Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 174 vectors with results
This vector shows what characters are allowed after the void operator: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/void
JavaScript allows you to conditionally call a function using optional chaining.
<style>0x0D
0x09div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Cdiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Ddiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
This shows how to use Shazzer to fuzz CSS syntax. This vector uses an inline style and div to set the colour. JavaScript is executed directly after each fuzz to check getComputedStyle to see if the div is red.
var myVar = "foo"0x0D
alert(34)0x0D
// a";0x0D
Characters allowed to end a JavaScript string followed by a new line.
alert(new URL("http0x00javascript:alert()").protocol)
Vector to check whether any character can be used to ignore the https scheme in a URL.
<a href="0x01javascript:" id=x></a>
<a href="0x02javascript:" id=x></a>
<a href="0x03javascript:" id=x></a>
<a href="0x04javascript:" id=x></a>
<a href="0x05javascript:" id=x></a>
This is an example of how you can use the XSS type to fuzz URLs. This one fuzzes characters before the JavaScript protocol. It uses a base tag to get round the sandboxed iframe problems.
if (new URL("javascript"+String.fromCodePoint(parseInt(9..toString(16),16))+":alert()").protocol=="javascript:"){alert(9)}
if (new URL("javascript"+String.fromCodePoint(parseInt(10..toString(16),16))+":alert()").protocol=="javascript:"){alert(10)}
if (new URL("javascript"+String.fromCodePoint(parseInt(13..toString(16),16))+":alert()").protocol=="javascript:"){alert(13)}
if (new URL("javascript"+String.fromCodePoint(parseInt(58..toString(16),16))+":alert()").protocol=="javascript:"){alert(58)}
Vector to check whether any characters are allowed between "javascript" and ":" while still resulting in a javascript: URL.
let chr = String.fromCodePoint(9);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)
let chr = String.fromCodePoint(10);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)
let chr = String.fromCodePoint(13);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)
let chr = String.fromCodePoint(43);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)
let chr = String.fromCodePoint(45);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)
This vector demonstrates which characters are allowed in the protocol section of the URL but still resolve to example.com. Based on the following tweet: https://x.com/0xMstar/status/1918577367062331826
<a href="0x01javascript:test.com/" id="test"></a>
<a href="0x02javascript:test.com/" id="test"></a>
<a href="0x03javascript:test.com/" id="test"></a>
<a href="0x04javascript:test.com/" id="test"></a>
<a href="0x05javascript:test.com/" id="test"></a>
Characters that can precede the javascript protocol in HTML.
--><!---><script>alert(45)</script>
--><!-->><script>alert(62)</script>
This vector shows Unicode characters that have a decomposition of 2 or more ASCII characters, which get normalized by the browser. These characters are valid for use as domain names, expanding short strings into longer ones through decomposition.
if (new URL("https://google.com0x090x09/endpoint").host=="google.com"){alert(9)}
if (new URL("https://google.com##/endpoint").host=="google.com"){alert(35)}
if (new URL("https://google.com///endpoint").host=="google.com"){alert(47)}
if (new URL("https://google.com??/endpoint").host=="google.com"){alert(63)}
if (new URL("https://google.com\\/endpoint").host=="google.com"){alert(92)}
Characters ignored in a URL that yield the same host property. This is just a simple modification of another fuzzing vector by hansmachine.
Characters that can follow the opening angle bracket and still form a valid HTML element.
Characters that can be used to end unencapsulated HTML attribute values.
if (new URL("https://example.com" + String.fromCodePoint(9) + "/").hostname === 'example.com'){alert(9)}
if (new URL("https://example.com" + String.fromCodePoint(10) + "/").hostname === 'example.com'){alert(10)}
if (new URL("https://example.com" + String.fromCodePoint(13) + "/").hostname === 'example.com'){alert(13)}
if (new URL("https://example.com" + String.fromCodePoint(35) + "/").hostname === 'example.com'){alert(35)}
if (new URL("https://example.com" + String.fromCodePoint(47) + "/").hostname === 'example.com'){alert(47)}
Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com".
(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D
Characters that cause URL() to treat the provided URL as a relative URL when a base is used, and as an absolute URL when no base is used. Based on the writeup: https://blog.vitorfalcao.com/posts/intigriti-0525-writeup/#checks-vs-usage-a-subtle-difference
if (new URL("https://example" + String.fromCharCode(i) + "com").host == "example.com") alert(i)