HTML tags that can clobber the credentials part of the URL


This vector shows which HTML tags can clobber the credentials part of the URL, based on: https://portswigger.net/research/concealing-payloads-in-url-credentials
Created by: 0x999-x
Created on: Monday, November 4, 2024 at 8:01:37 AM
Updated on: Wednesday, May 28, 2025 at 5:06:18 PM
Vector type: XSS
Vector charset: UTF-8
Vector data 1: html
Vector data 2: attributes
Template used:
<$[data1] id="xx" $[data2]="https://x:x@x.com">
Code used after fuzz:
if(xx.username==="x"){log('$[data1]:$[data2]')}
Sample payloads
<a id="xx" href="https://x:x@x.com">
<area id="xx" href="https://x:x@x.com">
Fuzz results

Chrome 130.0.0.0 desktop Windows NT 10.0
Updated
Mon Nov 04 2024
Found 2 results

Firefox 138.0 desktop macOS 10.15
Updated
Tue May 27 2025
Found 2 results