Characters allowed between slashes using XSS type

This is an example how you can use the XSS type to fuzz URLs. It uses a base tag to get round the sandboxed iframe problems.

Created by: hackvertor

Created on: Thursday, January 16, 2025 at 6:47:50 PM

Updated on: Thursday, January 16, 2025 at 6:47:50 PM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:

<script>window.onerror=x=>true;</script>
<base href="https://example.com" />

Template used:
<a href="/$[chr]/example2.com" id=x></a>

Code used after fuzz:
x.host === "example2.com" && log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a href="/ /example2.com" id=x></a>

<a href="/
/example2.com" id=x></a>

<a href="/
/example2.com" id=x></a>

<a href="///example2.com" id=x></a><a href="/\/example2.com" id=x></a>

Chrome 132.0.0.0 desktop macOS 10.15.7

Updated

Thu Jan 16 2025

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending

Firefox 134.0 desktop macOS 10.15

Updated

Thu Jan 16 2025

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending

Safari 18.2 mobile iOS 18.2.1

Updated

Thu Jan 16 2025

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending