Chars in href that will not default to full URL

Chrome: 2124 results

test

Created by: joaxcar

Created on: Saturday, November 16, 2024 at 10:35:16 PM

Updated on: Tuesday, December 10, 2024 at 5:32:41 PM

Vector type: XSS

Vector charset: UTF-8

Template used:
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="$[data1]<>";window.a.href.includes("http") ? false : log("$[data1]")</script>

Sample payloads

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aacute;<>";window.a.href.includes("http") ? false : alert("&aacute;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Abreve;<>";window.a.href.includes("http") ? false : alert("&Abreve;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&abreve;<>";window.a.href.includes("http") ? false : alert("&abreve;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&ac;<>";window.a.href.includes("http") ? false : alert("&ac;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acd;<>";window.a.href.includes("http") ? false : alert("&acd;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acE;<>";window.a.href.includes("http") ? false : alert("&acE;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acirc;<>";window.a.href.includes("http") ? false : alert("&Acirc;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acirc;<>";window.a.href.includes("http") ? false : alert("&acirc;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acute;<>";window.a.href.includes("http") ? false : alert("&acute;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acy;<>";window.a.href.includes("http") ? false : alert("&Acy;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acy;<>";window.a.href.includes("http") ? false : alert("&acy;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&AElig;<>";window.a.href.includes("http") ? false : alert("&AElig;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aelig;<>";window.a.href.includes("http") ? false : alert("&aelig;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&af;<>";window.a.href.includes("http") ? false : alert("&af;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Afr;<>";window.a.href.includes("http") ? false : alert("&Afr;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&afr;<>";window.a.href.includes("http") ? false : alert("&afr;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Agrave;<>";window.a.href.includes("http") ? false : alert("&Agrave;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&agrave;<>";window.a.href.includes("http") ? false : alert("&agrave;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&alefsym;<>";window.a.href.includes("http") ? false : alert("&alefsym;")</script>
<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aleph;<>";window.a.href.includes("http") ? false : alert("&aleph;")</script>

Fuzz results

Chrome 130.0.0.0 desktop macOS 10.15.7

Updated

Sat Nov 16 2024
Found 2124 results