Scheme slash alternatives in URL() when a base is used

⚠ Browser differences

Characters that cause URL() to treat the provided url as a relative url when a base is used, and as an absolute url when no base is used. Based on the writeup: https://blog.vitorfalcao.com/posts/intigriti-0525-writeup/#checks-vs-usage-a-subtle-difference

Novice Fuzzer

Created byN25sec

Created May 22, 2025

Updated May 28, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

(new URL("https:" + String.fromCodePoint($[i]) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint($[i]) + "example.com").origin === new URL("https://example.com").origin) && log($[i] + " >> " + String.fromCodePoint($[i]))0x0D
0x0D

Sample payloads

(new URL("https:" + String.fromCodePoint(0) + "example.com","https://shazzer.co.uk").origin === new URL("https://shazzer.co.uk").origin) && (new URL("https:" + String.fromCodePoint(0) + "example.com").origin === new URL("https://example.com").origin) && alert(0 + " >> " + String.fromCodePoint(0))0x0D
0x0D

Distributed Fuzzing

Scheme slash alternatives in URL() when a base is used

Sample payloads

Fuzz results