Characters allowed in the protocol that still resolve host name

Chrome logo 68
Firefox logo 68
Safari logo 68

This vector demonstrates which characters are allowed in the protocol section of the URL but still resolve to example.com. Based on the following tweet: https://x.com/0xMstar/status/1918577367062331826

Created by: hackvertor

Created on: Tuesday, May 6, 2025 at 11:19:01 AM

Updated on: Thursday, May 8, 2025 at 7:07:03 AM

Vector type: JS

Vector charset: UTF-8

Template used:
let chr = String.fromCodePoint($[i]);
new URL("foo"+chr+"bar://example.com").host === "example.com" && log($[i])
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

let chr = String.fromCodePoint(9);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)
let chr = String.fromCodePoint(10);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)
let chr = String.fromCodePoint(13);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)
let chr = String.fromCodePoint(43);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)
let chr = String.fromCodePoint(45);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)
let chr = String.fromCodePoint(46);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(46)
let chr = String.fromCodePoint(48);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(48)
let chr = String.fromCodePoint(49);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(49)
let chr = String.fromCodePoint(50);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(50)
let chr = String.fromCodePoint(51);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(51)
let chr = String.fromCodePoint(52);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(52)
let chr = String.fromCodePoint(53);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(53)
let chr = String.fromCodePoint(54);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(54)
let chr = String.fromCodePoint(55);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(55)
let chr = String.fromCodePoint(56);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(56)
let chr = String.fromCodePoint(57);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(57)
let chr = String.fromCodePoint(65);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(65)
let chr = String.fromCodePoint(66);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(66)
let chr = String.fromCodePoint(67);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(67)
let chr = String.fromCodePoint(68);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(68)

Fuzz results

Chrome logo
Chrome 136.0.0.0 desktop macOS 10.15.7

Updated

Tue May 06 2025
Found 68 results
Loading...
Firefox logo
Firefox 138.0 desktop macOS 10.15

Updated

Tue May 06 2025
Found 68 results
Loading...
Safari logo
Safari 18.4 desktop macOS 10.15.7

Updated

Tue May 06 2025
Found 68 results
Loading...