Shazzer logo

Characters allowed before the JavaScript protocol

Chrome logo 32
Firefox logo 32
Edge logo 32
Safari logo 32

This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before the JavaScript protocol. It uses a base tag to get round the sandboxed iframe problems.

hackvertor
Created byhackvertor
Created Jan 16, 2025
Updated May 28, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Code used before fuzz:
<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />
Template used:
<a href="$[chr]javascript:" id=x></a>
Code used after fuzz:
x.protocol === 'javascript:' && log($[i])

Sample payloads

<a href="0x01javascript:" id=x></a>
<a href="0x02javascript:" id=x></a>
<a href="0x03javascript:" id=x></a>
<a href="0x04javascript:" id=x></a>
<a href="0x05javascript:" id=x></a>
<a href="0x06javascript:" id=x></a>
<a href="0x07javascript:" id=x></a>
<a href="0x08javascript:" id=x></a>
<a href="0x09javascript:" id=x></a>
<a href="
javascript:" id=x></a>
<a href="0x0Bjavascript:" id=x></a>
<a href="0x0Cjavascript:" id=x></a>
<a href="0x0Djavascript:" id=x></a>
<a href="0x0Ejavascript:" id=x></a>
<a href="0x0Fjavascript:" id=x></a>
<a href="0x10javascript:" id=x></a>
<a href="0x11javascript:" id=x></a>
<a href="0x12javascript:" id=x></a>
<a href="0x13javascript:" id=x></a>
<a href="0x14javascript:" id=x></a>

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 32 results
Loading...
Chrome logo
Chrome 132.0.0.0 desktop macOS 10.15.7older version
Updated17 Jan 2025
Found 32 results
Loading...
Firefox logo
Firefox 147.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 32 results
Loading...
Firefox logo
Firefox 134.0 desktop macOS 10.15older version
Updated16 Jan 2025
Found 32 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated17 Feb 2026
Found 32 results
Loading...
Safari logo
Safari 18.2 mobile iOS 18.2.1
Updated16 Jan 2025
Found 32 results
Loading...
Safari logo
Safari 18.2 desktop macOS 10.15.7
Updated17 Jan 2025
Found 32 results
Loading...