Characters allowed before CSS selectors
⚠ Browser differences
5
1
5
5This shows how to use Shazzer to fuzz CSS syntax. This vector uses an inline style and div to set the colour. JavaScript is executed directly after each fuzz to check getComputedStyle to see if the div is red.
Created byhackvertor
Created Jul 15, 2024
Updated May 28, 2025
Detecting browser...
CategoryCSS Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<style>0x0D
$[chr]div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
Code used after fuzz:
window.getComputedStyle(x).color === 'rgb(255, 0, 0)' && log($[i])Sample payloads
<style>0x0D
0x09div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Cdiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
0x0Ddiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
<style>0x0D
div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D
Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 5 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated30 Jan 2026
Found 5 results
Loading...
Chrome 139.0.0.0 desktop Linux Unknownolder version
Updated24 Sept 2025
Found 5 results
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 1 result
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated17 Feb 2026
Found 5 results
Loading...
Safari 17.4 desktop macOS 10.15.7
Updated15 Jul 2024
Found 5 results
Loading...