Characters allowed in path traversal
5
5
5Check which characters are allowed inside a path traversal and the URL still traverses
Created by: joaxcar
Created on: Monday, August 26, 2024 at 8:20:34 PM
Updated on: Tuesday, May 27, 2025 at 8:15:10 AM
Category: URL Handling
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Template used:
new URL("https://x.se/long/..$[chr]/a").pathname.length > 4 ? false : log($[i])Detecting browser...
Sample payloads
new URL("https://x.se/long/..0x09/a").pathname.length > 4 ? false : alert(9)new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 5 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated
Sat Jan 31 2026
Found 5 results
Loading...
Chrome 142.0.0.0 desktop Linux Unknownolder version
Updated
Sat Nov 08 2025
Found 5 results
Loading...
Firefox 143.0 desktop macOS 10.15
Updated
Mon Sep 22 2025
Found 5 results
Loading...
Safari 17.4.1 desktop macOS 10.15.7
Updated
Mon Aug 26 2024
Found 5 results
Loading...