Shazzer User Guide
What is Shazzer?
Shazzer is a shared online fuzzing platform for browser behavior testing. It enables security researchers to create, share, and run fuzz tests across different browsers to discover parsing quirks, JavaScript syntax variations, and potential security issues.
Whether you're researching XSS bypasses, exploring HTML parsing differences between browsers, or testing JavaScript edge cases, Shazzer provides the tools and infrastructure to systematically test thousands of character combinations across multiple browsers simultaneously.
Key Features
Distributed Fuzzing Network
Shazzer's distributed fuzzing network allows you to run your fuzz tests across real browsers connected from around the world. Instead of testing only in your local browser, your vectors can be executed on Chrome, Firefox, Safari, and Microsoft Edge simultaneously.
- Real-time browser connections - Connected browsers receive and execute fuzzing tasks automatically
- Multi-browser results - Compare how different browsers handle the same fuzzing template
- Network dashboard - View connected browsers, their versions, and current activity in real-time
- Automatic task distribution - Vectors needing results are automatically dispatched to available browsers
Visit the Network page to see connected browsers and monitor fuzzing activity. You can also contribute your own browser to the network to help run tests.
Teams
Teams allow you to collaborate with other researchers on shared fuzzing projects. Each team gets its own private fuzzing network and shared vector collection.
- Team networks - Each team has a dedicated fuzzing network isolated from the public network
- Shared vectors - Assign your vectors to teams so all members can view and run them
- Member management - Invite collaborators and manage team membership
- Private collaboration - Work on sensitive research without exposing vectors publicly
Community Features
Shazzer includes social features to help you discover and share research:
- Follow researchers - Follow other users to stay updated on their vectors
- Like vectors - Save interesting vectors to your liked collection
- Notifications - Get notified about activity related to your vectors and follows
- Categories - Browse vectors organized by topic (HTML Parsing, JavaScript Syntax, XSS Execution, etc.)
MCP API Integration
Shazzer provides API access for programmatic fuzzing through MCP (Model Context Protocol). This allows integration with tools like Claude Desktop and Claude Code CLI.
- Query fuzz results - Search and retrieve fuzzing results programmatically
- Create vectors - Submit new vectors via API
- Trigger fuzzing - Execute fuzzing tasks on the distributed network
- Execute templates - Run ad-hoc fuzzing templates without creating permanent vectors
Generate API keys from your Profile page to get started with the API.
Creating Vectors
Shazzer offers five vector types. Three are character-fuzzing types — HTML, JS, and XSS— which create a vector and test it using the test button on the new vector screen. They operate by executing a comprehensive loop with the template and replacing any placeholders.
The other two — Performance and Feature— work differently: rather than looping over a range of characters, they run a snippet once per browser and record a measurement. Performance vectors record how long code takes to run; feature vectors record whether a capability is supported. Both are collated across browsers on the Stats page.
Placeholders
Placeholders allow users to substitute text in their template with generated characters in a loop. Currently, Shazzer supports many placeholders:
log($[i])This placeholder logs the number of the current iteration of the loop and is commonly used in JS and XSS vector types.
$[i]This placeholder also logs the number of the current iteration of the loop.
$[chr]This placeholder generates a character based on the current iteration number.
<found>When this special tag is detected, Shazzer will log the result.
HTML Vectors
To create an HTML vector, select HTML from the dropdown menu. The testing options will be tailored to the HTML vector type. A special tag, "<found>", triggers Shazzer to log the result when detected. If you wish to test if characters within a style attribute were successful, you can utilize the style attribute and set the color property to "red". Shazzer will log the result upon detecting the color red.
Example using <found>:
<!----$[chr]><found>Example using style:
<div style="/**$[chr]color:red;">test</div>JS Vectors
JS vectors also incorporate a loop, where you should employ the log($[i]) placeholder to log the result. For instance, if you aim to identify which characters are permissible before parentheses in a function call:log$[chr]($[i])
XSS Vectors
XSS vectors resemble JS vectors but additionally permit HTML usage. You should utilize the same placeholders as you would for JS, but apply XSS vectors to determine if characters are logged. Here's an example XSS vector:<img src $[chr]onerror=log($[i])>
The onerror attribute will trigger when the characters preceding it are ignored.
URL Fuzzing
URL fuzzing uses CSP (Content Security Policy) violation events to determine if a fuzz was successful. When a resource URL is allowed by the browser, a CSP violation is triggered against a restrictive policy, which Shazzer uses to detect and log successful results.
For example, to find which characters are allowed before the src attribute:
<img $[chr]src=https://fuzz.shazzer.co.uk/$[rand]?$[i]>The URL fuzzing button on the vector add/edit page allows you to configure different fuzzing URLs. Each URL uses a different placeholder to identify which iteration or data value triggered the result:
https://fuzz.shazzer.co.uk/$[rand]?$[i]- Logs the iteration numberhttps://fuzz.shazzer.co.uk/$[rand]?$[j]- Logs the second loop iteration numberhttps://fuzz.shazzer.co.uk/$[rand]?$[data1]- Logs the value from the first data arrayhttps://fuzz.shazzer.co.uk/$[rand]?$[data2]- Logs the value from the second data array
Performance Vectors
Performance vectors benchmark JavaScript across browsers so you can see how fast a piece of code runs in Chrome, Firefox, Safari, and Microsoft Edge. Select Performance from the type dropdown. Unlike the fuzzing types, there are no $[chr]/$[i]placeholders — the snippet is run once per browser and timed.
- Snippet A (the vector field) is the code to benchmark, e.g.
s.startsWith("hello"). - Snippet B(optional) lets you compare two approaches. Provide it to run an A/B comparison — e.g.
startsWithvs a regular expression — or leave it empty to simply time a single function. - Shared setup (initCode, under Advanced Options) declares variables both snippets can use, e.g.
var s = "hello world";. You can also setvar iterations = 2000000;here to control how many times each snippet runs per trial.
Each browser warms the code up, then runs several timed trials and reports the median time (in milliseconds, so lower is faster). When both snippets are present, the faster one is highlighted per browser. Because a browser can always pick whichever snippet is faster, the cross-browser ranking uses each browser's best time — so a browser can rank first via Snippet B even if it's slower at Snippet A. Results are aggregated on the Stats → Performance page, which shows which browser is fastest for each operation, an overall win tally, and a normalized performance index.
Feature Vectors
Feature vectors detect whether a browser supports a given capability. Select Feature from the type dropdown and provide a detection snippet that evaluates to a truthy value when the feature is supported. Like performance vectors, the snippet runs once per browser (no placeholder loop).
Example detection snippets:
CSS.supports("selector(:has(a))")— the CSS:has()selectortypeof [].at === "function"—Array.prototype.at()typeof structuredClone === "function"— the globalstructuredClone()
Each browser records a simple supported / not-supported result (a thrown error counts as not supported). Results are aggregated on the Stats → Features page, which shows a support matrix, which browser supports the most features, features supported by only one browser, and features no browser supports.
List of all placeholders
- $[i] - This placeholder produces the current iteration number
- $[j] - This placeholder produces the current iteration number from the second loop
- $[chr] - This placeholder produces the current character
- $[rand] - This placeholder inserts a random string
- $[hex2] - This placeholder inserts a hex string with a length of 2
- $[hex4] - This placeholder inserts a hex string with a length of 4
- $[data1] - This placeholder produces the data specified in the first dropdown
- $[data2] - This placeholder produces the data specified in the second dropdown
- <found> - This placeholder causes a log when the tag is found
- <notfound> - This placeholder causes a log when the tag is not found
- log($[i]) - This placeholder causes the log function to execute with the current iteration number
- log('$[data1]') - This placeholder causes the log function to execute with data in the first dropdown
- log('$[data2]') - This placeholder causes the log function to execute with data in the second dropdown
- urlenc($[chr]) - This placeholder produces the character from the current iteration and url encodes it
- html($[chr]) - This placeholder produces the character from the current iteration and HTML encodes it
- json($[chr]) - This placeholder produces the character from the current iteration and unicode escapes it
- urlenc($[data1]) - This placeholder produces data in the first dropdown and url encodes it
- html($[data1]) - This placeholder produces data in the first dropdown and HTML encodes it
- json($[data1]) - This placeholder produces data in the first dropdown and unicode escapes it
- urlenc($[data2]) - This placeholder produces data in the second dropdown and url encodes it
- html($[data2]) - This placeholder produces data in the second dropdown and HTML encodes it
- json($[data2]) - This placeholder produces data in the second dropdown and unicode escapes it
- $[bytes:deadbeef] - This placeholder allows you to insert bytes
- $[unicode:U+10FFFF] - This placeholder allows you to insert a unicode character
Custom Data Arrays
In addition to character-based fuzzing, you can create custom data arrays to test specific values like HTML tags, event handlers, or attribute names. Create data arrays data section and reference them in vectors using:
$[data1]- First data array$[data2]- Second data array
This is useful for testing which HTML elements support certain attributes, or which event handlers are valid in specific contexts.
Comparing Browser Differences
The Differencespage shows vectors where browsers behave differently. This is invaluable for finding browser-specific parsing quirks that could lead to security bypasses. For example, a character that's ignored in Chrome but significant in Firefox could be used to craft browser-specific payloads.
Tools
Shazzer provides additional tools to aid your research:
- Unicode Table - Browse and search Unicode characters, useful for identifying characters to test
- Cheat Sheet - Quick reference for XSS payloads and techniques
Tips for Effective Fuzzing
- Start with a small code point range to test your vector logic before running full fuzzes
- Use descriptive names and descriptions for your vectors so others can understand and benefit from your research
- Check the Differences page to see which of your vectors reveal interesting browser variations
- Contribute your browser to the network to help the community and earn fuzzing results on your own vectors
- Use private vectors for sensitive research, then make them public once published