Enumerating...

Characters not urlencoded when using the credentials part of the URL

⚠ Browser differences

This vector shows which characters are not encoded in the credentials part of the URL.

Created May 28, 2024

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

const anchor = document.createElement('a');

Template used:

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint($[i]);0x0D
if(!/%/.test(anchor+''))log($[i])

Sample payloads

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(33);0x0D
if(!/%/.test(anchor+''))alert(33)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(36);0x0D
if(!/%/.test(anchor+''))alert(36)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(38);0x0D
if(!/%/.test(anchor+''))alert(38)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(39);0x0D
if(!/%/.test(anchor+''))alert(39)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(40);0x0D
if(!/%/.test(anchor+''))alert(40)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(41);0x0D
if(!/%/.test(anchor+''))alert(41)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(42);0x0D
if(!/%/.test(anchor+''))alert(42)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(43);0x0D
if(!/%/.test(anchor+''))alert(43)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(44);0x0D
if(!/%/.test(anchor+''))alert(44)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(45);0x0D
if(!/%/.test(anchor+''))alert(45)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(46);0x0D
if(!/%/.test(anchor+''))alert(46)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(48);0x0D
if(!/%/.test(anchor+''))alert(48)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(49);0x0D
if(!/%/.test(anchor+''))alert(49)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(50);0x0D
if(!/%/.test(anchor+''))alert(50)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(51);0x0D
if(!/%/.test(anchor+''))alert(51)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(52);0x0D
if(!/%/.test(anchor+''))alert(52)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(53);0x0D
if(!/%/.test(anchor+''))alert(53)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(54);0x0D
if(!/%/.test(anchor+''))alert(54)

anchor.href='//example.com';0x0D
anchor.username = String.fromCodePoint(55);0x0D
if(!/%/.test(anchor+''))alert(55)