Characters allowed between slashes using XSS type
5
5
5
5This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.
Created byhackvertor
Created Jan 16, 2025
Updated May 27, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Code used before fuzz:
<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />Template used:
<a href="/$[chr]/example2.com" id=x></a>Code used after fuzz:
x.host === "example2.com" && log($[i])Sample payloads
<a href="/0x09/example2.com" id=x></a><a href="/
/example2.com" id=x></a><a href="/0x0D/example2.com" id=x></a><a href="///example2.com" id=x></a><a href="/\/example2.com" id=x></a>Fuzz results
Chrome 145.0.0.0 desktop macOS 10.15.7
Updated17 Feb 2026
Found 5 results
Loading...
Chrome 144.0.0.0 desktop Windows NT 10.0older version
Updated17 Feb 2026
Found 5 results
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 5 results
Loading...
Firefox 147.0 desktop Linuxolder version
Updated1 Feb 2026
Found 5 results
Loading...
Firefox 140.0 desktop Linux Unknownolder version
Updated28 Oct 2025
Found 5 results
Loading...
Firefox 134.0 desktop macOS 10.15older version
Updated16 Jan 2025
Found 5 results
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 5 results
Loading...
Safari 18.2 desktop macOS 10.15.7
Updated17 Jan 2025
Found 5 results
Loading...
Safari 18.2 mobile iOS 18.2.1
Updated16 Jan 2025
Found 5 results
Loading...