Injection in src attribute PORT, characters that change hostname
1
1
1
1Injection in src attribute PORT, characters that change hostname
Created byreindaelman
Created Jun 15, 2025
Updated Jun 15, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1$[chr]1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
log($[i]);0x0D
}0x0D
} catch{}Sample payloads
try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1@1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
alert(64);0x0D
}0x0D
} catch{}Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 1 result
Loading...
Chrome 144.0.0.0 desktop macOS 10.15.7older version
Updated25 Jan 2026
Found 1 result
Loading...
Chrome 130.0.0.0 desktop Linux Unknownolder version
Updated20 Jul 2025
Found 1 result
Loading...
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 1 result
Loading...
Firefox 147.0 desktop Linuxolder version
Updated23 Feb 2026
Found 1 result
Loading...
Firefox 139.0 desktop macOS 10.15older version
Updated15 Jun 2025
Found 1 result
Loading...
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 1 result
Loading...
Safari 18.5 desktop macOS 10.15.7
Updated15 Jun 2025
Found 1 result
Loading...