HTML tags that can clobber the credentials part of the URL
2
2
2This vector shows which which html tags can clobber the credentials part of the URL, based on: https://portswigger.net/research/concealing-payloads-in-url-credentials
Created by0x999-x
Created Nov 4, 2024
Updated May 28, 2025
Detecting browser...
CategoryDOM Behavior
VisibilityPublic
TypeXSS
CharsetUTF-8
$[data1] placeholderhtml
$[data2] placeholderattributes
Template used:
<$[data1] id="xx" $[data2]="https://x:x@x.com">Code used after fuzz:
if(xx.username==="x"){log('$[data1]:$[data2]')}Sample payloads
<a:href id="xx" ="https://x:x@x.com"><area:href id="xx" ="https://x:x@x.com">Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 2 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated28 Jan 2026
Found 2 results
Loading...
Firefox 147.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 2 results
Loading...
Firefox 138.0 desktop macOS 10.15older version
Updated27 May 2025
Found 2 results
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 2 results
Loading...