Injection in src attribute PORT, characters that change hostname

Novice Fuzzer

Created byreindaelman

Created Jun 15, 2025

Updated Jun 15, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1$[chr]1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
  log($[i]);0x0D
}0x0D
} catch{}

Sample payloads

try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1@1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
  alert(64);0x0D
}0x0D
} catch{}

Distributed Fuzzing

Injection in src attribute PORT, characters that change hostname

Sample payloads

Fuzz results