
Host


Testing

Created by: IDKdir

Created on: Monday, July 15, 2024 at 2:36:45 AM

Updated on: Tuesday, May 27, 2025 at 8:15:32 AM


Category: URL Handling

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:
if (new URL('https://www.example.com/$[chr]evil.com').host=='evil.com') {
    log('"https://www.example.com/$[chr]evil.com" -> "evil.com"')
}

if (new URL('https://www.example.com$[chr]evil.com').host=='evil.com') {
    log('"https://www.example.com$[chr]evil.com" -> "evil.com"')
}

Sample payloads

if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {
    alert('"https://www.example.com/0x00evil.com" -> "evil.com"')
}

if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {
    alert('"https://www.example.com0x00evil.com" -> "evil.com"')
}

Fuzz results

Chrome 144.0.0.0 desktop Windows NT 10.0

Updated

Sun Jan 25 2026
Found 1 result