Shazzer’s New Toast Dialog: A Game-Changer for XSS Fuzzing and Browser Quirks Discovery + Video


Introduction

Cross-Site Scripting (XSS) remains one of the most pervasive and dangerous vulnerabilities in web applications, with researchers constantly seeking new ways to discover browser quirks and bypass filters. Gareth Heyes, a renowned PortSwigger researcher known for shattering the AngularJS sandbox and creating elegant XSS vectors, has just released a significant update to Shazzer—his collaborative fuzzing platform. The improved toast dialog now displays character codes alongside visual previews, showing hex values for non-printable characters when users press “Test Fuzz” or “Fuzz”. This seemingly small UI enhancement represents a major leap forward in how security researchers can visualize, understand, and exploit character-level behaviors across different browsers.

Learning Objectives

  • Understand how Shazzer’s enhanced toast dialog accelerates XSS vector discovery through real-time character code visualization
  • Master the use of character encoding (decimal, hex, and Unicode) in crafting filter-bypassing payloads
  • Learn to leverage collaborative fuzzing techniques to uncover browser-specific parsing quirks and WAF bypasses

1. Understanding Shazzer’s Toast Dialog and Character Code Visualization

Shazzer is a shared online fuzzer that allows security researchers to perform client-based fuzzing and share results globally. The platform tests vectors across three primary modes: HTML parsing, JavaScript execution, and general browser behavior analysis. The newly improved toast dialog enhances this process by providing immediate, visual feedback on character codes when initiating fuzz tests.

When you press “Test Fuzz” or “Fuzz” in Shazzer, the toast dialog now displays:
– The decimal character code of each character in the payload
– A visual preview of the character itself
– Hexadecimal representation for non-printable characters

This feature is particularly valuable because XSS payloads often rely on specific character codes to bypass filters. For example, the tab character (ASCII 9), newline (ASCII 10), and carriage return (ASCII 13) are frequently used to break out of string contexts or evade regular expression-based filters.

Practical Example – Testing a Payload in Shazzer:

// Example payload to test in Shazzer
<script>alert(String.fromCharCode(72,101,108,108,111))</script>

With the new toast dialog, when you fuzz this payload, Shazzer will show you each character’s code point, helping you understand exactly how the browser interprets each character.

2. Leveraging Character Encoding for XSS Filter Bypass

Attackers frequently use character encoding techniques to bypass XSS filters that rely on detecting specific keywords or patterns. Understanding character codes is fundamental to crafting effective bypasses.

Common Encoding Techniques:

| Encoding Type | Example | Use Case |
|---|---|---|
| Decimal | `&#72;&#101;&#108;&#108;&#111;` | HTML decimal entity encoding |
| Hexadecimal | `&#x48;&#x65;&#x6C;&#x6C;&#x6F;` | HTML hex entity encoding |
| Unicode | `\u0048\u0065\u006C\u006C\u006F` | JavaScript Unicode escapes |
| Hex escapes | `\x48\x65\x6C\x6C\x6F` | JavaScript hex escapes |

Step-by-Step Guide: Building an Encoded XSS Payload

  1. Identify the injection point – Determine if you’re injecting into HTML, JavaScript, or attribute context
  2. Choose your encoding – Select the appropriate encoding based on the context and filter
  3. Encode the payload – Use tools like Shazzer’s Unicode table to find the right character codes
  4. Test with Shazzer – Use the improved toast dialog to verify each character’s representation
  5. Refine and iterate – Adjust encoding based on browser behavior
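As an added example (not Shazzer’s code and not from the original post; the function names are mine), the following JavaScript reproduces what the toast dialog reports for each character of a payload, generates the four encodings from the table above, and shows the defender-side consequence of those encodings: a check that reads the raw attribute value misses an entity-encoded or tab-split `javascript:` URL, while a check that first decodes numeric entities (as the HTML parser does for attribute values) and strips the tab, newline and carriage-return characters the URL parser discards sees the same value the browser will act on.

```javascript
// Added example, not part of Shazzer or the original article.

// One entry per character, the way the toast dialog reports it: decimal code,
// hex code, and a preview that falls back to a hex placeholder for
// control/non-printable characters.
function charCodeView(payload) {
  const rows = [];
  for (const ch of payload) {                 // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    const control = cp < 0x20 || cp === 0x7f || (cp >= 0x80 && cp <= 0x9f);
    const hex = cp.toString(16).toUpperCase().padStart(2, '0');
    rows.push({ dec: cp, hex: '0x' + hex, preview: control ? `<${hex.toLowerCase()}>` : ch });
  }
  return rows;
}

// Produce one of the four encodings from the table for every character.
function encodeAs(str, mode) {
  let out = '';
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    const hex = cp.toString(16).toUpperCase();
    switch (mode) {
      case 'decimal':   out += `&#${cp};`; break;              // HTML decimal entity
      case 'hex':       out += `&#x${hex};`; break;            // HTML hex entity
      case 'unicode':                                          // JavaScript \uXXXX per UTF-16 unit
        for (let i = 0; i < ch.length; i++) {
          out += '\\u' + ch.charCodeAt(i).toString(16).toUpperCase().padStart(4, '0');
        }
        break;
      case 'hexescape':                                        // JavaScript \xHH, only up to U+00FF
        if (cp > 0xff) throw new RangeError(`\\x cannot encode U+${hex}`);
        out += '\\x' + hex.padStart(2, '0');
        break;
      default: throw new Error(`unknown mode ${mode}`);
    }
  }
  return out;
}

// Decode &#NNN; and &#xHH; the way an HTML parser does for attribute values
// (the trailing semicolon is optional in real parsers, so it is optional here).
function decodeNumericEntities(str) {
  return str.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, body) => {
    const cp = body[0].toLowerCase() === 'x' ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Naive check: pattern-matches the raw attribute value. It never sees the
// decoded text, so any entity or embedded tab defeats it.
function rawJavascriptUrlCheck(value) {
  return /^javascript:/i.test(value);
}

// Normalised check: decode entities first, then drop U+0009/U+000A/U+000D,
// which the URL parser strips from its input, and leading whitespace.
function normalizeUrlValue(value) {
  return decodeNumericEntities(value).replace(/[\t\n\r]/g, '').trimStart();
}
function isJavascriptUrl(value) {
  return /^javascript:/i.test(normalizeUrlValue(value));
}

// Constructed sample: a javascript: URL with an entity-encoded first letter
// and a tab inside the scheme.
const SAMPLE = '&#106;ava\tscript:alert(1)';
console.table(charCodeView(SAMPLE));
console.log('raw check:', rawJavascriptUrlCheck(SAMPLE), 'normalised check:', isJavascriptUrl(SAMPLE));
```

Run it with `node` to see the per-character table and the two verdicts side by side; the point for a filter author is that the check must run on the value after the same decoding the browser performs, not on the bytes as submitted.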

Linux Command – Generating Encoded Payloads:

# Convert a string to JavaScript \x escapes (xxd emits lowercase hex)
echo -n "alert('XSS')" | xxd -p | sed 's/\(..\)/\\x\1/g'
# Output: \x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29

# Convert to decimal HTML entities (od prints one decimal value per byte)
echo -n "alert('XSS')" | od -An -td1 | tr -s ' \n' '\n' | sed '/^$/d;s/.*/\&#&;/' | tr -d '\n'; echo
# Output: &#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;

Windows PowerShell Command:

# Convert string to hex
[System.BitConverter]::ToString([System.Text.Encoding]::UTF8.GetBytes("alert('XSS')")) -replace '-',''
# Output: 616C65727428275853532729

3. Collaborative Fuzzing: The Power of Shared Browser Resources

One of Shazzer’s most innovative features is its distributed fuzzing architecture. By opting in, your browser automatically runs fuzz tests contributed by other researchers while you browse the site. This crowdsourced approach enables rapid testing across different browsers and versions.

How to Use Shazzer’s Collaborative Features:

  1. Visit Shazzer.co.uk and create an account
  2. Opt into the distributed network to contribute your browser’s computing power
  3. Create or join a team for collaborative fuzzing projects
  4. Share vectors with the community and benefit from others’ discoveries
  5. Use the toast dialog to analyze results from community-contributed fuzz tests

The collaborative nature means that when one researcher discovers a new vector, the entire community benefits immediately. This is particularly powerful for identifying browser-specific quirks that might otherwise go unnoticed.

4. Practical Fuzzing Techniques with Shazzer

Shazzer supports multiple fuzzing modes and techniques that can be enhanced using the new toast dialog visualization.

Key Fuzzing Techniques:

A. Character Range Fuzzing

Test all characters from 0-100000 to identify which ones trigger unexpected behavior. The toast dialog helps visualize non-printable characters that might otherwise be invisible.

B. Context-Aware Fuzzing

Use Shazzer’s preparation code to set up specific contexts before fuzzing:

// Shazzer pro tip: Suppress error logging during fuzz tests
<script>window.onerror = () => true</script>

This stops exceptions from being logged, allowing cleaner testing of XSS vectors.

C. Property Discovery

Use Shazzer’s initialization code to discover properties on window, document, and other objects across different browsers.

// Discover window properties across browsers
Object.getOwnPropertyNames(window).forEach(p => console.log(p));

Step-by-Step Fuzzing Workflow:

  1. Select a fuzz type – HTML parsing, JavaScript execution, or custom
  2. Define your vector – Enter the payload template with placeholders
  3. Configure preparation code – Set up the execution environment
  4. Run the fuzz test – Click “Test Fuzz” or “Fuzz”
  5. Analyze the toast dialog – Review character codes and previews
  6. Document findings – Share successful vectors with the community

5. Advanced XSS Vector Discovery and Analysis

Gareth Heyes is known for creating “super-elegant XSS vectors” and pioneering research into DOM-based XSS. Shazzer embodies this approach by providing a platform for systematic vector discovery.

Common XSS Vector Categories to Test:

| Category | Example | Bypass Technique |
|---|---|---|
| Event handlers | `onerror=alert(1)` | Attribute injection |
| JavaScript URLs | `javascript:alert(1)` | Protocol bypass |
| SVG vectors | | HTML5 quirks |
| CSS expressions | `expression(alert(1))` | Legacy IE vectors |
| DOM clobbering | | Prototype pollution |

Using Shazzer’s Unicode Table:

Shazzer now includes a comprehensive Unicode table with information about HTML entities, including named, decimal, and hex entities for each code point. This is invaluable for:
– Finding alternative representations of dangerous characters
– Discovering normalization bypasses
– Testing best-fit mappings for internationalized domains

6. Defensive Strategies: Protecting Against Fuzzing-Discovered Vectors

Understanding how attackers use tools like Shazzer is essential for building robust defenses.

Key Defensive Measures:

A. Input Validation and Sanitization

Implement strict whitelisting of allowed characters and use well-maintained sanitization libraries.

Example – Using DOMPurify for Sanitization:

// Client-side sanitization
const clean = DOMPurify.sanitize(dirtyInput, {
  ALLOWED_TAGS: ['b', 'i', 'em', 'strong'],
  ALLOWED_ATTR: ['title']
});

B. Content Security Policy (CSP)

Implement a strict CSP to limit the impact of any injected scripts.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'

C. Output Encoding

Always encode output based on the context (HTML, JavaScript, URL, CSS).

OWASP Recommended Encoding Functions:

// HTML entity encoding
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, function(m) {
    if (m === '&') return '&amp;';
    if (m === '<') return '&lt;';
    if (m === '>') return '&gt;';
    if (m === '"') return '&quot;';
    if (m === "'") return '&#x27;'; // single quotes also terminate attribute values
    return m;
  });
}
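Added example covering the context-based encoding advice in this section and the character-range sweep described under section 4 (my code, not OWASP’s library and not Shazzer’s; `encodeForHtml`, `encodeForJsString`, `encodeForUrlParam`, `sweepEncoder` and the `SAFE_OUTPUT` grammars are names I chose). Each encoder is defined by the output alphabet its context allows, and the sweep runs every code point in a range through an encoder and returns the ones whose output falls outside that alphabet. A deliberately weak encoder that escapes only quotes is included to show what the sweep catches; the default range is U+0000 to U+FFFF and can be widened through the parameters.

```javascript
// Added example, not part of the article, OWASP or Shazzer.

// HTML text node or quoted attribute value: entity-encode everything that is
// not alphanumeric, so no character can close the tag or attribute.
function encodeForHtml(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu, ch => `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript string literal inside <script>: \xHH below U+0100, \uHHHH above,
// so quotes, backslashes, line terminators and "</script>" are all inert.
function encodeForJsString(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {       // per UTF-16 unit; \u escapes pair up naturally
    const c = str.charCodeAt(i);
    const alnum = (c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a);
    if (alnum) out += str[i];
    else if (c <= 0xff) out += '\\x' + c.toString(16).padStart(2, '0');
    else out += '\\u' + c.toString(16).padStart(4, '0');
  }
  return out;
}

// URL query parameter: percent-encoding. This protects a parameter value only;
// the scheme and host of a URL must never come from untrusted input.
function encodeForUrlParam(str) {
  return encodeURIComponent(String(str));
}

// Deliberately weak JS-string encoder (quotes only) used to show what the
// sweep reports for an incomplete encoder.
function naiveJsEncode(str) {
  return String(str).replace(/['"]/g, ch => '\\x' + ch.charCodeAt(0).toString(16));
}

// The output alphabet each context allows. Anything outside it is a character
// that reached the output raw and could break the context.
const SAFE_OUTPUT = {
  html: /^(?:[A-Za-z0-9]|&#x[0-9a-f]+;)*$/,
  jsString: /^(?:[A-Za-z0-9]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*$/,
};

// Character-range sweep: push every code point in [from, to] through the
// encoder and collect those whose output is not in the safe alphabet.
// An empty result means the encoder covered the whole range.
function sweepEncoder(encoder, safeOutput, from = 0, to = 0xffff) {
  const misses = [];
  for (let cp = from; cp <= to; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue;  // lone surrogates are not encodable characters
    if (!safeOutput.test(encoder(String.fromCodePoint(cp)))) misses.push(cp);
  }
  return misses;
}

console.log('html misses:', sweepEncoder(encodeForHtml, SAFE_OUTPUT.html).length);
console.log('js misses:', sweepEncoder(encodeForJsString, SAFE_OUTPUT.jsString).length);
console.log('naive js misses (first 10, hex):',
  sweepEncoder(naiveJsEncode, SAFE_OUTPUT.jsString, 0, 0xff).slice(0, 10).map(c => c.toString(16)));
```

The sweep is the defender’s version of the range fuzzing described earlier: instead of asking which characters make a browser misbehave, it asks which characters an encoder lets through untouched, which is the list a reviewer needs before deciding whether the encoder is safe for its context.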

D. Regular Monitoring

Stay updated with the latest XSS vectors through PortSwigger’s XSS cheat sheet, which is regularly updated with new vectors from researchers.

What Undercode Say

  • Visual feedback transforms fuzzing efficiency – The ability to see character codes and previews in real-time significantly reduces the cognitive load of analyzing fuzz results, allowing researchers to identify promising vectors faster.

  • Community-driven security research is the future – Shazzer’s collaborative model demonstrates that crowdsourced browser testing can uncover quirks that would be impossible for any single researcher to find alone.

  • Character encoding remains the cornerstone of XSS bypass – Despite advances in WAF technology, encoding techniques continue to be effective, making tools that visualize character codes essential for both attackers and defenders.

  • The distinction between printable and non-printable characters matters – Many filters overlook non-printable characters, yet they can be crucial for breaking out of string contexts or evading regex patterns.

  • Cross-browser testing is non-negotiable – Shazzer’s distributed approach highlights how different browsers interpret the same payload differently, reinforcing the need for comprehensive cross-browser testing.

  • Small UX improvements can have outsized security impacts – A seemingly minor UI enhancement like an improved toast dialog can dramatically accelerate vulnerability discovery workflows.

  • The line between fuzzing and manual testing is blurring – Tools like Shazzer combine automated fuzzing with visual analysis, creating a hybrid approach that leverages the best of both worlds.

  • Defenders must think like fuzzers – Understanding how fuzzing tools operate is essential for building defenses that can withstand systematic, automated testing.

  • Documentation and sharing accelerate the entire field – Shazzer’s collaborative features embody the idea that security research advances faster when knowledge is shared openly.

  • JavaScript remains the most dynamic attack surface – As Gareth Heyes’s work consistently shows, the JavaScript ecosystem continues to offer new and unexpected attack vectors.

Prediction

  • +1 Shazzer’s collaborative fuzzing model will likely be adopted by other security platforms, creating a network effect that dramatically accelerates XSS vector discovery across the industry.

  • +1 The improved visualization of character codes will inspire similar features in other fuzzing tools, making character-level analysis more accessible to junior security researchers.

  • -1 As tools like Shazzer become more sophisticated, attackers will have an easier time discovering zero-day XSS vectors, potentially increasing the number of unpatched vulnerabilities in production applications.

  • +1 The community-driven nature of Shazzer will lead to faster identification and patching of browser quirks, as browser vendors can use the platform to test their own implementations.

  • -1 Organizations that fail to implement defense-in-depth strategies (CSP, sanitization, output encoding) will face increased risk as fuzzing tools make vulnerability discovery more accessible.

  • +1 The integration of Unicode tables and entity information into Shazzer will drive greater awareness of internationalization-related security issues, improving the security of multilingual applications.

  • -1 The automation of cross-browser testing through distributed fuzzing may lead to a flood of low-quality vulnerability reports, straining bug bounty programs and security teams.

  • +1 Gareth Heyes’s continued innovation in this space, combined with PortSwigger’s resources, positions Shazzer to become the industry standard for XSS fuzzing and browser quirk discovery.

Related Video:

https://www.youtube.com/watch?v=1upLfqV-zVI

Reported By: Gareth Heyes – Hackers Feeds