Shazzer User Guide
How to Use Shazzer
Shazzer offers three fuzz types: HTML, JS, and XSS. The idea is to create a vector and test it with the test button on the new vector screen. Shazzer then runs a loop over the template, replacing each placeholder on every iteration.
Placeholders
Placeholders let you substitute text in your template with characters generated in a loop. The four placeholders used in the examples below are:
log($[i])
This placeholder logs the number of the current iteration of the loop and is commonly used in JS and XSS vector types.
$[i]
This placeholder produces the number of the current iteration of the loop; unlike log($[i]) it does not call the log function itself.
$[chr]
This placeholder generates a character based on the current iteration number.
<found>
When this special tag is detected, Shazzer will log the result.
HTML Vectors
To create an HTML vector, select HTML from the dropdown menu; the testing options will then be tailored to the HTML vector type. A special tag, "<found>", triggers Shazzer to log the result when it is detected in the rendered output. To test whether characters inside a style attribute were accepted, use a style attribute that sets the color property to "red": Shazzer logs the result when it detects that the element is red.
Example using <found>:
<!----$[chr]><found>
Example using style:
<div style="/**$[chr]color:red;">test</div>
JS Vectors
JS vectors also run a loop, and you should use the log($[i]) placeholder to log the result. For instance, to identify which characters are permitted before the parentheses in a function call:
log$[chr]($[i])
XSS Vectors
XSS vectors resemble JS vectors but additionally permit HTML. Use the same placeholders as for JS; XSS vectors determine whether the characters still allow the log call to fire. Here's an example XSS vector:
<img src $[chr]onerror=log($[i])>
The onerror attribute will fire when the characters preceding it are ignored by the parser.
List of all placeholders
- $[i] - This placeholder produces the current iteration number
- $[j] - This placeholder produces the current iteration number from the second loop
- $[chr] - This placeholder produces the current character
- fromCodePoint($[i]) - This placeholder produces a String.fromCodePoint call with the current iteration number
- fromCodePoint($[j]) - This placeholder produces a String.fromCodePoint call with the second loop iteration number
- $[data1] - This placeholder produces the data specified in the first dropdown
- $[data2] - This placeholder produces the data specified in the second dropdown
- <found> - This placeholder causes a log when the tag is found
- <notfound> - This placeholder causes a log when the tag is not found
- log($[i]) - This placeholder causes the log function to execute with the current iteration number
- log('$[data1]') - This placeholder causes the log function to execute with data in the first dropdown
- log('$[data2]') - This placeholder causes the log function to execute with data in the second dropdown
- urlenc($[chr]) - This placeholder produces the character from the current iteration and URL encodes it
- html($[chr]) - This placeholder produces the character from the current iteration and HTML encodes it
- json($[chr]) - This placeholder produces the character from the current iteration and unicode escapes it
- urlenc($[data1]) - This placeholder produces data in the first dropdown and URL encodes it
- html($[data1]) - This placeholder produces data in the first dropdown and HTML encodes it
- json($[data1]) - This placeholder produces data in the first dropdown and unicode escapes it
- urlenc($[data2]) - This placeholder produces data in the second dropdown and URL encodes it
- html($[data2]) - This placeholder produces data in the second dropdown and HTML encodes it
- json($[data2]) - This placeholder produces data in the second dropdown and unicode escapes it