masato - braves parsing finding valid characters

Trying to see what characters are allowed

Bug Hunter

Created byInsertScript

Created Aug 3, 2025

Updated Aug 3, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<div id="x$[i]"><span x="href=$[chr]&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x$[i]"].innerHTML=window["x$[i]"].innerHTML;0x0D
if (window["x$[i]"].firstChild.getAttribute("href") != null)0x0D
{0x0D
log($[i])0x0D
}0x0D
</script>

Sample payloads

<div id="x9"><span x="href=0x09&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x9"].innerHTML=window["x9"].innerHTML;0x0D
if (window["x9"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(9)0x0D
}0x0D
</script>

<div id="x10"><span x="href=
&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x10"].innerHTML=window["x10"].innerHTML;0x0D
if (window["x10"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(10)0x0D
}0x0D
</script>

<div id="x12"><span x="href=0x0C&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x12"].innerHTML=window["x12"].innerHTML;0x0D
if (window["x12"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(12)0x0D
}0x0D
</script>

<div id="x13"><span x="href=0x0D&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x13"].innerHTML=window["x13"].innerHTML;0x0D
if (window["x13"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(13)0x0D
}0x0D
</script>

<div id="x32"><span x="href= &gt;&bbb"></span></div>0x0D
<script>0x0D
window["x32"].innerHTML=window["x32"].innerHTML;0x0D
if (window["x32"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(32)0x0D
}0x0D
</script>

<div id="x45"><span x="href=-&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x45"].innerHTML=window["x45"].innerHTML;0x0D
if (window["x45"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(45)0x0D
}0x0D
</script>

<div id="x48"><span x="href=0&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x48"].innerHTML=window["x48"].innerHTML;0x0D
if (window["x48"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(48)0x0D
}0x0D
</script>

<div id="x49"><span x="href=1&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x49"].innerHTML=window["x49"].innerHTML;0x0D
if (window["x49"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(49)0x0D
}0x0D
</script>

<div id="x50"><span x="href=2&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x50"].innerHTML=window["x50"].innerHTML;0x0D
if (window["x50"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(50)0x0D
}0x0D
</script>

<div id="x51"><span x="href=3&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x51"].innerHTML=window["x51"].innerHTML;0x0D
if (window["x51"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(51)0x0D
}0x0D
</script>

<div id="x52"><span x="href=4&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x52"].innerHTML=window["x52"].innerHTML;0x0D
if (window["x52"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(52)0x0D
}0x0D
</script>

<div id="x53"><span x="href=5&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x53"].innerHTML=window["x53"].innerHTML;0x0D
if (window["x53"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(53)0x0D
}0x0D
</script>

<div id="x54"><span x="href=6&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x54"].innerHTML=window["x54"].innerHTML;0x0D
if (window["x54"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(54)0x0D
}0x0D
</script>

<div id="x55"><span x="href=7&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x55"].innerHTML=window["x55"].innerHTML;0x0D
if (window["x55"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(55)0x0D
}0x0D
</script>

<div id="x56"><span x="href=8&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x56"].innerHTML=window["x56"].innerHTML;0x0D
if (window["x56"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(56)0x0D
}0x0D
</script>

<div id="x57"><span x="href=9&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x57"].innerHTML=window["x57"].innerHTML;0x0D
if (window["x57"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(57)0x0D
}0x0D
</script>

<div id="x62"><span x="href=>&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x62"].innerHTML=window["x62"].innerHTML;0x0D
if (window["x62"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(62)0x0D
}0x0D
</script>

<div id="x65"><span x="href=A&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x65"].innerHTML=window["x65"].innerHTML;0x0D
if (window["x65"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(65)0x0D
}0x0D
</script>

<div id="x66"><span x="href=B&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x66"].innerHTML=window["x66"].innerHTML;0x0D
if (window["x66"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(66)0x0D
}0x0D
</script>

<div id="x67"><span x="href=C&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x67"].innerHTML=window["x67"].innerHTML;0x0D
if (window["x67"].firstChild.getAttribute("href") != null)0x0D
{0x0D
alert(67)0x0D
}0x0D
</script>

Distributed Fuzzing

masato - braves parsing finding valid characters

Sample payloads

Fuzz results