Havocing...

Characters allowed before CSS selectors

This shows how to use Shazzer to fuzz CSS syntax. This vector uses an inline style and div to set the colour. JavaScript is executed directly after each fuzz to check getComputedStyle to see if the div is red.

Created byhackvertor

Created Jul 15, 2024

Updated May 28, 2025

Detecting browser...

CategoryCSS Parsing

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<style>0x0D
$[chr]div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

Code used after fuzz:

window.getComputedStyle(x).color === 'rgb(255, 0, 0)' && log($[i])

Sample payloads

<style>0x0D
0x09div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D

div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
0x0Cdiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
0x0Ddiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
 div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D