HTML tags that can clobber the credentials part of the URL

This vector shows which which html tags can clobber the credentials part of the URL, based on: https://portswigger.net/research/concealing-payloads-in-url-credentials

Created by: 0x999-x

Created on: Monday, November 4, 2024 at 8:01:37 AM

Updated on: Wednesday, April 23, 2025 at 3:37:04 PM

Vector type: XSS

Vector charset: UTF-8

Vector data 1: html

Vector data 2: attributes

Template used:
<$[data1] id="xx" $[data2]="https://x:x@x.com">

Code used after fuzz:
if(xx.username==="x"){log('$[data1]:$[data2]')}

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a:href id="xx" ="https://x:x@x.com"><area:href id="xx" ="https://x:x@x.com">

Fuzz results

Chrome 130.0.0.0 desktop Windows NT 10.0

Updated

Mon Nov 04 2024

Found 2 results

Show differences only?

Filter out alphanumeric

Sort ascending