Characters appended at the end of TLD within URL, which yield in the same host property

Characters ignored in URL, which yield in the same host property. This is just a simple modification of another fuzzing vector by hansmachine

Created Jan 10, 2025

Updated May 28, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

if (new URL("https://google.com$[chr]$[chr]/endpoint").host=="google.com"){log($[i])}

Sample payloads

if (new URL("https://google.com0x090x09/endpoint").host=="google.com"){alert(9)}

if (new URL("https://google.com##/endpoint").host=="google.com"){alert(35)}

if (new URL("https://google.com///endpoint").host=="google.com"){alert(47)}

if (new URL("https://google.com??/endpoint").host=="google.com"){alert(63)}

if (new URL("https://google.com\\/endpoint").host=="google.com"){alert(92)}

if (new URL("https://google.com/endpoint").host=="google.com"){alert(173)}

if (new URL("https://google.com͏͏/endpoint").host=="google.com"){alert(847)}

if (new URL("https://google.comᅟᅟ/endpoint").host=="google.com"){alert(4447)}

if (new URL("https://google.comᅠᅠ/endpoint").host=="google.com"){alert(4448)}

if (new URL("https://google.com឴឴/endpoint").host=="google.com"){alert(6068)}

if (new URL("https://google.com឵឵/endpoint").host=="google.com"){alert(6069)}

if (new URL("https://google.com᠋᠋/endpoint").host=="google.com"){alert(6155)}

if (new URL("https://google.com᠌᠌/endpoint").host=="google.com"){alert(6156)}

if (new URL("https://google.com᠍᠍/endpoint").host=="google.com"){alert(6157)}

if (new URL("https://google.com᠎᠎/endpoint").host=="google.com"){alert(6158)}

if (new URL("https://google.com᠏᠏/endpoint").host=="google.com"){alert(6159)}

if (new URL("https://google.com/endpoint").host=="google.com"){alert(8203)}

if (new URL("https://google.com⁠⁠/endpoint").host=="google.com"){alert(8288)}

if (new URL("https://google.com⁡⁡/endpoint").host=="google.com"){alert(8289)}

if (new URL("https://google.com⁢⁢/endpoint").host=="google.com"){alert(8290)}