Chars in href that will not default to full URL

2124

test

Created by: joaxcar

Created on: Saturday, November 16, 2024 at 10:35:16 PM

Updated on: Thursday, November 21, 2024 at 5:00:17 AM

Vector type: XSS

Vector charset: UTF-8

Template used:

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="$[data1]<>";window.a.href.includes("http") ? false : log("$[data1]")</script>

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aacute;<>";window.a.href.includes("http") ? false : alert("&aacute;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Abreve;<>";window.a.href.includes("http") ? false : alert("&Abreve;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&abreve;<>";window.a.href.includes("http") ? false : alert("&abreve;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&ac;<>";window.a.href.includes("http") ? false : alert("&ac;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acd;<>";window.a.href.includes("http") ? false : alert("&acd;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acE;<>";window.a.href.includes("http") ? false : alert("&acE;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acirc;<>";window.a.href.includes("http") ? false : alert("&Acirc;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acirc;<>";window.a.href.includes("http") ? false : alert("&acirc;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acute;<>";window.a.href.includes("http") ? false : alert("&acute;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acy;<>";window.a.href.includes("http") ? false : alert("&Acy;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acy;<>";window.a.href.includes("http") ? false : alert("&acy;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&AElig;<>";window.a.href.includes("http") ? false : alert("&AElig;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aelig;<>";window.a.href.includes("http") ? false : alert("&aelig;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&af;<>";window.a.href.includes("http") ? false : alert("&af;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Afr;<>";window.a.href.includes("http") ? false : alert("&Afr;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&afr;<>";window.a.href.includes("http") ? false : alert("&afr;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Agrave;<>";window.a.href.includes("http") ? false : alert("&Agrave;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&agrave;<>";window.a.href.includes("http") ? false : alert("&agrave;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&alefsym;<>";window.a.href.includes("http") ? false : alert("&alefsym;")</script>

<base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aleph;<>";window.a.href.includes("http") ? false : alert("&aleph;")</script>

Chrome 130.0.0.0 desktop macOS 10.15.7

Updated

Sat Nov 16 2024

Found 2124 results

Show differences only?

Filter out alphanumeric

Sort ascending