This is an example of how you can use the XSS type to fuzz URLs. This one fuzzes the characters before a double slash. It uses a base tag to get round the sandboxed iframe problems.
<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" /><a href="$[chr]//example2.com" id=x></a>
x.protocol === 'https:' && x.host === "example2.com" && log($[i])
<a href="0x01//example2.com" id=x></a>
<a href="0x02//example2.com" id=x></a>
<a href="0x03//example2.com" id=x></a>
<a href="0x04//example2.com" id=x></a>
<a href="0x05//example2.com" id=x></a>
<a href="0x06//example2.com" id=x></a>
<a href="0x07//example2.com" id=x></a>
<a href="0x08//example2.com" id=x></a>
<a href="0x09//example2.com" id=x></a>
<a href="0x0A//example2.com" id=x></a>
<a href="0x0B//example2.com" id=x></a>
<a href="0x0C//example2.com" id=x></a>
<a href="0x0D//example2.com" id=x></a>
<a href="0x0E//example2.com" id=x></a>
<a href="0x0F//example2.com" id=x></a>
<a href="0x10//example2.com" id=x></a>
<a href="0x11//example2.com" id=x></a>
<a href="0x12//example2.com" id=x></a>
<a href="0x13//example2.com" id=x></a>
<a href="0x14//example2.com" id=x></a>
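The same check can be run outside the browser to test a redirect or link validator. This is an added example, not part of the original page: it assumes Node.js and its global WHATWG `URL` parser instead of an `<a>` element, covers the 0x01 to 0x14 range listed above, and the two validator functions are hypothetical.

```javascript
// Added example: constructed inputs, checked with the WHATWG URL parser
// (Node.js global URL), not with a browser <a> element as on the page.
const BASE = "https://example.com"; // same base as the page's <base href>
const SUFFIX = "//example2.com";    // same suffix as the page's vector

// Repeat the page's check for every code point in [from, to]:
// x.protocol === 'https:' && x.host === "example2.com"
function fuzzLeadingChar(from, to) {
  const hits = [];
  for (let i = from; i <= to; i++) {
    let u;
    try {
      u = new URL(String.fromCharCode(i) + SUFFIX, BASE);
    } catch {
      continue; // unparseable input is not a hit
    }
    if (u.protocol === "https:" && u.host === "example2.com") hits.push(i);
  }
  return hits;
}

// Hypothetical weak validator: anything that does not start with "//" or a
// scheme is assumed to be a same-site relative path.
function naiveIsRelative(target) {
  return !target.startsWith("//") && !/^[a-z][a-z0-9+.-]*:/i.test(target);
}

// Hypothetical hardened validator: resolve the value the way the client
// will, then compare the resulting origin with the site's own origin.
function resolvesToSameOrigin(target, base = BASE) {
  try {
    return new URL(target, base).origin === new URL(base).origin;
  } catch {
    return false;
  }
}

// Print each leading character that still resolved to example2.com.
const hits = fuzzLeadingChar(0x01, 0x14);
console.log(hits.map(i => "0x" + i.toString(16).toUpperCase().padStart(2, "0")).join(" "));
```

Every code point the string check accepts but the origin comparison rejects marks a gap in a prefix-based validator.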