Characters that can work as attribute seperator
This vector shows which characters can be used instead of the normal space to work as an attribute seperator
Created by: Sudistark
Created on: Saturday, August 17, 2024 at 4:51:50 AM
Updated on: Thursday, September 12, 2024 at 4:59:42 PM
Vector type: JS
Template used:
var markup = `<a$[chr]id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
log($[i])
}
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
var markup = `<a id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(9)
}
var markup = `<a
id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(10)
}
var markup = `<a
id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(12)
}
var markup = `<a
id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(13)
}
var markup = `<a id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(32)
}
var markup = `<a/id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
alert(47)
}
Fuzz results
Chrome 127.0.0.0 desktop Windows NT 10.0
Found 6 results
| Dec | Hex | Chr |
|---|---|---|
| 9 | 09 | HT |
| Dec | Hex | Chr |
|---|---|---|
| 10 | 0a | LF |
| Dec | Hex | Chr |
|---|---|---|
| 12 | 0c | FF |
| Dec | Hex | Chr |
|---|---|---|
| 13 | 0d | CR |
| Dec | Hex | Chr |
|---|---|---|
| 32 | 20 | SPACE |
| Dec | Hex | Chr |
|---|---|---|
| 47 | 2f | / |