Wrangling...

Non-standard characters that break JSON.parse()

Characters that will break a JSON.parse() that do not include chars within standard JSON-format.

Created byDreyAnd

Created Nov 15, 2024

Updated May 27, 2025

Detecting browser...

CategoryXSS Execution

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint($[i]))) { 0x0D
        JSON.parse(`{"test":"$[chr]"}`);0x0D
    }0x0D
} catch {0x0D
    log($[i]);0x0D
}0x0D

Sample payloads

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D
        JSON.parse(`{"test":"0x00"}`);0x0D
    }0x0D
} catch {0x0D
    alert(0);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D
        JSON.parse(`{"test":"0x01"}`);0x0D
    }0x0D
} catch {0x0D
    alert(1);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D
        JSON.parse(`{"test":"0x02"}`);0x0D
    }0x0D
} catch {0x0D
    alert(2);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D
        JSON.parse(`{"test":"0x03"}`);0x0D
    }0x0D
} catch {0x0D
    alert(3);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D
        JSON.parse(`{"test":"0x04"}`);0x0D
    }0x0D
} catch {0x0D
    alert(4);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(5))) { 0x0D
        JSON.parse(`{"test":"0x05"}`);0x0D
    }0x0D
} catch {0x0D
    alert(5);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(6))) { 0x0D
        JSON.parse(`{"test":"0x06"}`);0x0D
    }0x0D
} catch {0x0D
    alert(6);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(7))) { 0x0D
        JSON.parse(`{"test":"0x07"}`);0x0D
    }0x0D
} catch {0x0D
    alert(7);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(8))) { 0x0D
        JSON.parse(`{"test":"0x08"}`);0x0D
    }0x0D
} catch {0x0D
    alert(8);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(11))) { 0x0D
        JSON.parse(`{"test":"0x0B"}`);0x0D
    }0x0D
} catch {0x0D
    alert(11);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(12))) { 0x0D
        JSON.parse(`{"test":"0x0C"}`);0x0D
    }0x0D
} catch {0x0D
    alert(12);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(14))) { 0x0D
        JSON.parse(`{"test":"0x0E"}`);0x0D
    }0x0D
} catch {0x0D
    alert(14);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(15))) { 0x0D
        JSON.parse(`{"test":"0x0F"}`);0x0D
    }0x0D
} catch {0x0D
    alert(15);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(16))) { 0x0D
        JSON.parse(`{"test":"0x10"}`);0x0D
    }0x0D
} catch {0x0D
    alert(16);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(17))) { 0x0D
        JSON.parse(`{"test":"0x11"}`);0x0D
    }0x0D
} catch {0x0D
    alert(17);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(18))) { 0x0D
        JSON.parse(`{"test":"0x12"}`);0x0D
    }0x0D
} catch {0x0D
    alert(18);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(19))) { 0x0D
        JSON.parse(`{"test":"0x13"}`);0x0D
    }0x0D
} catch {0x0D
    alert(19);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(20))) { 0x0D
        JSON.parse(`{"test":"0x14"}`);0x0D
    }0x0D
} catch {0x0D
    alert(20);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(21))) { 0x0D
        JSON.parse(`{"test":"0x15"}`);0x0D
    }0x0D
} catch {0x0D
    alert(21);0x0D
}0x0D

try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(22))) { 0x0D
        JSON.parse(`{"test":"0x16"}`);0x0D
    }0x0D
} catch {0x0D
    alert(22);0x0D
}0x0D

Distributed Fuzzing

Non-standard characters that break JSON.parse()

Sample payloads

Fuzz results