Chars in href that will not default to full URL
2124
test
Created by: joaxcar
Created on: Saturday, November 16, 2024 at 10:35:16 PM
Updated on: Tuesday, December 10, 2024 at 5:32:41 PM
Vector type: XSS
Vector charset: UTF-8
Template used:
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="$[data1]<>";window.a.href.includes("http") ? false : log("$[data1]")</script>
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="á<>";window.a.href.includes("http") ? false : alert("á")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="Ă<>";window.a.href.includes("http") ? false : alert("Ă")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="ă<>";window.a.href.includes("http") ? false : alert("ă")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="∾<>";window.a.href.includes("http") ? false : alert("∾")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="∿<>";window.a.href.includes("http") ? false : alert("∿")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="∾̳<>";window.a.href.includes("http") ? false : alert("∾̳")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="Â<>";window.a.href.includes("http") ? false : alert("Â")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="â<>";window.a.href.includes("http") ? false : alert("â")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="´<>";window.a.href.includes("http") ? false : alert("´")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="А<>";window.a.href.includes("http") ? false : alert("А")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="а<>";window.a.href.includes("http") ? false : alert("а")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="Æ<>";window.a.href.includes("http") ? false : alert("Æ")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="æ<>";window.a.href.includes("http") ? false : alert("æ")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="⁡<>";window.a.href.includes("http") ? false : alert("⁡")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="𝔄<>";window.a.href.includes("http") ? false : alert("𝔄")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="𝔞<>";window.a.href.includes("http") ? false : alert("𝔞")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="À<>";window.a.href.includes("http") ? false : alert("À")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="à<>";window.a.href.includes("http") ? false : alert("à")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="ℵ<>";window.a.href.includes("http") ? false : alert("ℵ")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="ℵ<>";window.a.href.includes("http") ? false : alert("ℵ")</script>
Fuzz results
Chrome 130.0.0.0 desktop macOS 10.15.7
Updated
Sat Nov 16 2024
Found 2124 results
Loading...