Shazzer logo
Login

Characters after https URI scheme which prevent URL parsing of href

⚠ Browser differences
Chrome logo 12.7k
Firefox logo 12.7k
Edge logo 12.7k
Safari logo 12.7k

These characters make the URI scheme parsing break and return plaintext instead of the parsed URL.

Cillian-Collins
Created byCillian-Collins
Created Oct 27, 2025
Updated Oct 27, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<a id="user_id" href="https:$[chr]blah/../../"></a>
Code used after fuzz:
var user_id = document.getElementById("user_id");0x0D
var url = user_id.toString();0x0D
0x0D
if(url.indexOf("../") != -1) log($[i]);

Sample payloads

<a id="user_id" href="https:#blah/../../"></a>
<a id="user_id" href="https:%blah/../../"></a>
<a id="user_id" href="https:*blah/../../"></a>
<a id="user_id" href="https::blah/../../"></a>
<a id="user_id" href="https:<blah/../../"></a>
<a id="user_id" href="https:[blah/../../"></a>
<a id="user_id" href="https:|blah/../../"></a>
<a id="user_id" href="https:¨blah/../../"></a>
<a id="user_id" href="https:¯blah/../../"></a>
<a id="user_id" href="https:´blah/../../"></a>
<a id="user_id" href="https:¸blah/../../"></a>
<a id="user_id" href="https:΋blah/../../"></a>
<a id="user_id" href="https:΍blah/../../"></a>
<a id="user_id" href="https:΢blah/../../"></a>
<a id="user_id" href="https:԰blah/../../"></a>
<a id="user_id" href="https:؈blah/../../"></a>
<a id="user_id" href="https:؋blah/../../"></a>
<a id="user_id" href="https:؍blah/../../"></a>
<a id="user_id" href="https:঩blah/../../"></a>

Fuzz results

Chrome logo
Chrome 144.0.0.0 desktop macOS 10.15.7
Updated24 Jan 2026
Found 12711 results
Loading...
Chrome logo
Chrome 142.0.0.0 desktop Linux Unknownolder version
Updated8 Nov 2025
Found 12785 results
Loading...
Chrome logo
Chrome 142.0.0.0 desktop Windows NT 10.0older version
Updated10 Nov 2025
Found 12785 results
Loading...
Firefox logo
Firefox 147.0 desktop Linux
Updated2 Feb 2026
Found 12783 results
Loading...
Firefox logo
Firefox 147.0 desktop macOS 10.15
Updated30 Jan 2026
Found 12783 results
Loading...
Firefox logo
Firefox 137.0 desktop Linux Unknownolder version
Updated8 Jan 2026
Found 12857 results
Loading...
Edge logo
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated26 Jan 2026
Found 12711 results
Loading...
Safari logo
Safari 26.2 desktop macOS 10.15.7
Updated31 Jan 2026
Found 12779 results
Loading...
Safari logo
Safari 18.5 mobile iOS 18.5older version
Updated27 Oct 2025
Found 12779 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.