Characters allowed before CSS selectors
⚠ Browser differences
5
1
5
5This shows how to use Shazzer to fuzz CSS syntax. This vector uses an inline style and div to set the colour. JavaScript is executed directly after each fuzz to check getComputedStyle to see if the div is red.
Created byhackvertor
Created Jul 15, 2024
Updated May 28, 2025
Detecting browser...
CategoryCSS Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<style>0x0D
$[chr]div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
Code used after fuzz:
window.getComputedStyle(x).color === 'rgb(255, 0, 0)' && log($[i])Sample payloads
<style>0x0D
0x00div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x09div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Cdiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Ddiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Fri Jan 30 2026
Found 5 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated
Fri Jan 30 2026
Found 5 results
Loading...
Chrome 139.0.0.0 desktop Linux Unknownolder version
Updated
Wed Sep 24 2025
Found 5 results
Loading...
Firefox 147.0 desktop Windows NT 10.0
Updated
Mon Jan 26 2026
Found 1 result
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Mon Jan 26 2026
Found 5 results
Loading...
Safari 17.4 desktop macOS 10.15.7
Updated
Mon Jul 15 2024
Found 5 results
Loading...