Characters allowed before slashes which result in an external URL

This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.

Created byhackvertor

Created Jan 16, 2025

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Code used before fuzz:

<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />

Template used:

<a href="$[chr]//example2.com" id=x></a>

Code used after fuzz:

x.protocol === 'https:' && x.host === "example2.com" && log($[i])

Sample payloads

<a href="0x01//example2.com" id=x></a>

<a href="0x02//example2.com" id=x></a>

<a href="0x03//example2.com" id=x></a>

<a href="0x04//example2.com" id=x></a>

<a href="0x05//example2.com" id=x></a>

<a href="0x06//example2.com" id=x></a>

<a href="0x07//example2.com" id=x></a>

<a href="0x08//example2.com" id=x></a>

<a href="0x09//example2.com" id=x></a>

<a href="
//example2.com" id=x></a>

<a href="0x0B//example2.com" id=x></a>

<a href="0x0C//example2.com" id=x></a>

<a href="0x0D//example2.com" id=x></a>

<a href="0x0E//example2.com" id=x></a>

<a href="0x0F//example2.com" id=x></a>

<a href="0x10//example2.com" id=x></a>

<a href="0x11//example2.com" id=x></a>

<a href="0x12//example2.com" id=x></a>

<a href="0x13//example2.com" id=x></a>

<a href="0x14//example2.com" id=x></a>

Characters allowed before slashes which result in an external URL

Sample payloads

Fuzz results

Distributed Fuzzing