Shazzer logo
Login

Characters allowed in the protocol that still resolve host name

Chrome logo 68
Firefox logo 68
Edge logo 68
Safari logo 68

This vector demonstrates which characters are allowed in the protocol section of the URL but still resolve to example.com. Based on the following tweet: https://x.com/0xMstar/status/1918577367062331826

hackvertor
Created byhackvertor
Created May 6, 2025
Updated May 28, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
let chr = String.fromCodePoint($[i]);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && log($[i])

Sample payloads

let chr = String.fromCodePoint(9);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)
let chr = String.fromCodePoint(10);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)
let chr = String.fromCodePoint(13);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)
let chr = String.fromCodePoint(43);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)
let chr = String.fromCodePoint(45);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)
let chr = String.fromCodePoint(46);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(46)
let chr = String.fromCodePoint(48);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(48)
let chr = String.fromCodePoint(49);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(49)
let chr = String.fromCodePoint(50);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(50)
let chr = String.fromCodePoint(51);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(51)
let chr = String.fromCodePoint(52);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(52)
let chr = String.fromCodePoint(53);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(53)
let chr = String.fromCodePoint(54);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(54)
let chr = String.fromCodePoint(55);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(55)
let chr = String.fromCodePoint(56);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(56)
let chr = String.fromCodePoint(57);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(57)
let chr = String.fromCodePoint(65);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(65)
let chr = String.fromCodePoint(66);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(66)
let chr = String.fromCodePoint(67);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(67)
let chr = String.fromCodePoint(68);0x0D
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(68)

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 68 results
Loading...
Chrome logo
Chrome 137.0.0.0 desktop macOS 10.15.7older version
Updated26 May 2025
Found 68 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 68 results
Loading...
Firefox logo
Firefox 138.0 desktop macOS 10.15older version
Updated6 May 2025
Found 68 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 68 results
Loading...
Edge logo
Microsoft Edge 136.0.0.0 desktop macOS 10.15.7older version
Updated29 May 2025
Found 68 results
Loading...
Safari logo
Safari 18.4 desktop macOS 10.15.7
Updated6 May 2025
Found 68 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.