Shazzer

Find WAF bypass for eval context

⚠ Browser differences
Firefox: 50.7k
Edge: 50.7k
Chrome: 50.7k

Find what characters are allowable inside `javascript` in `eval` (redundant much?)

Created by: elieehel

Created on: Friday, November 22, 2024 at 4:20:16 PM

Updated on: Wednesday, May 28, 2025 at 5:06:04 PM



Category: JavaScript Syntax

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Code used before fuzz:
let v = '';
Template used:
try { v = "javasc$[chr]ript$[chr]:(1)"; if (eval(v)) { console.log(v); log('$[i]') } } catch(e) { v = '' }
Code used after fuzz:
console.log("after fuzz", v);

Sample payloads

try { v = "javasc$ript$:(1)"; if (eval(v)) { console.alert(v); alert('36') } } catch(e) { v = '' }
try { v = "javasc_ript_:(1)"; if (eval(v)) { console.alert(v); alert('95') } } catch(e) { v = '' }
try { v = "javascªriptª:(1)"; if (eval(v)) { console.alert(v); alert('170') } } catch(e) { v = '' }
try { v = "javascµriptµ:(1)"; if (eval(v)) { console.alert(v); alert('181') } } catch(e) { v = '' }
try { v = "javasc·ript·:(1)"; if (eval(v)) { console.alert(v); alert('183') } } catch(e) { v = '' }
try { v = "javascºriptº:(1)"; if (eval(v)) { console.alert(v); alert('186') } } catch(e) { v = '' }
try { v = "javascˬriptˬ:(1)"; if (eval(v)) { console.alert(v); alert('748') } } catch(e) { v = '' }
try { v = "javascˮriptˮ:(1)"; if (eval(v)) { console.alert(v); alert('750') } } catch(e) { v = '' }
try { v = "javascͿriptͿ:(1)"; if (eval(v)) { console.alert(v); alert('895') } } catch(e) { v = '' }
try { v = "javascΌriptΌ:(1)"; if (eval(v)) { console.alert(v); alert('908') } } catch(e) { v = '' }
try { v = "javascՙriptՙ:(1)"; if (eval(v)) { console.alert(v); alert('1369') } } catch(e) { v = '' }
try { v = "javascֿriptֿ:(1)"; if (eval(v)) { console.alert(v); alert('1471') } } catch(e) { v = '' }
try { v = "javascׇriptׇ:(1)"; if (eval(v)) { console.alert(v); alert('1479') } } catch(e) { v = '' }
try { v = "javascۿriptۿ:(1)"; if (eval(v)) { console.alert(v); alert('1791') } } catch(e) { v = '' }
try { v = "javascߺriptߺ:(1)"; if (eval(v)) { console.alert(v); alert('2042') } } catch(e) { v = '' }
try { v = "javasc߽ript߽:(1)"; if (eval(v)) { console.alert(v); alert('2045') } } catch(e) { v = '' }
try { v = "javascলriptল:(1)"; if (eval(v)) { console.alert(v); alert('2482') } } catch(e) { v = '' }
try { v = "javascৗriptৗ:(1)"; if (eval(v)) { console.alert(v); alert('2519') } } catch(e) { v = '' }
try { v = "javascৼriptৼ:(1)"; if (eval(v)) { console.alert(v); alert('2556') } } catch(e) { v = '' }

Fuzz results

Chrome 144.0.0.0 desktop Windows NT 10.0
Updated: Sun Jan 25 2026
Found 50764 results

Firefox 147.0 desktop Windows NT 10.0
Updated: Tue Jan 27 2026
Found 50799 results

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated: Mon Jan 26 2026
Found 50764 results