Host

Testing

Created byIDKdir

Created Jul 15, 2024

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

if (new URL('https://www.example.com/$[chr]evil.com').host=='evil.com') {0x0D
    log('"https://www.example.com/$[chr]evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com$[chr]evil.com').host=='evil.com') {0x0D
    log('"https://www.example.com$[chr]evil.com" -> "evil.com"')0x0D
}

Sample payloads

if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com/0x00evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com0x00evil.com" -> "evil.com"')0x0D
}

Host

Testing

Created byIDKdir

Created Jul 15, 2024

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

if (new URL('https://www.example.com/$[chr]evil.com').host=='evil.com') {0x0D
    log('"https://www.example.com/$[chr]evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com$[chr]evil.com').host=='evil.com') {0x0D
    log('"https://www.example.com$[chr]evil.com" -> "evil.com"')0x0D
}

Sample payloads

if (new URL('https://www.example.com/0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com/0x00evil.com" -> "evil.com"')0x0D
}0x0D
0x0D
if (new URL('https://www.example.com0x00evil.com').host=='evil.com') {0x0D
    alert('"https://www.example.com0x00evil.com" -> "evil.com"')0x0D
}

Host

Sample payloads

Fuzz results

Host

Sample payloads

Fuzz results

Distributed Fuzzing

Host

Sample payloads

Fuzz results

Host

Sample payloads

Fuzz results