Characters that can be inserted in the middle of the JS protocol name
3
3
3
3/
Created bycold-try
Created Apr 15, 2024
Updated May 11, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<a id="0" href="j$[chr]avas$[chr]crip$[chr]t:window">craft-me</a>Code used after fuzz:
if (document.getElementById("0").protocol === "javascript:") { log($[i]) }Sample payloads
<a id="0" href="j0x09avas0x09crip0x09t:window">craft-me</a><a id="0" href="j
avas
crip
t:window">craft-me</a><a id="0" href="j0x0Davas0x0Dcrip0x0Dt:window">craft-me</a>Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 3 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated
Mon Jan 26 2026
Found 3 results
Loading...
Chrome 123.0.0.0 Unknown Unknownolder version
Updated
Mon Apr 15 2024
Found 3 results
Loading...
Firefox 147.0 desktop Linux
Updated
Sun Feb 01 2026
Found 3 results
Loading...
Firefox 143.0 desktop Windows NT 10.0older version
Updated
Sat Oct 04 2025
Found 3 results
Loading...
Firefox 124.0 Unknown Unknownolder version
Updated
Mon Apr 15 2024
Found 3 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 3 results
Loading...
Safari 15.5 Unknown Unknown
Updated
Mon Apr 15 2024
Found 3 results
Loading...