Characters unencoded characters supported in the hash

This vector shows which unencoded characters are allowed in the hash

Created by: hackvertor

Created on: Tuesday, September 24, 2024 at 12:33:51 PM

Updated on: Tuesday, May 27, 2025 at 3:37:04 PM

Category: URL Handling

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Code used before fuzz:
const anchor = document.createElement('a');

Template used:

anchor.href='//example.com';
let chr = String.fromCodePoint($[i]);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

anchor.href='//example.com';
let chr = String.fromCodePoint(33);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(33)

anchor.href='//example.com';
let chr = String.fromCodePoint(36);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(36)

anchor.href='//example.com';
let chr = String.fromCodePoint(37);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(37)

anchor.href='//example.com';
let chr = String.fromCodePoint(38);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(38)

anchor.href='//example.com';
let chr = String.fromCodePoint(39);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(39)

anchor.href='//example.com';
let chr = String.fromCodePoint(40);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(40)

anchor.href='//example.com';
let chr = String.fromCodePoint(41);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(41)

anchor.href='//example.com';
let chr = String.fromCodePoint(42);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(42)

anchor.href='//example.com';
let chr = String.fromCodePoint(43);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(43)

anchor.href='//example.com';
let chr = String.fromCodePoint(44);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(44)

anchor.href='//example.com';
let chr = String.fromCodePoint(45);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(45)

anchor.href='//example.com';
let chr = String.fromCodePoint(46);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(46)

anchor.href='//example.com';
let chr = String.fromCodePoint(47);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(47)

anchor.href='//example.com';
let chr = String.fromCodePoint(48);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(48)

anchor.href='//example.com';
let chr = String.fromCodePoint(49);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(49)

anchor.href='//example.com';
let chr = String.fromCodePoint(50);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(50)

anchor.href='//example.com';
let chr = String.fromCodePoint(51);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(51)

anchor.href='//example.com';
let chr = String.fromCodePoint(52);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(52)

anchor.href='//example.com';
let chr = String.fromCodePoint(53);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(53)

anchor.href='//example.com';
let chr = String.fromCodePoint(54);
anchor.hash = chr;
if(anchor.hash.slice(1).includes(chr))alert(54)

Chrome 129.0.0.0 desktop macOS 10.15.7

Updated

Tue Sep 24 2024

Found 89 results

Show differences only?

Filter out alphanumeric

Sort ascending

Firefox 130.0 desktop macOS 10.15

Updated

Tue Sep 24 2024

Found 89 results

Show differences only?

Filter out alphanumeric

Sort ascending

Safari 18.0 desktop macOS 10.15.7

Updated

Tue Sep 24 2024

Found 89 results

Show differences only?

Filter out alphanumeric

Sort ascending