Cheat sheets

Malformed HTML comments

- >

--><!-- [1]><script>log($[i])</script>

How do you use it?

[1]

--><!-->><script>log($[i])</script>

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before the JavaScript protocol

SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US SPACE

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between slashes using XSS type

SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US SPACE / \

HT LF CR / \

HT LF CR / @ \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff

How do you use it?

[1]

[2]

[3]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed after colon which result in an external URL

/ \

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters prepended to URL host. check if difference between URL and a tag

if (new URL("https://a.com/b").host=="a.com"){ var t=document.createElement("a"); t.href="https://a.com/b"; if (t.host != "a.com") { log($[i]); } } if (new URL("https://a.com/b").host=="a.com"){ var t=document.createElement("a"); t.href="https://a.com/b"; if (t.host != "a.com") { log($[i]); } }

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters appended at the end of TLD within URL, which yield in the same host property

HT / @ \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff

HT # / ? \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff

if (new URL("https:// [1]google.com [2]/endpoint").host=="google.com"){log($[i])}

How do you use it?

[1]

if (new URL("https://HTgoogle.com/endpoint").host=="google.com"){log($[i])}
if (new URL("https:///google.com/endpoint").host=="google.com"){log($[i])}
if (new URL("https://@google.com/endpoint").host=="google.com"){log($[i])}
if (new URL("https://\google.com/endpoint").host=="google.com"){log($[i])}
if (new URL("https://\xadgoogle.com/endpoint").host=="google.com"){log($[i])}

[2]

if (new URL("https://google.comHT/endpoint").host=="google.com"){log($[i])}
if (new URL("https://google.com#/endpoint").host=="google.com"){log($[i])}
if (new URL("https://google.com//endpoint").host=="google.com"){log($[i])}
if (new URL("https://google.com?/endpoint").host=="google.com"){log($[i])}
if (new URL("https://google.com\/endpoint").host=="google.com"){log($[i])}

Shazzer cheat sheet
Generated by shazzer.co.uk

Allowed characters right after tag name & before tag closure, no other characters in between

HT LF FF CR SPACE /

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters appended at the end of TLD within URL, which yield in the same Origin

HT # / ? \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff \u{01bca0} \u{01bca1} \u{01bca2} \u{01bca3} \u{0e0100} \u{0e0101} \u{0e0102} \u{0e0103} \u{0e0104} \u{0e0105} \u{0e0106} \u{0e0107} \u{0e0108} \u{0e0109} \u{0e010a} \u{0e010b} \u{0e010c} \u{0e010d} \u{0e010e} \u{0e010f} \u{0e0110} \u{0e0111} \u{0e0112} \u{0e0113} \u{0e0114} \u{0e0115} \u{0e0116} \u{0e0117} \u{0e0118} \u{0e0119} \u{0e011a} \u{0e011b} \u{0e011c} \u{0e011d} \u{0e011e} \u{0e011f} \u{0e0120} \u{0e0121} \u{0e0122} \u{0e0123} \u{0e0124} \u{0e0125} \u{0e0126} \u{0e0127} \u{0e0128} \u{0e0129} \u{0e012a} \u{0e012b} \u{0e012c} \u{0e012d} \u{0e012e} \u{0e012f} \u{0e0130} \u{0e0131} \u{0e0132} \u{0e0133} \u{0e0134} \u{0e0135} \u{0e0136} \u{0e0137} \u{0e0138} \u{0e0139} \u{0e013a} \u{0e013b} \u{0e013c} \u{0e013d} \u{0e013e} \u{0e013f} \u{0e0140} \u{0e0141} \u{0e0142} \u{0e0143} \u{0e0144} \u{0e0145} \u{0e0146} \u{0e0147} \u{0e0148} \u{0e0149} \u{0e014a} \u{0e014b} \u{0e014c} \u{0e014d} \u{0e014e} \u{0e014f} \u{0e0150} \u{0e0151} \u{0e0152} \u{0e0153} \u{0e0154} \u{0e0155} \u{0e0156} \u{0e0157} \u{0e0158} \u{0e0159} \u{0e015a} \u{0e015b} \u{0e015c} \u{0e015d} \u{0e015e} \u{0e015f} \u{0e0160} \u{0e0161} \u{0e0162} \u{0e0163} \u{0e0164} \u{0e0165} \u{0e0166} \u{0e0167} \u{0e0168} \u{0e0169} \u{0e016a} \u{0e016b} \u{0e016c} \u{0e016d} \u{0e016e} \u{0e016f} \u{0e0170} \u{0e0171} \u{0e0172} \u{0e0173} \u{0e0174} \u{0e0175} \u{0e0176} \u{0e0177} \u{0e0178} \u{0e0179} \u{0e017a} \u{0e017b} \u{0e017c} \u{0e017d} \u{0e017e} \u{0e017f} \u{0e0180} \u{0e0181} \u{0e0182} \u{0e0183} \u{0e0184} \u{0e0185} \u{0e0186} \u{0e0187} \u{0e0188} \u{0e0189} \u{0e018a} \u{0e018b} \u{0e018c} \u{0e018d} \u{0e018e} \u{0e018f} \u{0e0190} \u{0e0191} \u{0e0192} \u{0e0193} \u{0e0194} \u{0e0195} \u{0e0196} \u{0e0197} \u{0e0198} \u{0e0199} \u{0e019a} \u{0e019b} \u{0e019c} \u{0e019d} \u{0e019e} \u{0e019f} \u{0e01a0} \u{0e01a1} \u{0e01a2} \u{0e01a3} \u{0e01a4} \u{0e01a5} \u{0e01a6} \u{0e01a7} \u{0e01a8} \u{0e01a9} \u{0e01aa} \u{0e01ab} \u{0e01ac} \u{0e01ad} \u{0e01ae} \u{0e01af} \u{0e01b0} \u{0e01b1} \u{0e01b2} \u{0e01b3} \u{0e01b4} \u{0e01b5} \u{0e01b6} \u{0e01b7} \u{0e01b8} \u{0e01b9} \u{0e01ba} \u{0e01bb} \u{0e01bc} \u{0e01bd} \u{0e01be} \u{0e01bf} \u{0e01c0} \u{0e01c1} \u{0e01c2} \u{0e01c3} \u{0e01c4} \u{0e01c5} \u{0e01c6} \u{0e01c7} \u{0e01c8} \u{0e01c9} \u{0e01ca} \u{0e01cb} \u{0e01cc} \u{0e01cd} \u{0e01ce} \u{0e01cf} \u{0e01d0} \u{0e01d1} \u{0e01d2} \u{0e01d3} \u{0e01d4} \u{0e01d5} \u{0e01d6} \u{0e01d7} \u{0e01d8} \u{0e01d9} \u{0e01da} \u{0e01db} \u{0e01dc} \u{0e01dd} \u{0e01de} \u{0e01df} \u{0e01e0} \u{0e01e1} \u{0e01e2} \u{0e01e3} \u{0e01e4} \u{0e01e5} \u{0e01e6} \u{0e01e7} \u{0e01e8} \u{0e01e9} \u{0e01ea} \u{0e01eb} \u{0e01ec} \u{0e01ed} \u{0e01ee} \u{0e01ef}

if (new URL("https://google.com [1]/endpoint").origin=="https://google.com"){log($[i])}

How do you use it?

[1]

if (new URL("https://google.comHT/endpoint").origin=="https://google.com"){log($[i])}
if (new URL("https://google.com#/endpoint").origin=="https://google.com"){log($[i])}
if (new URL("https://google.com//endpoint").origin=="https://google.com"){log($[i])}
if (new URL("https://google.com?/endpoint").origin=="https://google.com"){log($[i])}
if (new URL("https://google.com\/endpoint").origin=="https://google.com"){log($[i])}

Shazzer cheat sheet
Generated by shazzer.co.uk

Bytes that will scramble ISO-2022-JP

@ B

<a id="$[bytes:1b24] [1]"></a>$[bytes:1b2842]<a id="><img src=x onerror=log($[i])></a>

How do you use it?

[1]

<a id="$[bytes:1b24]@"></a>$[bytes:1b2842]<a id="><img src=x onerror=log($[i])></a>
<a id="$[bytes:1b24]B"></a>$[bytes:1b2842]<a id="><img src=x onerror=log($[i])></a>

Shazzer cheat sheet
Generated by shazzer.co.uk

Bytes that will normalize ISO-2022-JP

B J

<a id="$[bytes:1b2442]"></a>$[bytes:1b28] [1]<a id="><img src=x onerror=log($[i])></a>

How do you use it?

[1]

<a id="$[bytes:1b2442]"></a>$[bytes:1b28]B<a id="><img src=x onerror=log($[i])></a>
<a id="$[bytes:1b2442]"></a>$[bytes:1b28]J<a id="><img src=x onerror=log($[i])></a>

Shazzer cheat sheet
Generated by shazzer.co.uk

Character allowed after onerror event

HT LF FF CR SPACE

HT LF VT FF CR SPACE ! + - ; ~ \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

How do you use it?

[1]

[2]

Shazzer cheat sheet
Generated by shazzer.co.uk

ISO-2022-JP ASCII escape sequence

< B

<$[bytes:1b28] [1]img src onerror=log($[i])>

How do you use it?

[1]

<$[bytes:1b28]<img src onerror=log($[i])>
<$[bytes:1b28]Bimg src onerror=log($[i])>

Shazzer cheat sheet
Generated by shazzer.co.uk

Find WAF bypass for eval context

try { v = "javascript:(1)"; if (eval(v)) { console.log(v); log('$[i]') } } catch(e) { v = '' }

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Non-standard characters that break JSON.parse()

NUL SOH STX ETX EOT ENQ ACK BEL BS VT FF SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US

try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":" [1]"}`); } } catch { log($[i]); }

How do you use it?

[1]

try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"NUL"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"SOH"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"STX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"ETX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"EOT"}`); } } catch { log($[i]); }

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can be between < and script>

< [1]script><notfound></script>

How do you use it?

[1]

<<script><notfound></script>

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that cause the backslash to be consumed with a big5 charset

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can precede the javascript protocol

SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US SPACE

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that close or encapsulate HTML attribute values

HT LF FF CR SPACE " '

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

< removal bypass

<p> [1]found></p>

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters in-between square brackets that close cdata

]

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Includes Validation Chars Allowed

if (['https:'].includes(" [1]https:")){ log($[i]) }

How do you use it?

[1]

if (['https:'].includes("\https:")){ log($[i]) }

Shazzer cheat sheet
Generated by shazzer.co.uk

work

How do you use it?

[1]

<img src=>{"[alert]"}<found>

Shazzer cheat sheet
Generated by shazzer.co.uk

HTML vector

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Chars allowed before domain

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed in colon entity

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between multiple HTML attributes

HT LF FF CR SPACE

How do you use it?

[1]

<imgHTsrc=xonerror=log($[i])>
<imgLFsrc=xonerror=log($[i])>
<imgFFsrc=xonerror=log($[i])>
<imgCRsrc=xonerror=log($[i])>
<imgSPACEsrc=xonerror=log($[i])>

Shazzer cheat sheet
Generated by shazzer.co.uk

Bypass proto string match defense

s = "$[i]"; if (typeof s["__proto__"] != "undefined") { log(fromCodePoint($[i])); }

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed in path traversal

HT # / ? \

new URL("https://x.se/long/.. [1]/a").pathname.length > 4 ? false : log($[i])

How do you use it?

[1]

new URL("https://x.se/long/..HT/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..//a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before event in attribute name using setAttribute

let img = document.createElement('img'); img.src = 'data:'; img.setAttribute(' [1]onerror','log($[i])') document.body.append(img);

How do you use it?

[1]

let img = document.createElement('img'); img.src = 'data:'; img.setAttribute('\onerror','log($[i])') document.body.append(img);

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can work as attribute seperator

HT LF FF CR SPACE /

var markup = `<a [1]id=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }

How do you use it?

[1]

var markup = `<aHTid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aLFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aFFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aCRid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aSPACEid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can start an HTML comment

! / ?

< [1] <a/b="--><found>"

How do you use it?

[1]

<! <a/b="--><found>"
</ <a/b="--><found>"
<? <a/b="--><found>"

Shazzer cheat sheet
Generated by shazzer.co.uk

Fuzzing weird script behaviour after script text

/ HT CR FF LF SPACE >

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed to end a JS string

var myVar = "foo [1] log($[i]) // a";

How do you use it?

[1]

var myVar = "foo" log($[i]) // a";

Shazzer cheat sheet
Generated by shazzer.co.uk

JavaScript Scheme starting with http

log(new URL("httpjavascript:alert()").protocol)

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before CSS selectors

HT LF FF CR SPACE

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Host

if (new URL('https://www.example.com/evil.com').host=='evil.com') { log('"https://www.example.com/evil.com" -> "evil.com"') } if (new URL('https://www.example.comevil.com').host=='evil.com') { log('"https://www.example.comevil.com" -> "evil.com"') }

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

ToUpperCase Improper Character Morphing

var targets=['"','\'','<','/','>','\\'] if (targets.includes(''.toUpperCase())) { log($[i]+' (normal) ( -> '+"".toUpperCase()+')') } if (targets.includes(''.toLocaleUpperCase())) { log($[i]+' (locale) ( -> '+"".toLocaleUpperCase()+')') }

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can break out of an inline style background-image url

<div id="test" style="background-image: url(;width:100%">hello</div>

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can break out of an inline style with single quotes

<div id="test" style='onload="alert(1)">hello</div>

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can break out of an inline style with double quotes

<div id="test" style="onload="alert(1)">hello</div>

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

HTML-Encoded Attribute Escape

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Quotes

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed after malformed entities

HT LF VT FF CR SPACE ! & + - ; ~ \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed to break double quotes

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

JavaScript Scheme starting with https://

if (new URL("https://javascript:alert()").protocol=="javascript:"){log($[i])}

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed after greater than in events

\ufeff \u2028 > ~ \u3000 \u2003 \u2000 \u2004 \u2006 ! \u2029 - \xa0 \u2005 \u2008 + \u200a SPACE \u1680 \u2002 \u2007 \u2009 LF \u205f ; \u202f HT FF VT CR \u2001

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that act as new lines in multi line strings

LF CR \u2028 \u2029

"x\ [1]"==="x" && log($[i])

How do you use it?

[1]

"x\LF"==="x" && log($[i])
"x\CR"==="x" && log($[i])
"x\\u2028"==="x" && log($[i])
"x\\u2029"==="x" && log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

characters allowed between exclamation mark and greater then

<!----! [1]><found>

How do you use it?

[1]

<!----!>><found>

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters ignored after backslash with multiline string

({"x\ [1] ":1337}.x)==1337&&log($[i])

How do you use it?

[1]

({"x\CR ":1337}.x)==1337&&log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters ignored in strings when doing a non strict comparison

HT VT FF SPACE + 0 \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

" [1]1337"==1337&&log($[i])

How do you use it?

[1]

"HT1337"==1337&&log($[i])
"VT1337"==1337&&log($[i])
"FF1337"==1337&&log($[i])
"SPACE1337"==1337&&log($[i])
"+1337"==1337&&log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that act as attribute quotes

" '

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters ignored in an attribute name

HT LF FF CR SPACE / >

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can be used in eval to write code in between

HT VT FF SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

eval(' [1]log($[i])')

How do you use it?

[1]

eval('HTlog($[i])')
eval('VTlog($[i])')
eval('FFlog($[i])')
eval('SPACElog($[i])')
eval(';log($[i])')

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters to break out from eval string

eval('" [1]');log($[i]);

How do you use it?

[1]

eval('""');log($[i]);

Shazzer cheat sheet
Generated by shazzer.co.uk

Valid characters between function and dot-parenthesis .()

prompt [1].();log($[i])

How do you use it?

[1]

prompt?.();log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Valid characters between function and parenthesis

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

alert [1]();log($[i])

How do you use it?

[1]

alertHT();log($[i])
alertLF();log($[i])
alertVT();log($[i])
alertFF();log($[i])
alertCR();log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between < and element

<h1>sample</h1>

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Attribute separators

<imgonerror=alert() src=x />

How do you use it?

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before optional chaining

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

log [1]?. [2]($[i])

How do you use it?

[1]

logHT?. ($[i])
logLF?. ($[i])
logVT?. ($[i])
logFF?. ($[i])
logCR?. ($[i])

[2]

log ?.HT($[i])
log ?.LF($[i])
log ?.VT($[i])
log ?.FF($[i])
log ?.CR($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed after the void operator

HT LF VT FF CR SPACE ! + - ~ \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

void [1]log($[i])

How do you use it?

[1]

voidHTlog($[i])
voidLFlog($[i])
voidVTlog($[i])
voidFFlog($[i])
voidCRlog($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can be used as valid labels in JavaScript

$ _ \xaa \xb5 \xba \u02ec \u02ee \u037f \u0386 \u038c \u0559 \u06d5 \u06ff \u0710 \u07b1 \u07fa \u081a \u0824 \u0828 \u093d \u0950 \u09b2 \u09bd \u09ce \u09fc \u0a5e \u0abd \u0ad0 \u0af9 \u0b3d \u0b71 \u0b83 \u0b9c \u0bd0 \u0c3d \u0c5d \u0c80 \u0cbd \u0d3d \u0d4e \u0dbd \u0e84 \u0ea5 \u0ebd \u0ec6 \u0f00 \u103f \u1061 \u108e \u10c7 \u10cd \u1258 \u12c0 \u17d7 \u17dc \u18aa \u1aa7 \u1cfa \u1f59 \u1f5b \u1f5d \u1fbe \u2071 \u207f \u2102 \u2107 \u2115 \u2124 \u2126 \u2128 \u214e \u2d27 \u2d2d \u2d6f \ua7d3 \ua8fb \ua9cf \uaa7a \uaab1 \uaac0 \uaac2 \ufb1d \ufb3e \u{010808} \u{01083c} \u{010a00} \u{010f27} \u{011075} \u{011144} \u{011147} \u{011176} \u{0111da} \u{0111dc} \u{011288} \u{01133d} \u{011350} \u{0114c7} \u{011644} \u{0116b8} \u{011909} \u{01193f} \u{011941} \u{0119e1} \u{0119e3} \u{011a00} \u{011a3a} \u{011a50} \u{011a9d} \u{011c40} \u{011d46} \u{011d98} \u{011f02} \u{011fb0} \u{016f50} \u{016fe3} \u{01b132} \u{01b155} \u{01d4a2} \u{01d4bb} \u{01d546} \u{01e14e} \u{01e94b} \u{01ee24} \u{01ee27} \u{01ee39} \u{01ee3b} \u{01ee42} \u{01ee47} \u{01ee49} \u{01ee4b} \u{01ee54} \u{01ee57} \u{01ee59} \u{01ee5b} \u{01ee5d} \u{01ee5f} \u{01ee64} \u{01ee7e}

[1]:log($[i])

How do you use it?

[1]

$:log($[i])
_:log($[i])
\xaa:log($[i])
\xb5:log($[i])
\xba:log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that are valid JS variables

var [1]=log($[i])

How do you use it?

[1]

var $=log($[i])
var _=log($[i])
var \xaa=log($[i])
var \xb5=log($[i])
var \xba=log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed instead of equal sign

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters between < and element name

HT LF FF CR SPACE / >

< [1]found [2]>

How do you use it?

[1]

<<found >

[2]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between an object and bracket notation

HT LF VT FF CR SPACE % & * + , - / : ; < = > ^ | \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

document [1]['location'];log($[i])

How do you use it?

[1]

documentHT['location'];log($[i])
documentLF['location'];log($[i])
documentVT['location'];log($[i])
documentFF['location'];log($[i])
documentCR['location'];log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between an object and the dot operator

HT LF VT FF CR SPACE ? \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

window [1].alert();log($[i])

How do you use it?

[1]

windowHT.alert();log($[i])
windowLF.alert();log($[i])
windowVT.alert();log($[i])
windowFF.alert();log($[i])
windowCR.alert();log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can be inserted in the middle of the JS protocol name

HT LF CR

<a id="0" href="j [1]avascript:window">craft-me</a>

How do you use it?

[1]

<a id="0" href="jHTavascript:window">craft-me</a>
<a id="0" href="jLFavascript:window">craft-me</a>
<a id="0" href="jCRavascript:window">craft-me</a>

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed in-between operators

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

"1337" [1]inlog($[i])

How do you use it?

[1]

"1337"HTinlog($[i])
"1337"LFinlog($[i])
"1337"VTinlog($[i])
"1337"FFinlog($[i])
"1337"CRinlog($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed in-between hyphens

<!- [1]- ><xmp>--><img src/onerror=log($[i])>-->

How do you use it?

[1]

<img src/onerror=log($[i])>-->

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed as a class separator

HT LF FF CR SPACE

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that act like new line or single line comment

LF CR & * / ; < = > ? | \u2028 \u2029

log($[i]) [1]sdfasdfasfasfd

How do you use it?

[1]

log($[i])LFsdfasdfasfasfd
log($[i])CRsdfasdfasfasfd
log($[i])&sdfasdfasfasfd
log($[i])*sdfasdfasfasfd
log($[i])/sdfasdfasfasfd

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that act as quotes or whitespace

HT LF FF CR SPACE " ' ;

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between HTML attributes

HT LF FF CR SPACE /

How do you use it?

[1]

<imgHTsrconerror=log($[i])>
<imgLFsrconerror=log($[i])>
<imgFFsrconerror=log($[i])>
<imgCRsrconerror=log($[i])>
<imgSPACEsrconerror=log($[i])>

Shazzer cheat sheet
Generated by shazzer.co.uk

Valid characters before domain 1

HT LF CR / @ \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that can break out of a single line comment

LF CR \u2028 \u2029

// [1]log($[i])

How do you use it?

[1]

// LFlog($[i])
// CRlog($[i])
// \u2028log($[i])
// \u2029log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed javascript and colon

HT : \

if (new URL("javascript [1]:alert()").protocol=="javascript:"){log($[i])}

How do you use it?

[1]

if (new URL("javascriptHT:alert()").protocol=="javascript:"){log($[i])}
if (new URL("javascript::alert()").protocol=="javascript:"){log($[i])}
if (new URL("javascript\:alert()").protocol=="javascript:"){log($[i])}

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between variable name and equals sign

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

const x [1]="x" if(x==="x"){log($[i])}

How do you use it?

[1]

const xHT="x" if(x==="x"){log($[i])}
const xLF="x" if(x==="x"){log($[i])}
const xVT="x" if(x==="x"){log($[i])}
const xFF="x" if(x==="x"){log($[i])}
const xCR="x" if(x==="x"){log($[i])}

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between slashes

HT / \

anchor.href='/ [1]/example.com'; if(anchor.host === 'example.com')log($[i])

How do you use it?

[1]

anchor.href='/HT/example.com'; if(anchor.host === 'example.com')log($[i])
anchor.href='///example.com'; if(anchor.host === 'example.com')log($[i])
anchor.href='/\/example.com'; if(anchor.host === 'example.com')log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Break out of CSS strings

LF FF CR '

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

characters after slash that make a http protocol

/ \

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters after strings

LF CR % & * + , - / ; < > ^ | \u2028 \u2029

"" [1]log($[i])

How do you use it?

[1]

""LFlog($[i])
""CRlog($[i])
""%log($[i])
""&log($[i])
""*log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed between in operator

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

1337 [1]inlog($[i])

How do you use it?

[1]

1337HTinlog($[i])
1337LFinlog($[i])
1337VTinlog($[i])
1337FFinlog($[i])
1337CRinlog($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters that separate CSS properties

;

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Character that closes HTML tag

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

JavaScript separators between function names

LF CR % & * + , - / ; < > ^ | \u2028 \u2029

console.log() [1]log($[i])

How do you use it?

[1]

console.log()LFlog($[i])
console.log()CRlog($[i])
console.log()%log($[i])
console.log()&log($[i])
console.log()*log($[i])

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before parentheses

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

HT LF VT FF CR SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

log [1]($[i]) [2]

How do you use it?

[1]

logHT($[i])
logLF($[i])
logVT($[i])
logFF($[i])
logCR($[i])

[2]

log ($[i])HT
log ($[i])LF
log ($[i])VT
log ($[i])FF
log ($[i])CR

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed after * in CSS comments

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

Characters allowed before onerror events

HT LF FF CR SPACE /

How do you use it?

[1]

Shazzer cheat sheet
Generated by shazzer.co.uk

HTML comment before greater than

! - >

<!---- [1]><found>

How do you use it?

[1]

<found>
><found>

Shazzer cheat sheet
Generated by shazzer.co.uk

Cheat sheets

Malformed HTML comments

How do you use it?

Characters allowed before the JavaScript protocol

How do you use it?

Characters allowed between slashes using XSS type

How do you use it?

Characters allowed after colon which result in an external URL

How do you use it?

Characters prepended to URL host. check if difference between URL and a tag

How do you use it?

Characters appended at the end of TLD within URL, which yield in the same host property

How do you use it?

Allowed characters right after tag name & before tag closure, no other characters in between

How do you use it?

Characters appended at the end of TLD within URL, which yield in the same Origin

How do you use it?

Bytes that will scramble ISO-2022-JP

How do you use it?

Bytes that will normalize ISO-2022-JP

How do you use it?

Character allowed after onerror event

How do you use it?

ISO-2022-JP ASCII escape sequence

How do you use it?

Find WAF bypass for eval context

How do you use it?

Non-standard characters that break JSON.parse()

How do you use it?

Characters that can be between < and script>

How do you use it?

Characters that cause the backslash to be consumed with a big5 charset

How do you use it?

Characters that can precede the javascript protocol

How do you use it?

Characters that close or encapsulate HTML attribute values

How do you use it?

< removal bypass

How do you use it?

Characters in-between square brackets that close cdata

How do you use it?

Includes Validation Chars Allowed

How do you use it?

work

How do you use it?

HTML vector

How do you use it?

Chars allowed before domain

How do you use it?

Characters allowed in colon entity

How do you use it?

Characters allowed between multiple HTML attributes

How do you use it?

Bypass __proto__ string match defense

How do you use it?

Characters allowed in path traversal

How do you use it?

Characters allowed before event in attribute name using setAttribute

How do you use it?

Characters that can work as attribute seperator

How do you use it?

Characters that can start an HTML comment

How do you use it?

Fuzzing weird script behaviour after script text

How do you use it?

Characters allowed to end a JS string

How do you use it?

JavaScript Scheme starting with http

How do you use it?

Characters allowed before CSS selectors

How do you use it?

Host

How do you use it?

ToUpperCase Improper Character Morphing

How do you use it?

Characters that can break out of an inline style background-image url

How do you use it?

Characters that can break out of an inline style with single quotes

How do you use it?

Characters that can break out of an inline style with double quotes

Bypass proto string match defense