xx onerror=window[['log*chr*Chr']](*num*)>` | @garethheyes |
| JS Property check ending character | `<img src=xx:xx onerror=window[['logChr*chr*']](*num*)>` | @garethheyes |
| Characters allowed before slashes no protocol | `<a href="*chr*//google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed inside slashes no protocol | `<a href="/*chr*/google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of slash 2 | `<a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of slash | `<a href="http:*chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed after slash | `<a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed inside http | `<a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of forward slash in url | `<a href="*chr**chr*google.com" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed instead of colon in js url | `<a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed as vbscript variables | `<img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}">` | @garethheyes |
| Replacement for s in script tag | `<*chr*cript>logChr(*num*)</script>` | @blubbfiction |
| Characters inside script tag name | `<scr*chr*ipt>logChr(*num*)</script>` | @blubbfiction |
| Entities allowed instead of colon for js protocol | `htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};` | @peksa |
| Entities allowed after js protocol | `htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};` | @garethheyes |
| Entities allowed before js protocol | `htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};` | @garethheyes |
| Character allowed after the slash for end script tag | `<script>alert(logChr(*num*))</*chr*script>` | @MisterJyu |
| Character allowed before the slash for end script tag | `<script>alert(logChr(*num*))<*chr*/script>` | @MisterJyu |
| Characters that break out of script variables | `<script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script>` | @garethheyes |
| Characters that are spaces | `<img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)">` | @garethheyes |
| Characters that are new lines | `<img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)">` | @garethheyes |
| Determine what character can be at the end of the javascript but before the colon | `<!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a>` | @MisterJyu |
| Characters to end script tag via JavaScript regex 002 | `<script>log(*num*,1</script*chr*//)</script>` | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 001 | `<script>log(*num*,1</script*chr*/)</script>` | @0x6D6172696F |
| Iframe contentDocument properties | `<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>` | @garethheyes |
| Iframe contentWindow properties | `<iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script>` | @garethheyes |
| Characters eating backslash in javascript string 2 | `<script>if("x\*chr*".length==2) { log(*num*);}</script>` | @mhswende |
| Characters eating backslash in javascript string | `<script>if("x\*chr*".length==1) { log(*num*);}</script>` | @mhswende |
| Characters ignored inside javascript string v2 | `<script>if("x*chr*x" == "xx") { log(*num*);}</script>` | @mhswende |
| Characters ignored in html event handler name | `<img src=x on*chr*Error="javascript:log(*num*)"/>` | @mhswende |
| Characters ignored in Javascript function call | `` "`'><script>lo*chr*g(*num*)</script> `` | @mhswende |
| Unicode sequences generating illegitimate ASCII | `<script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script>` | @0x6D6172696F |
| Characters allowed after ampersand in named character references | `<a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a>` | @_cweb |
| Characters consuming backslashes and breaking JS strings | `<script>a='abc\*chr*\';log(*num*)//def';</script>` | @0x6D6172696F |
| Does this browser support e4x | `<script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script>` | @garethheyes |
| Characters allowed after script | `<script*chr*>log(*num*)</script>` | @garethheyes |
| Determine what characters can be inside a script tag | `` "`'><sc*chr*ript>log(*num*)</sc*chr*ript> `` | @MisterJyu |
| Characters escaping JS comment delimiters 001 | `<script>/* **chr*/log(*num*)// */</script>` | @0x6D6172696F |
| Characters breaking CSS strings allowing expression | `` "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF `` | @0x6D6172696F |
| Characters ending CSS values allowing expressions | `` "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF `` | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | `` "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> `` | @0x6D6172696F |
| Characters in script inside XML elements 004 | `` "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> `` | @0x6D6172696F |
| Characters in script inside XML elements 003 | `<p><svg><script>*chr*og(*num*)</script></p>` | @0x6D6172696F |
| Characters in script inside XML elements 002 | `<p><svg><script>l*chr*og(*num*)</script></p>` | @0x6D6172696F |
| Characters in script inside XML elements 001 | `<p><svg><script>*chr*log(*num*)</script></p>` | @0x6D6172696F |
| Character between lt and slash in closing tag | `<script>log(*num*)<*chr*/script>` | @shafigullin |
| Characters allowed for padding in a VBS URI 002 | `<iframe src="vbscript:log*chr**num*"></iframe>` | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | `<iframe src="vbs:log*chr**num*"></iframe>` | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | `<script src="data:text/plain*chr*log(*num*)"></script>` | @0x6D6172696F |
| Characters allowed for padding in a data URI 002 | `<script src="data:*chr*,log(*num*)"></script>` | @0x6D6172696F |
| Characters allowed for padding in a data URI 001 | `<script src="data:text/plain,lo*chr*g(*num*)"></script>` | @0x6D6172696F |
| Characters before paren in Javascript call | `` "'`><script>log*chr*(*num*)</script> `` | @garethheyes |
| Characters before img | `` "'`><*chr*img src=xxx:x onerror=log(*num*)> `` | @garethheyes |
| Characters before script | `` '`"><*chr*script>log(*num*)</script> `` | @garethheyes |
| Characters in between protocol in js url | `<a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters that close JS Comments | `` '"`><script>/* **chr*log(*num*)// */</script> `` | @garethheyes |
| Characters allowed before protocol in js url | `<a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| Characters allowed before colon in js url | `<a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a>` | @garethheyes |
| NULL Characters inside JavaScript properties | `` `'"><script>window['log*chr*'](*num*)</script> `` | @garethheyes |
| Characters allowed before a JavaScript function | `` "`'><script>*chr*log(*num*)</script> `` | @garethheyes |