HTML tags that can clobber the credentials part of the URL

This vector shows which which html tags can clobber the credentials part of the URL, based on: https://portswigger.net/research/concealing-payloads-in-url-credentials

Fuzzer

Created by0x999-x

Created Nov 4, 2024

Updated May 28, 2025

Detecting browser...

CategoryDOM Behavior

VisibilityPublic

TypeXSS

CharsetUTF-8

$[data1] placeholderhtml

$[data2] placeholderattributes

Template used:

<$[data1] id="xx" $[data2]="https://x:x@x.com">

Code used after fuzz:

if(xx.username==="x"){log('$[data1]:$[data2]')}

Sample payloads

<a:href id="xx" ="https://x:x@x.com">

<area:href id="xx" ="https://x:x@x.com">

Distributed Fuzzing

HTML tags that can clobber the credentials part of the URL

Sample payloads

Fuzz results