Scheme slash alternatives in URL() when a base is used
48
48
48Characters that cause URL() to treat the provided url as a relative url when a base is used, and as an absolute url when no base is used. Based on the writeup: https://blog.vitorfalcao.com/posts/intigriti-0525-writeup/#checks-vs-usage-a-subtle-difference
Created byN25sec
Created May 22, 2025
Updated May 28, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
(new URL("https:" + String.fromCodePoint($[i]) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint($[i]) + "example.com").origin === new URL("https://example.com").origin) && log($[i] + " >> " + String.fromCodePoint($[i]))0x0D
0x0D
Sample payloads
(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D
Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 48 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated25 Jan 2026
Found 48 results
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 48 results
Loading...
Firefox 138.0 desktop macOS 10.15older version
Updated27 May 2025
Found 32 results
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 48 results
Loading...