Characters allowed in path traversal
5
5
5
5Check which characters are allowed inside a path traversal and the URL still traverses
Created byjoaxcar
Created Aug 26, 2024
Updated May 27, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
new URL("https://x.se/long/..$[chr]/a").pathname.length > 4 ? false : log($[i])Sample payloads
new URL("https://x.se/long/..0x09/a").pathname.length > 4 ? false : alert(9)new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated17 Feb 2026
Found 5 results
Loading...
Chrome 144.0.0.0 desktop macOS 10.15.7older version
Updated17 Feb 2026
Found 5 results
Loading...
Chrome 142.0.0.0 desktop Linux Unknownolder version
Updated8 Nov 2025
Found 5 results
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 5 results
Loading...
Firefox 147.0 desktop Linuxolder version
Updated1 Feb 2026
Found 5 results
Loading...
Firefox 143.0 desktop macOS 10.15older version
Updated22 Sept 2025
Found 5 results
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 5 results
Loading...
Safari 17.4.1 desktop macOS 10.15.7
Updated26 Aug 2024
Found 5 results
Loading...