Characters allowed after slashes which result in an external URL

Chrome logo 32
Firefox logo 32
Safari logo 32

This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.

Created by: hackvertor

Created on: Thursday, January 16, 2025 at 6:59:16 PM

Updated on: Thursday, January 16, 2025 at 6:59:16 PM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:
<script>window.onerror=x=>true;</script>
<base href="https://example.com" />
Template used:
<a href="//$[chr]example2.com" id=x></a>
Code used after fuzz:
x.protocol === 'https:' && x.host === "example2.com" && log($[i])
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a href="//	example2.com" id=x></a>
<a href="//
example2.com" id=x></a>
<a href="//
example2.com" id=x></a>
<a href="///example2.com" id=x></a>
<a href="//@example2.com" id=x></a>
<a href="//\example2.com" id=x></a>
<a href="//­example2.com" id=x></a>
<a href="//͏example2.com" id=x></a>
<a href="//᠋example2.com" id=x></a>
<a href="//᠌example2.com" id=x></a>
<a href="//᠍example2.com" id=x></a>
<a href="//᠏example2.com" id=x></a>
<a href="//​example2.com" id=x></a>
<a href="//⁠example2.com" id=x></a>
<a href="//⁤example2.com" id=x></a>
<a href="//︀example2.com" id=x></a>
<a href="//︁example2.com" id=x></a>
<a href="//︂example2.com" id=x></a>
<a href="//︃example2.com" id=x></a>
<a href="//︄example2.com" id=x></a>

Fuzz results

Chrome logo
Chrome 132.0.0.0 desktop macOS 10.15.7

Updated

Thu Jan 16 2025
Found 32 results
Loading...
Firefox logo
Firefox 134.0 desktop macOS 10.15

Updated

Thu Jan 16 2025
Found 32 results
Loading...
Safari logo
Safari 17.4 desktop macOS 10.15.7

Updated

Thu Jan 16 2025
Found 32 results
Loading...