Shazzer logo

    Characters allowed in the protocol that still resolve host name

    Chrome logo 68
    Firefox logo 68
    Safari logo 68

    This vector demonstrates which characters are allowed in the protocol section of the URL but still resolve to example.com. Based on the following tweet: https://x.com/0xMstar/status/1918577367062331826

    Created by: hackvertor

    Created on: Tuesday, May 6, 2025 at 11:19:01 AM

    Updated on: Friday, May 23, 2025 at 5:03:06 PM

    Vector type: JS

    Vector charset: UTF-8

    Template used:
    let chr = String.fromCodePoint($[i]);
new URL("foo"+chr+"bar://example.com").host === "example.com" && log($[i])
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    let chr = String.fromCodePoint(9);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(9)
    let chr = String.fromCodePoint(10);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(10)
    let chr = String.fromCodePoint(13);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(13)
    let chr = String.fromCodePoint(43);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(43)
    let chr = String.fromCodePoint(45);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(45)
    let chr = String.fromCodePoint(46);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(46)
    let chr = String.fromCodePoint(48);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(48)
    let chr = String.fromCodePoint(49);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(49)
    let chr = String.fromCodePoint(50);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(50)
    let chr = String.fromCodePoint(51);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(51)
    let chr = String.fromCodePoint(52);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(52)
    let chr = String.fromCodePoint(53);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(53)
    let chr = String.fromCodePoint(54);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(54)
    let chr = String.fromCodePoint(55);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(55)
    let chr = String.fromCodePoint(56);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(56)
    let chr = String.fromCodePoint(57);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(57)
    let chr = String.fromCodePoint(65);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(65)
    let chr = String.fromCodePoint(66);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(66)
    let chr = String.fromCodePoint(67);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(67)
    let chr = String.fromCodePoint(68);
new URL("foo"+chr+"bar://example.com").host === "example.com" && alert(68)

    Fuzz results

    Chrome logo
    Chrome 136.0.0.0 desktop macOS 10.15.7

    Updated

    Tue May 06 2025
    Found 68 results
    Loading...
    Firefox logo
    Firefox 138.0 desktop macOS 10.15

    Updated

    Tue May 06 2025
    Found 68 results
    Loading...
    Safari logo
    Safari 18.4 desktop macOS 10.15.7

    Updated

    Tue May 06 2025
    Found 68 results
    Loading...