Non-standard characters that break JSON.parse()

Chrome logo 29

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

Created by: DreyAnd

Created on: Friday, November 15, 2024 at 12:28:16 AM

Updated on: Monday, December 30, 2024 at 10:43:49 AM

Vector type: JS

Vector charset: UTF-8

Template used:
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint($[i]))) { 
        JSON.parse(`{"test":"$[chr]"}`);
    }
} catch {
    log($[i]);
}
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(0))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(0);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(1))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(1);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(2))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(2);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(3))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(3);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(4))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(4);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(5))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(5);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(6))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(6);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(7))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(7);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(8))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(8);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(11))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(11);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(12))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(12);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(14))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(14);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(15))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(15);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(16))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(16);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(17))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(17);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(18))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(18);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(19))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(19);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(20))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(20);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(21))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(21);
}
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(22))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(22);
}

Fuzz results

Chrome logo
Chrome 127.0.0.0 desktop Linux Unknown

Updated

Fri Nov 15 2024
Found 29 results
Loading...