Shazzer User Guide

What is Shazzer?

Shazzer is a shared online fuzzing platform for browser behavior testing. It enables security researchers to create, share, and run fuzz tests across different browsers to discover parsing quirks, JavaScript syntax variations, and potential security issues.

Whether you're researching XSS bypasses, exploring HTML parsing differences between browsers, or testing JavaScript edge cases, Shazzer provides the tools and infrastructure to systematically test thousands of character combinations across multiple browsers simultaneously.

Key Features

Distributed Fuzzing Network

Shazzer's distributed fuzzing network allows you to run your fuzz tests across real browsers connected from around the world. Instead of testing only in your local browser, your vectors can be executed on Chrome, Firefox, Safari, and Microsoft Edge simultaneously.

• Real-time browser connections - Connected browsers receive and execute fuzzing tasks automatically
• Multi-browser results - Compare how different browsers handle the same fuzzing template
• Network dashboard - View connected browsers, their versions, and current activity in real-time
• Automatic task distribution - Vectors needing results are automatically dispatched to available browsers

Visit the Network page to see connected browsers and monitor fuzzing activity. You can also contribute your own browser to the network to help run tests.

Teams

Teams allow you to collaborate with other researchers on shared fuzzing projects. Each team gets its own private fuzzing network and shared vector collection.

• Team networks - Each team has a dedicated fuzzing network isolated from the public network
• Shared vectors - Assign your vectors to teams so all members can view and run them
• Member management - Invite collaborators and manage team membership
• Private collaboration - Work on sensitive research without exposing vectors publicly

Community Features

Shazzer includes social features to help you discover and share research:

• Follow researchers - Follow other users to stay updated on their vectors
• Like vectors - Save interesting vectors to your liked collection
• Notifications - Get notified about activity related to your vectors and follows
• Categories - Browse vectors organized by topic (HTML Parsing, JavaScript Syntax, XSS Execution, etc.)

MCP API Integration

Shazzer provides API access for programmatic fuzzing through MCP (Model Context Protocol). This allows integration with tools like Claude Desktop and Claude Code CLI.

• Query fuzz results - Search and retrieve fuzzing results programmatically
• Create vectors - Submit new vectors via API
• Trigger fuzzing - Execute fuzzing tasks on the distributed network
• Execute templates - Run ad-hoc fuzzing templates without creating permanent vectors

Generate API keys from your Profile page to get started with the API.

Creating Vectors

Shazzer offers three fuzz types: HTML, JS, and XSS. The concept involves creating a vector and testing it using the test button on the new vector screen. It operates by executing a comprehensive loop with the template and replacing any placeholders.

Placeholders

Placeholders allow users to substitute text in their template with generated characters in a loop. Currently, Shazzer supports many placeholders:

This placeholder logs the number of the current iteration of the loop and is commonly used in JS and XSS vector types.

This placeholder also logs the number of the current iteration of the loop.

This placeholder generates a character based on the current iteration number.

When this special tag is detected, Shazzer will log the result.

HTML Vectors

To create an HTML vector, select HTML from the dropdown menu. The testing options will be tailored to the HTML vector type. A special tag, "<found>", triggers Shazzer to log the result when detected. If you wish to test if characters within a style attribute were successful, you can utilize the style attribute and set the color property to "red". Shazzer will log the result upon detecting the color red.

Example using <found>:

Example using style:

JS Vectors

JS vectors also incorporate a loop, where you should employ the log($[i]) placeholder to log the result. For instance, if you aim to identify which characters are permissible before parentheses in a function call:
log$[chr]($[i])

XSS Vectors

XSS vectors resemble JS vectors but additionally permit HTML usage. You should utilize the same placeholders as you would for JS, but apply XSS vectors to determine if characters are logged. Here's an example XSS vector:
<img src $[chr]onerror=log($[i])>

The onerror attribute will trigger when the characters preceding it are ignored.

List of all placeholders

• $[i] - This placeholder produces the current iteration number
• $[j] - This placeholder produces the current iteration number from the second loop
• $[chr] - This placeholder produces the current character
• $[data1] - This placeholder produces the data specified in the first dropdown
• $[data2] - This placeholder produces the data specified in the second dropdown
• <found> - This placeholder causes a log when the tag is found
• <notfound> - This placeholder causes a log when the tag is not found
• log($[i]) - This placeholder causes the log function to execute with the current iteration number
• log('$[data1]') - This placeholder causes the log function to execute with data in the first dropdown
• log('$[data2]') - This placeholder causes the log function to execute with data in the second dropdown
• urlenc($[chr]) - This placeholder produces the character from the current iteration and url encodes it
• html($[chr]) - This placeholder produces the character from the current iteration and HTML encodes it
• json($[chr]) - This placeholder produces the character from the current iteration and unicode escapes it
• urlenc($[data1]) - This placeholder produces data in the first dropdown and url encodes it
• html($[data1]) - This placeholder produces data in the first dropdown and HTML encodes it
• json($[data1]) - This placeholder produces data in the first dropdown and unicode escapes it
• urlenc($[data2]) - This placeholder produces data in the second dropdown and url encodes it
• html($[data2]) - This placeholder produces data in the second dropdown and HTML encodes it
• json($[data2]) - This placeholder produces data in the second dropdown and unicode escapes it
• $[bytes:deadbeef] - This placeholder allows you to insert bytes
• $[unicode:U+10FFFF] - This placeholder allows you to insert a unicode character

Custom Data Arrays

In addition to character-based fuzzing, you can create custom data arrays to test specific values like HTML tags, event handlers, or attribute names. Create data arrays from your profile and reference them in vectors using:

• $[data1] - First data array
• $[data2] - Second data array

This is useful for testing which HTML elements support certain attributes, or which event handlers are valid in specific contexts.

Comparing Browser Differences

The Differences page shows vectors where browsers behave differently. This is invaluable for finding browser-specific parsing quirks that could lead to security bypasses. For example, a character that's ignored in Chrome but significant in Firefox could be used to craft browser-specific payloads.

Tools

Shazzer provides additional tools to aid your research:

• Unicode Table - Browse and search Unicode characters, useful for identifying characters to test
• Cheat Sheet - Quick reference for XSS payloads and techniques

Tips for Effective Fuzzing

• Start with a small code point range to test your vector logic before running full fuzzes
• Use descriptive names and descriptions for your vectors so others can understand and benefit from your research
• Check the Differences page to see which of your vectors reveal interesting browser variations
• Contribute your browser to the network to help the community and earn fuzzing results on your own vectors
• Use private vectors for sensitive research, then make them public once published