Characters allowed before the JavaScript protocol
32
32
32
32This is an example how you can use the XSS type to fuzz URLs. This one fuzzes characters before the JavaScript protocol. It uses a base tag to get round the sandboxed iframe problems.
Created byhackvertor
Created Jan 16, 2025
Updated May 28, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Code used before fuzz:
<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />Template used:
<a href="$[chr]javascript:" id=x></a>Code used after fuzz:
x.protocol === 'javascript:' && log($[i])Sample payloads
<a href="0x01javascript:" id=x></a><a href="0x02javascript:" id=x></a><a href="0x03javascript:" id=x></a><a href="0x04javascript:" id=x></a><a href="0x05javascript:" id=x></a><a href="0x06javascript:" id=x></a><a href="0x07javascript:" id=x></a><a href="0x08javascript:" id=x></a><a href="0x09javascript:" id=x></a><a href="
javascript:" id=x></a><a href="0x0Bjavascript:" id=x></a><a href="0x0Cjavascript:" id=x></a><a href="0x0Djavascript:" id=x></a><a href="0x0Ejavascript:" id=x></a><a href="0x0Fjavascript:" id=x></a><a href="0x10javascript:" id=x></a><a href="0x11javascript:" id=x></a><a href="0x12javascript:" id=x></a><a href="0x13javascript:" id=x></a><a href="0x14javascript:" id=x></a>Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Sun Jan 25 2026
Found 32 results
Loading...
Chrome 132.0.0.0 desktop macOS 10.15.7older version
Updated
Fri Jan 17 2025
Found 32 results
Loading...
Firefox 147.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 32 results
Loading...
Firefox 134.0 desktop macOS 10.15older version
Updated
Thu Jan 16 2025
Found 32 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Mon Jan 26 2026
Found 32 results
Loading...
Safari 18.2 mobile iOS 18.2.1
Updated
Thu Jan 16 2025
Found 32 results
Loading...
Safari 18.2 desktop macOS 10.15.7
Updated
Fri Jan 17 2025
Found 32 results
Loading...