Shazzer logo

    Unicode characters that get normalized into path traversal characters

    Firefox logo 12
    Chrome logo 12

    This vector performs normalization and compares to see if the characters get normalized into path traversal characters

    Created by: hackvertor

    Created on: Thursday, December 12, 2024 at 12:54:59 PM

    Updated on: Wednesday, May 28, 2025 at 2:54:32 AM


    Category: JavaScript Syntax

    Vector visibility: Public

    Vector type: JS

    Vector charset: UTF-8

    Code used before fuzz:
    const charsToCheck = ["\\","/","."];
const normalizationForms = ["NFKC", "NFC", "NFD", "NFKD"];
    Template used:
    $[i] > 0x7f && normalizationForms.forEach(form => {
    const normalized = String.fromCodePoint($[i]).normalize(form);
    for(let charToCheck of charsToCheck) {
       if(charToCheck === normalized) {
            log(String.fromCodePoint($[i])+"("+form+")"+"="+charToCheck);
        }
     }
})
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    0 > 0x7f && normalizationForms.forEach(form => {
    const normalized = String.fromCodePoint(0).normalize(form);
    for(let charToCheck of charsToCheck) {
       if(charToCheck === normalized) {
            alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);
        }
     }
})

    Fuzz results

    Firefox logo
    Firefox 139.0 desktop macOS 10.15

    Updated

    Sat May 31 2025
    Found 12 results
    Loading...
    Chrome logo
    Chrome 138.0.0.0 desktop Windows NT 10.0

    Updated

    Sat Aug 02 2025
    Found 12 results
    Loading...
    Chrome logo
    Chrome 141.0.0.0 desktop macOS 10.15.7

    Updated

    Wed Oct 29 2025
    Found 12 results
    Loading...