Characters allowed after slashes which result in an external URL
⚠ Browser differences
48
48
48
32This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters after double slashes. It uses a base tag to get round the sandboxed iframe problems.
Created byhackvertor
Created Jan 16, 2025
Updated May 27, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Code used before fuzz:
<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />Template used:
<a href="//$[chr]example2.com" id=x></a>Code used after fuzz:
x.protocol === 'https:' && x.host === "example2.com" && log($[i])Sample payloads
<a href="//0x09example2.com" id=x></a><a href="//
example2.com" id=x></a><a href="//0x0Dexample2.com" id=x></a><a href="///example2.com" id=x></a><a href="//@example2.com" id=x></a><a href="//\example2.com" id=x></a><a href="//example2.com" id=x></a><a href="//͏example2.com" id=x></a><a href="//ᅟexample2.com" id=x></a><a href="//ᅠexample2.com" id=x></a><a href="//឴example2.com" id=x></a><a href="//឵example2.com" id=x></a><a href="//᠋example2.com" id=x></a><a href="//᠌example2.com" id=x></a><a href="//᠍example2.com" id=x></a><a href="//example2.com" id=x></a><a href="//᠏example2.com" id=x></a><a href="//example2.com" id=x></a><a href="//example2.com" id=x></a><a href="//example2.com" id=x></a>Fuzz results
Chrome 145.0.0.0 desktop macOS 10.15.7
Updated17 Feb 2026
Found 48 results
Loading...
Chrome 144.0.0.0 desktop Windows NT 10.0older version
Updated17 Feb 2026
Found 48 results
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 48 results
Loading...
Firefox 147.0 desktop Linuxolder version
Updated1 Feb 2026
Found 48 results
Loading...
Firefox 134.0 desktop macOS 10.15older version
Updated16 Jan 2025
Found 32 results
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 48 results
Loading...
Safari 18.2 desktop macOS 10.15.7
Updated17 Jan 2025
Found 32 results
Loading...