Shazzer - Shared online fuzzing

- Home
- Blog
  - Blog home
  - RSS
- Login
- Vectors
- Unicode table
- Help
- Home
- Blog
  - Blog home
  - RSS
- Login
- Vectors
- Unicode table
- Help

Shazzer
Shared online fuzzer

Fuzzing browsers since 2012

Made by Gareth Heyes
Follow me on Twitter: @garethheyes

If you liked this, you may also like Hackvertor, The Spanner

New users

forglockenspielexact BigColaXD mpaujan21 Th3k33n efpi-bot caueobici brenocss Y3RmKHgp sebunya Trusthoodies Crunchy000 hyojin-214 ctzty UzunDz honoki leakimm Polar-Tang SquareMetaFront H3NGO1U alecmaly

Popular users

hackvertor (34)renniepak (7)albinowax (5)joaxcar (5)0x999-x (4)masatokinugawa (3)d0ge (2)JorianWoltjer (2)freddyb (1)hansmach1ne (1)ThomasOrlita (1)DreyAnd (1)jonathann403 (1)securaji (1)InsertScript (1)B-i-t-K (1)koto (1)K4r1it0 (1)sqjor (1)weizman (1)

Recently updated vectors

URL domain dot alternatives Characters that close or encapsulate HTML attribute values ISO-2022-JP ASCII escape sequence Characters that starts element name Scheme slash alternatives in URL() when a base is used Url parsing diff b/w anchor.href and new URL Characters allowed before host name that are ignored Characters allowed as a tag name using DOM APIs Characters encoded by encodeURIComponent()Characters encoded by encodeURI()Characters encoded by escape()encodeURI() not encoded with %

New vectors

encodeURI() not encoded with %Characters encoded by escape()Characters encoded by encodeURI()Characters encoded by encodeURIComponent()Characters before custom tag Injection in src attribute PORT, characters that change hostname Characters appended at the end of PORT within URL, which yield a different HOST Characters allowed as a tag name using DOM APIs Characters allowed before host name that are ignored Url parsing diff b/w anchor.href and new URL Scheme slash alternatives in URL() when a base is used Characters that end unencapsulated HTML attribute values Unicode characters with a decomposition of 2+ ASCII characters and are registerable domains Characters allowed in the protocol that still resolve host name Chars that can be used as opening bracket in innerHTML Fuzzing for Max sanitized input (simplified)CSS inline property definition Characters that starts element name Escape inline double quote Characters allowed before the JavaScript protocol colon

Most popular

URL domain dot alternatives (4.7k)DOM element relationships (4.2k)Characters allowed between hostname and / but don't change the hostname (4.2k)Characters between < and element name (4.1k)JavaScript Scheme starting with https:// (4k)Characters that can precede the javascript protocol (3.8k)Characters allowed javascript and colon (3.7k)< removal bypass (3.6k)Characters allowed javascript and colon copy2 (3.6k)characters allowed between exclamation mark and greater then (3.1k)Characters that close or encapsulate HTML attribute values (3k)Entities that cause an external URL before @ (2.9k)HTML entities that create ASCII characters inside a JavaScript URL (2.8k)Character that closes HTML tag (2.7k)Includes Validation Chars Allowed (2.5k)XSS vectors that consume tag (2.4k)Characters allowed between multiple HTML attributes (2.3k)Characters allowed after hostname but don't change the hostname (2.3k)Tags that get reordered in the DOM (2.3k)All properties on navigator (two levels of nesting deep) (2.1k)

Most liked

URL domain dot alternatives (5)Entities that cause an external URL before @ (4)HTML entities that create ASCII characters inside a JavaScript URL (4)JavaScript Scheme starting with https:// (4)Characters allowed between hostname and / but don't change the hostname (4)Characters that cause an external URL before @ (3)Characters allowed javascript and colon (3)Characters that can precede the javascript protocol (3)Characters allowed after hostname but don't change the hostname (2)Characters that cause exceptions when URL encoded (2)Characters allowed between multiple HTML attributes (2)Properties that contain URLs (2)Unicode characters that get normalized into path traversal characters (2)Characters that can start an HTML comment (2)HTML elements that are self closing or different text content (2)Characters appended at the end of TLD within URL, which yield in the same Origin (2)Characters allowed in-between operators (2)Characters that can be used as valid labels in JavaScript (2)Characters allowed after optional chaining (2)All events on window (1)