Characters allowed in the protocol that still resolve host name
68
68
68
68This vector demonstrates which characters are allowed in the protocol section of the URL but still resolve to example.com. Based on the following tweet: https://x.com/0xMstar/status/1918577367062331826
Created by: hackvertor
Created on: Tuesday, May 6, 2025 at 11:19:01 AM
Updated on: Wednesday, May 28, 2025 at 5:06:20 PM
Detecting browser...
Category: URL Handling
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Template used:
let chr = String.fromCodePoint($[i]);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && log($[i])Sample payloads
let chr = String.fromCodePoint(9);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)let chr = String.fromCodePoint(10);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)let chr = String.fromCodePoint(13);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)let chr = String.fromCodePoint(43);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)let chr = String.fromCodePoint(45);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)let chr = String.fromCodePoint(46);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(46)let chr = String.fromCodePoint(48);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(48)let chr = String.fromCodePoint(49);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(49)let chr = String.fromCodePoint(50);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(50)let chr = String.fromCodePoint(51);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(51)let chr = String.fromCodePoint(52);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(52)let chr = String.fromCodePoint(53);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(53)let chr = String.fromCodePoint(54);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(54)let chr = String.fromCodePoint(55);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(55)let chr = String.fromCodePoint(56);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(56)let chr = String.fromCodePoint(57);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(57)let chr = String.fromCodePoint(65);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(65)let chr = String.fromCodePoint(66);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(66)let chr = String.fromCodePoint(67);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(67)let chr = String.fromCodePoint(68);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(68)Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Sun Jan 25 2026
Found 68 results
Loading...
Chrome 137.0.0.0 desktop macOS 10.15.7older version
Updated
Mon May 26 2025
Found 68 results
Loading...
Firefox 147.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 68 results
Loading...
Firefox 138.0 desktop macOS 10.15older version
Updated
Tue May 06 2025
Found 68 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Mon Jan 26 2026
Found 68 results
Loading...
Microsoft Edge 136.0.0.0 desktop macOS 10.15.7older version
Updated
Thu May 29 2025
Found 68 results
Loading...
Safari 18.4 desktop macOS 10.15.7
Updated
Tue May 06 2025
Found 68 results
Loading...