
Characters allowed begin from a forward slash character in javascript protocol


Fuzz whether window.location.href = `/${user_input}`; can redirect to the javascript: pseudo-protocol.

Created by siunam321
Created Oct 28, 2025
Updated Oct 28, 2025

Category: URL Handling
Visibility: Public
Type: JS
Charset: UTF-8
Template used:
const url = new URL(`/${String.fromCodePoint($[i])}javascript:alert(origin)`);
if (url.protocol === 'javascript:') {
    log($[i]);
}

Sample payloads

const url = new URL(`/${String.fromCodePoint(0)}javascript:alert(origin)`);
if (url.protocol === 'javascript:') {
    alert(0);
}
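
The template parses the string with no base URL, while the assignment in the description resolves it against the document's URL. The following is an added example, not Shazzer's template or the author's code: it repeats the sweep with a base URL and wraps the sink in a same-origin check. BASE, resolveLocalRedirect and sweep are hypothetical names, and BASE is a constructed origin.

```javascript
// Added example (not Shazzer's template). BASE is a constructed origin.
const BASE = 'https://app.example.test/account/';
const PAYLOAD = 'javascript:alert(origin)'; // payload string from the page's template

// Resolve `/${userInput}` the way a location.href assignment does (against a
// base URL) and return the target only if it stays on the base's origin.
function resolveLocalRedirect(userInput, base = BASE) {
  let target;
  try {
    target = new URL(`/${userInput}`, base);
  } catch {
    return null; // unparsable: refuse to navigate
  }
  const origin = new URL(base).origin;
  const httpScheme = target.protocol === 'https:' || target.protocol === 'http:';
  return httpScheme && target.origin === origin ? target : null;
}

// Repeat the page's sweep with a base URL, recording for each code point
// whether the parsed result is javascript:, rejected, or a same-origin path.
function sweep(base = BASE, maxCodePoint = 0x10ffff) {
  const result = { javascript: [], rejected: [], sameOrigin: 0 };
  for (let cp = 0; cp <= maxCodePoint; cp++) {
    const input = String.fromCodePoint(cp) + PAYLOAD;
    let parsed = null;
    try { parsed = new URL(`/${input}`, base); } catch { /* parse failure */ }
    if (parsed && parsed.protocol === 'javascript:') result.javascript.push(cp);
    if (resolveLocalRedirect(input, base)) result.sameOrigin++;
    else result.rejected.push(cp);
  }
  return result;
}

// Sweep the Basic Multilingual Plane; omit the second argument for all code points.
console.log(sweep(BASE, 0xffff));
```

The rejected code points are the ones where the string stops being a path on the base origin, which is the case a redirect helper has to refuse.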

Fuzz results

Chrome 144.0.0.0 desktop macOS 10.15.7
Updated: Fri Jan 23 2026
Found 1 result

Firefox 148.0 desktop macOS 10.15
Updated: Mon Feb 02 2026
Found 1 result

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated: Mon Jan 26 2026
Found 1 result

Safari 26.2 desktop macOS 10.15.7
Updated: Thu Jan 29 2026
Found 1 result