Characters allowed in path traversal
5
5
5Check which characters are allowed inside a path traversal and the URL still traverses
Created by: joaxcar
Created on: Monday, August 26, 2024 at 8:20:34 PM
Updated on: Tuesday, May 27, 2025 at 8:15:10 AM
Category: URL Handling
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Template used:
new URL("https://x.se/long/..$[chr]/a").pathname.length > 4 ? false : log($[i])Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
new URL("https://x.se/long/.. /a").pathname.length > 4 ? false : alert(9)new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)Fuzz results
Safari 17.4.1 desktop macOS 10.15.7
Updated
Mon Aug 26 2024
Found 5 results
Loading...
Firefox 143.0 desktop macOS 10.15
Updated
Mon Sep 22 2025
Found 5 results
Loading...
Chrome 141.0.0.0 desktop macOS 10.15.7
Updated
Wed Oct 29 2025
Found 5 results
Loading...
Chrome 142.0.0.0 desktop Linux Unknown
Updated
Sat Nov 08 2025
Found 5 results
Loading...