Shazzer logo
Login

Find WAF bypass for eval context

⚠ Browser differences
Chrome logo 50.7k
Firefox logo 50.7k
Edge logo 50.7k
Safari logo 50.7k

Find what characters are allowable inside `javascript` in `eval` (redundant much?)

elieehel
Created byelieehel
Created Nov 22, 2024
Updated May 28, 2025

Tweet
Detecting browser...
CategoryJavaScript Syntax
VisibilityPublic
TypeJS
CharsetUTF-8
Code used before fuzz:
let v = '';
Template used:
try { v = "javasc$[chr]ript$[chr]:(1)"; if (eval(v)) { console.log(v); log('$[i]') } } catch(e) { v = '' }
Code used after fuzz:
console.log("after fuzz", v);

Sample payloads

try { v = "javasc$ript$:(1)"; if (eval(v)) { console.alert(v); alert('36') } } catch(e) { v = '' }
try { v = "javasc_ript_:(1)"; if (eval(v)) { console.alert(v); alert('95') } } catch(e) { v = '' }
try { v = "javascªriptª:(1)"; if (eval(v)) { console.alert(v); alert('170') } } catch(e) { v = '' }
try { v = "javascµriptµ:(1)"; if (eval(v)) { console.alert(v); alert('181') } } catch(e) { v = '' }
try { v = "javasc·ript·:(1)"; if (eval(v)) { console.alert(v); alert('183') } } catch(e) { v = '' }
try { v = "javascºriptº:(1)"; if (eval(v)) { console.alert(v); alert('186') } } catch(e) { v = '' }
try { v = "javascˬriptˬ:(1)"; if (eval(v)) { console.alert(v); alert('748') } } catch(e) { v = '' }
try { v = "javascˮriptˮ:(1)"; if (eval(v)) { console.alert(v); alert('750') } } catch(e) { v = '' }
try { v = "javascͿriptͿ:(1)"; if (eval(v)) { console.alert(v); alert('895') } } catch(e) { v = '' }
try { v = "javascΌriptΌ:(1)"; if (eval(v)) { console.alert(v); alert('908') } } catch(e) { v = '' }
try { v = "javascՙriptՙ:(1)"; if (eval(v)) { console.alert(v); alert('1369') } } catch(e) { v = '' }
try { v = "javascֿriptֿ:(1)"; if (eval(v)) { console.alert(v); alert('1471') } } catch(e) { v = '' }
try { v = "javascׇriptׇ:(1)"; if (eval(v)) { console.alert(v); alert('1479') } } catch(e) { v = '' }
try { v = "javascۿriptۿ:(1)"; if (eval(v)) { console.alert(v); alert('1791') } } catch(e) { v = '' }
try { v = "javascߺriptߺ:(1)"; if (eval(v)) { console.alert(v); alert('2042') } } catch(e) { v = '' }
try { v = "javasc߽ript߽:(1)"; if (eval(v)) { console.alert(v); alert('2045') } } catch(e) { v = '' }
try { v = "javascলriptল:(1)"; if (eval(v)) { console.alert(v); alert('2482') } } catch(e) { v = '' }
try { v = "javascৗriptৗ:(1)"; if (eval(v)) { console.alert(v); alert('2519') } } catch(e) { v = '' }
try { v = "javascৼriptৼ:(1)"; if (eval(v)) { console.alert(v); alert('2556') } } catch(e) { v = '' }

Fuzz results

Chrome logo
Chrome 148.0.0.0 desktop Windows NT 10.0
Updated15 Mar 2026
Found 50764 results
Loading...
Firefox logo
Firefox 149.0 desktop macOS 10.15
Updated3 Apr 2026
Found 50799 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0older version
Updated23 Feb 2026
Found 50799 results
Loading...
Edge logo
Microsoft Edge 146.0.0.0 desktop Windows NT 10.0
Updated31 Mar 2026
Found 50764 results
Loading...
Safari logo
Safari 0 mobile iOS 16.5.1
Updated4 Apr 2026
Found 50753 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.