Non-standard characters that break JSON.parse()

Chrome logo 29
Safari logo 29

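Characters that make JSON.parse() throw when they appear raw inside a JSON string value, excluding characters that are already part of the standard JSON format. JSON requires control characters (U+0000–U+001F) inside a string to be escaped, so an unescaped one is a syntax error; producing JSON with a serializer such as JSON.stringify(), rather than interpolating data into JSON text, escapes them and keeps the parser off its error path.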

Created by: DreyAnd

Created on: Friday, November 15, 2024 at 12:28:16 AM

Updated on: Tuesday, May 27, 2025 at 8:12:50 AM


Category: XSS Execution

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:
// Fuzz template. $[i] and $[chr] are placeholders filled in before the snippet
// runs: the sample payloads on this page show $[i] replaced by a code point
// number (0, 1, 2, ...). $[chr] is presumably the character for that code
// point - confirm against the fuzzing platform's documentation.
try {
    // Characters the fuzz skips: quotes, comma, braces and backslash, plus
    // newline, tab and carriage return.
    // NOTE(review): assigned without const/let, so this relies on sloppy mode;
    // in strict mode or an ES module the assignment itself throws a
    // ReferenceError, which the bare catch below would record as a hit.
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint($[i]))) { 
        // The candidate character is placed raw (unescaped) inside a JSON
        // string value and handed to the parser.
        JSON.parse(`{"test":"$[chr]"}`);
    }
} catch {
    // Any exception, not only a JSON SyntaxError, is recorded as a result for
    // this code point. The sample payloads show alert(n) in this position.
    log($[i]);
}

Sample payloads

// Expanded instances of the page's template, one try/catch per code point.
// The number passed to String.fromCodePoint() and to alert() is the code point
// under test; the visible set is 0-8, 11, 12 and 14-22 (9, 10 and 13 are tab,
// newline and carriage return, which standard_chars excludes).
//
// NOTE(review): the JSON string value is shown empty in every sample. The
// template places the raw character between the quotes, so it was presumably
// dropped when the page was rendered as text. As printed, `{"test":""}` is
// valid JSON and the catch would not run.
//
// NOTE(review): standard_chars is assigned without const/let. That works only
// in sloppy mode; in strict mode or an ES module the assignment throws a
// ReferenceError and the bare catch would report a false hit.
//
// Takeaway for code that builds JSON text: an unescaped control character
// inside a string makes JSON.parse() throw, so untrusted data should go
// through JSON.stringify() (which escapes these characters) instead of being
// interpolated, and an error handler should check the exception type rather
// than treat every failure alike.

// Code point 0
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(0))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(0);
}
// Code point 1
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(1))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(1);
}
// Code point 2
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(2))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(2);
}
// Code point 3
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(3))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(3);
}
// Code point 4
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(4))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(4);
}
// Code point 5
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(5))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(5);
}
// Code point 6
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(6))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(6);
}
// Code point 7
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(7))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(7);
}
// Code point 8
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(8))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(8);
}
// Code point 11
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(11))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(11);
}
// Code point 12
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(12))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(12);
}
// Code point 14
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(14))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(14);
}
// Code point 15
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(15))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(15);
}
// Code point 16
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(16))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(16);
}
// Code point 17
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(17))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(17);
}
// Code point 18
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(18))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(18);
}
// Code point 19
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(19))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(19);
}
// Code point 20
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(20))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(20);
}
// Code point 21
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(21))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(21);
}
// Code point 22
try {
    standard_chars = [
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
    ];

    if (!standard_chars.includes(String.fromCodePoint(22))) { 
        JSON.parse(`{"test":""}`);
    }
} catch {
    alert(22);
}

Fuzz results

Chrome 127.0.0.0 desktop Linux Unknown

Updated

Fri Nov 15 2024
Found 29 results
Safari 18.6 mobile iOS 18.6

Updated

Wed Aug 20 2025
Found 29 results