Characters allowed before CSS selectors

This vector shows how to use Shazzer to fuzz CSS syntax. It uses an inline style block and a div to set the colour, with the fuzzed character placed directly before the div selector. JavaScript is executed after each fuzz and checks getComputedStyle to see whether the div is red.

Created by: hackvertor

Created on: Monday, July 15, 2024 at 7:35:19 PM

Updated on: Tuesday, August 27, 2024 at 4:44:17 PM

Vector type: XSS

Template used:

<style>
$[chr]div{color:red;}
</style>
<div id=x>test</div>

Code used after fuzz:

window.getComputedStyle(x).color === 'rgb(255, 0, 0)' && log($[i])

Sample payloads

<style>
	div{color:red;}
</style>
<div id=x>test</div>
<style>

div{color:red;}
</style>
<div id=x>test</div>
<style>
div{color:red;}
</style>
<div id=x>test</div>
<style>

div{color:red;}
</style>
<div id=x>test</div>
<style>
 div{color:red;}
</style>
<div id=x>test</div>

Fuzz results

Chrome 126.0.0.0 desktop macOS 10.15.7
Found 5 results

Dec  Hex  Chr
9    09   HT
10   0a   LF
12   0c   FF
13   0d   CR
32   20   SPACE

Safari 17.4 desktop macOS 10.15.7
Found 5 results

Dec  Hex  Chr
9    09   HT
10   0a   LF
12   0c   FF
13   0d   CR
32   20   SPACE
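
The five results in both browsers are what the CSS Syntax Level 3 rules predict: CR and FF are converted to LF during preprocessing, and LF, TAB and SPACE are the only whitespace. The block below is an added example, not code from Shazzer or the vector's author, and all function names are assumptions; it models those rules in plain JavaScript so a style filter can be checked against the same set, and shows where JavaScript's own trim() disagrees with the browser.

```javascript
// Added example: simplified model of CSS Syntax Level 3 input handling.
// All function names are hypothetical; this is not Shazzer or browser code.

// Preprocessing: CRLF, CR and FF each become one LF; NULL and lone
// surrogates become U+FFFD.
function preprocess(css) {
  return css
    .replace(/\r\n|\r|\f/g, "\n")
    .replace(/[\u0000\uD800-\uDFFF]/gu, "\uFFFD");
}

// After preprocessing, CSS whitespace is only LF, TAB and SPACE.
const isCssWhitespace = (ch) => ch === "\n" || ch === "\t" || ch === " ";

// Rule prelude (text before the first "{") with surrounding CSS
// whitespace removed: the selector text the browser ends up matching.
function normalizedPrelude(css) {
  const text = preprocess(css);
  const brace = text.indexOf("{");
  const chars = Array.from(brace === -1 ? text : text.slice(0, brace));
  let start = 0;
  let end = chars.length;
  while (start < end && isCssWhitespace(chars[start])) start++;
  while (end > start && isCssWhitespace(chars[end - 1])) end--;
  return chars.slice(start, end).join("");
}

// Replay the page's template for every code point up to `max` and keep
// the ones that leave the selector as exactly "div".
function predictedResults(max = 0x10ffff) {
  const hits = [];
  for (let cp = 0; cp <= max; cp++) {
    const rule = String.fromCodePoint(cp) + "div{color:red;}";
    if (normalizedPrelude(rule) === "div") hits.push(cp);
  }
  return hits;
}

// True when String.prototype.trim() strips a character that CSS keeps as
// part of the selector, i.e. a filter built on trim() sees a different
// selector than the browser does.
function trimDisagrees(cp) {
  const prelude = String.fromCodePoint(cp) + "div";
  return prelude.trim() === "div" && normalizedPrelude(prelude) !== "div";
}

console.log(predictedResults(0xffff), trimDisagrees(0x0b), trimDisagrees(0xa0));
```

A filter that compares selectors should normalize with the CSS rules rather than with trim() or \s, since those also strip characters such as VT and NBSP that the browser treats as part of the selector.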