Scheme slash alternatives in URL() when a base is used
⚠ Browser differences
48
48
32Characters that cause URL() to treat the provided url as a relative url when a base is used, and as an absolute url when no base is used. Based on the writeup: https://blog.vitorfalcao.com/posts/intigriti-0525-writeup/#checks-vs-usage-a-subtle-difference
Created by: N25sec
Created on: Thursday, May 22, 2025 at 9:03:44 AM
Updated on: Wednesday, May 28, 2025 at 5:06:18 PM
Category: URL Handling
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Template used:
(new URL("https:" + String.fromCodePoint($[i]) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint($[i]) + "example.com").origin === new URL("https://example.com").origin) && log($[i] + " >> " + String.fromCodePoint($[i]))0x0D
0x0D
Detecting browser...
Sample payloads
(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D
Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Fri Jan 30 2026
Found 48 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated
Sun Jan 25 2026
Found 48 results
Loading...
Firefox 138.0 desktop macOS 10.15
Updated
Tue May 27 2025
Found 32 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Mon Jan 26 2026
Found 48 results
Loading...