Entities that cause an external URL before @
This vector shows which entities produce an external URL when placed before an @.
Created by: hackvertor
Created on: Wednesday, September 25, 2024 at 7:57:28 AM
Updated on: Wednesday, May 28, 2025 at 5:06:19 PM
Category: Entity Parsing
Vector visibility: Public
Vector type: XSS
Vector charset: UTF-8
Vector data 1: html_entities
Code used before fuzz:
const div = document.createElement('div');

Template used:
div.innerHTML=`<a href="https://psres.net$[data1]@example.com" id=x>test</a>`;

Code used after fuzz:
if(x.host !== 'example.com') {
  log('$[data1]');
}

Sample payloads
div.innerHTML=`<a href="https://psres.net\@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net#@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net?@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net/@example.com" id=x>test</a>`;

Fuzz results
Chrome 144.0.0.0 desktop macOS 10.15.7
Updated: Fri Jan 30 2026
Found 4 results

Chrome 141.0.0.0 desktop Windows NT 10.0 (older version)
Updated: Tue Oct 07 2025
Found 4 results

Firefox 147.0 desktop Windows NT 10.0
Updated: Sat Jan 31 2026
Found 4 results

Firefox 139.0 desktop macOS 10.15 (older version)
Updated: Wed Jun 11 2025
Found 4 results

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated: Fri Jan 30 2026
Found 4 results

Safari 18.5 desktop macOS 10.15.7
Updated: Wed Jun 11 2025
Found 4 results
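
Added example, not part of the original vector page: a host allowlist check run over the four sample payload URLs above, comparing a string-based guess at the host with the host returned by the WHATWG URL parser (Node's built-in URL class). The function names naiveHost, parsedHost, isAllowed and compare are hypothetical, and the last entry in SAMPLES is a constructed control with no delimiter before the @.

```javascript
// URLs taken from the page's sample payloads, plus one constructed control.
const SAMPLES = [
  'https://psres.net\\@example.com',
  'https://psres.net#@example.com',
  'https://psres.net?@example.com',
  'https://psres.net/@example.com',
  'https://psres.net@example.com', // control: psres.net is userinfo here
];

// Hypothetical naive validator: assumes everything after the last @ is the host.
function naiveHost(raw) {
  const rest = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const at = rest.lastIndexOf('@');
  const afterAt = at === -1 ? rest : rest.slice(at + 1);
  return afterAt.split(/[/?#]/)[0].toLowerCase();
}

// Host as resolved by the WHATWG URL parser; null if the URL does not parse.
function parsedHost(raw) {
  try { return new URL(raw).host; } catch { return null; }
}

// Hardened check: compare the parsed host, require https, and reject any
// userinfo so an "@" can never make the link look like it targets the allowed host.
function isAllowed(raw, allowedHost) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return u.protocol === 'https:' &&
         u.host === allowedHost &&
         u.username === '' && u.password === '';
}

// Side-by-side result for each input.
function compare(samples, allowedHost) {
  return samples.map((raw) => ({
    raw,
    naive: naiveHost(raw),
    parsed: parsedHost(raw),
    allowed: isAllowed(raw, allowedHost),
  }));
}

console.table(compare(SAMPLES, 'example.com'));
```

For the four payload URLs the naive check reports example.com while the parser reports psres.net, which is the same mismatch the `x.host !== 'example.com'` test in the vector logs.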