Shazzer logo
Login

Characters after https URI scheme which prevent URL parsing of href

⚠ Browser differences
Chrome logo 12.7k
Firefox logo 12.7k
Edge logo 12.7k
Safari logo 12.7k

These characters make the URI scheme parsing break and return plaintext instead of the parsed URL.

Cillian-Collins
Created byCillian-Collins
Created Oct 27, 2025
Updated Oct 27, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<a id="user_id" href="https:$[chr]blah/../../"></a>
Code used after fuzz:
var user_id = document.getElementById("user_id");0x0D
var url = user_id.toString();0x0D
0x0D
if(url.indexOf("../") != -1) log($[i]);

Sample payloads

<a id="user_id" href="https:#blah/../../"></a>
<a id="user_id" href="https:%blah/../../"></a>
<a id="user_id" href="https:*blah/../../"></a>
<a id="user_id" href="https::blah/../../"></a>
<a id="user_id" href="https:<blah/../../"></a>
<a id="user_id" href="https:[blah/../../"></a>
<a id="user_id" href="https:|blah/../../"></a>
<a id="user_id" href="https:¨blah/../../"></a>
<a id="user_id" href="https:¯blah/../../"></a>
<a id="user_id" href="https:´blah/../../"></a>
<a id="user_id" href="https:¸blah/../../"></a>
<a id="user_id" href="https:΋blah/../../"></a>
<a id="user_id" href="https:΍blah/../../"></a>
<a id="user_id" href="https:΢blah/../../"></a>
<a id="user_id" href="https:԰blah/../../"></a>
<a id="user_id" href="https:؈blah/../../"></a>
<a id="user_id" href="https:؋blah/../../"></a>
<a id="user_id" href="https:؍blah/../../"></a>
<a id="user_id" href="https:঩blah/../../"></a>

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop macOS 10.15.7
Updated8 Feb 2026
Found 12711 results
Loading...
Chrome logo
Chrome 144.0.0.0 desktop Windows NT 10.0older version
Updated8 Feb 2026
Found 12711 results
Loading...
Chrome logo
Chrome 142.0.0.0 desktop Linux Unknownolder version
Updated8 Nov 2025
Found 12785 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 12783 results
Loading...
Firefox logo
Firefox 147.0 desktop Linuxolder version
Updated2 Feb 2026
Found 12783 results
Loading...
Firefox logo
Firefox 147.0 desktop macOS 10.15older version
Updated30 Jan 2026
Found 12783 results
Loading...
Firefox logo
Firefox 137.0 desktop Linux Unknownolder version
Updated8 Jan 2026
Found 12857 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 12711 results
Loading...
Safari logo
Safari 26.2 desktop macOS 10.15.7
Updated31 Jan 2026
Found 12779 results
Loading...
Safari logo
Safari 18.5 mobile iOS 18.5older version
Updated27 Oct 2025
Found 12779 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.