
Non-standard characters that break JSON.parse()

Chrome logo 29
Safari logo 29

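Characters that make JSON.parse() throw when placed raw (unescaped) inside a JSON string value, not counting the characters that are part of the standard JSON format. JSON requires the control characters U+0000–U+001F to be escaped inside strings, which is why a raw one is a syntax error; text produced by a serializer such as JSON.stringify() never contains them unescaped.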

Created by: DreyAnd

Created on: Friday, November 15, 2024 at 12:28:16 AM

Updated on: Tuesday, May 27, 2025 at 8:12:50 AM


Category: XSS Execution

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:
// Fuzz template: for each candidate code point $[i] (with $[chr] standing for
// that character inserted raw), record the code points for which the try
// block throws. $[i] and $[chr] are the fuzzer's placeholders; the trailing
// 0x0D on each line appears to be the page's rendering of a carriage return,
// not a JavaScript literal.
// NOTE(review): standard_chars is assigned without let/const. In strict mode
// or module code that assignment itself throws, and the bare catch below would
// then log every code point as a hit. The catch also does not check that the
// error is a SyntaxError raised by JSON.parse().
try {0x0D
    // Characters excluded from the run as ordinary JSON syntax or whitespace.
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    // Only code points whose character is not in the exclusion list are parsed.
    if (!standard_chars.includes(String.fromCodePoint($[i]))) { 0x0D
        // The character is placed unescaped inside the string value; JSON
        // requires U+0000–U+001F to be escaped there.
        JSON.parse(`{"test":"$[chr]"}`);0x0D
    }0x0D
} catch {0x0D
    // Any exception from the try block lands here and records the code point.
    log($[i]);0x0D
}0x0D

Sample payloads

// Sample for code point 0 (U+0000, NUL). The 0x00 inside the string appears to
// be the page's rendering of the raw character, and each trailing 0x0D that of
// a carriage return. JSON strings must escape control characters, so
// JSON.parse() rejects the text and the catch branch calls alert(0).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(0))) { 0x0D
        JSON.parse(`{"test":"0x00"}`);0x0D
    }0x0D
} catch {0x0D
    alert(0);0x0D
}0x0D
// Sample for code point 1 (U+0001, SOH). The 0x01 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(1).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(1))) { 0x0D
        JSON.parse(`{"test":"0x01"}`);0x0D
    }0x0D
} catch {0x0D
    alert(1);0x0D
}0x0D
// Sample for code point 2 (U+0002, STX). The 0x02 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(2).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(2))) { 0x0D
        JSON.parse(`{"test":"0x02"}`);0x0D
    }0x0D
} catch {0x0D
    alert(2);0x0D
}0x0D
// Sample for code point 3 (U+0003, ETX). The 0x03 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(3).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(3))) { 0x0D
        JSON.parse(`{"test":"0x03"}`);0x0D
    }0x0D
} catch {0x0D
    alert(3);0x0D
}0x0D
// Sample for code point 4 (U+0004, EOT). The 0x04 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(4).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(4))) { 0x0D
        JSON.parse(`{"test":"0x04"}`);0x0D
    }0x0D
} catch {0x0D
    alert(4);0x0D
}0x0D
// Sample for code point 5 (U+0005, ENQ). The 0x05 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(5).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(5))) { 0x0D
        JSON.parse(`{"test":"0x05"}`);0x0D
    }0x0D
} catch {0x0D
    alert(5);0x0D
}0x0D
// Sample for code point 6 (U+0006, ACK). The 0x06 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(6).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(6))) { 0x0D
        JSON.parse(`{"test":"0x06"}`);0x0D
    }0x0D
} catch {0x0D
    alert(6);0x0D
}0x0D
// Sample for code point 7 (U+0007, BEL). The 0x07 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(7).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(7))) { 0x0D
        JSON.parse(`{"test":"0x07"}`);0x0D
    }0x0D
} catch {0x0D
    alert(7);0x0D
}0x0D
// Sample for code point 8 (U+0008, BS). The 0x08 inside the string appears to
// be the page's rendering of the raw backspace character. JSON accepts it only
// as the escape \b; the raw form is a syntax error, so the catch branch calls
// alert(8).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(8))) { 0x0D
        JSON.parse(`{"test":"0x08"}`);0x0D
    }0x0D
} catch {0x0D
    alert(8);0x0D
}0x0D
// Sample for code point 11 (U+000B, VT). Code points 9 and 10 (tab, line feed)
// are absent from the samples because the exclusion list contains them. The
// 0x0B inside the string appears to be the page's rendering of the raw
// character; unescaped in a JSON string it is a syntax error, so the catch
// branch calls alert(11).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(11))) { 0x0D
        JSON.parse(`{"test":"0x0B"}`);0x0D
    }0x0D
} catch {0x0D
    alert(11);0x0D
}0x0D
// Sample for code point 12 (U+000C, FF). The 0x0C inside the string appears to
// be the page's rendering of the raw form-feed character. JSON accepts it only
// as the escape \f; the raw form is a syntax error, so the catch branch calls
// alert(12).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(12))) { 0x0D
        JSON.parse(`{"test":"0x0C"}`);0x0D
    }0x0D
} catch {0x0D
    alert(12);0x0D
}0x0D
// Sample for code point 14 (U+000E, SO). Code point 13 (carriage return) is
// absent from the samples because the exclusion list contains it. The 0x0E
// inside the string appears to be the page's rendering of the raw character;
// unescaped in a JSON string it is a syntax error, so the catch branch calls
// alert(14).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(14))) { 0x0D
        JSON.parse(`{"test":"0x0E"}`);0x0D
    }0x0D
} catch {0x0D
    alert(14);0x0D
}0x0D
// Sample for code point 15 (U+000F, SI). The 0x0F inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(15).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(15))) { 0x0D
        JSON.parse(`{"test":"0x0F"}`);0x0D
    }0x0D
} catch {0x0D
    alert(15);0x0D
}0x0D
// Sample for code point 16 (U+0010, DLE). The 0x10 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(16).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(16))) { 0x0D
        JSON.parse(`{"test":"0x10"}`);0x0D
    }0x0D
} catch {0x0D
    alert(16);0x0D
}0x0D
// Sample for code point 17 (U+0011, DC1). The 0x11 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(17).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(17))) { 0x0D
        JSON.parse(`{"test":"0x11"}`);0x0D
    }0x0D
} catch {0x0D
    alert(17);0x0D
}0x0D
// Sample for code point 18 (U+0012, DC2). The 0x12 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(18).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(18))) { 0x0D
        JSON.parse(`{"test":"0x12"}`);0x0D
    }0x0D
} catch {0x0D
    alert(18);0x0D
}0x0D
// Sample for code point 19 (U+0013, DC3). The 0x13 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(19).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(19))) { 0x0D
        JSON.parse(`{"test":"0x13"}`);0x0D
    }0x0D
} catch {0x0D
    alert(19);0x0D
}0x0D
// Sample for code point 20 (U+0014, DC4). The 0x14 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(20).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(20))) { 0x0D
        JSON.parse(`{"test":"0x14"}`);0x0D
    }0x0D
} catch {0x0D
    alert(20);0x0D
}0x0D
// Sample for code point 21 (U+0015, NAK). The 0x15 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(21).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(21))) { 0x0D
        JSON.parse(`{"test":"0x15"}`);0x0D
    }0x0D
} catch {0x0D
    alert(21);0x0D
}0x0D
// Sample for code point 22 (U+0016, SYN). The 0x16 inside the string appears to
// be the page's rendering of the raw control character; left unescaped in a
// JSON string it is a syntax error, so the catch branch calls alert(22).
try {0x0D
    standard_chars = [0x0D
        `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`0x0D
    ];0x0D
0x0D
    if (!standard_chars.includes(String.fromCodePoint(22))) { 0x0D
        JSON.parse(`{"test":"0x16"}`);0x0D
    }0x0D
} catch {0x0D
    alert(22);0x0D
}0x0D

Fuzz results

Chrome logo
Chrome 144.0.0.0 desktop Windows NT 10.0

Updated

Sun Jan 25 2026
Found 29 results
Chrome logo
Chrome 127.0.0.0 desktop Linux Unknown (older version)

Updated

Fri Nov 15 2024
Found 29 results
Safari logo
Safari 18.6 mobile iOS 18.6

Updated

Wed Aug 20 2025
Found 29 results