
Introduction
Cross-Site Scripting (XSS) remains one of the most pervasive and dangerous vulnerabilities in web applications, with researchers constantly seeking new ways to discover browser quirks and bypass filters. Gareth Heyes, a renowned PortSwigger researcher known for shattering the AngularJS sandbox and creating elegant XSS vectors, has just released a significant update to Shazzer—his collaborative fuzzing platform. The improved toast dialog now displays character codes alongside visual previews, showing hex values for non-printable characters when users press “Test Fuzz” or “Fuzz”. This seemingly small UI enhancement represents a major leap forward in how security researchers can visualize, understand, and exploit character-level behaviors across different browsers.
Learning Objectives
- Understand how Shazzer’s enhanced toast dialog accelerates XSS vector discovery through real-time character code visualization
- Master the use of character encoding (decimal, hex, and Unicode) in crafting filter-bypassing payloads
- Learn to leverage collaborative fuzzing techniques to uncover browser-specific parsing quirks and WAF bypasses
1. Understanding Shazzer’s Toast Dialog and Character Code Visualization
Shazzer is a shared online fuzzer that allows security researchers to perform client-based fuzzing and share results globally. The platform tests vectors across three primary modes: HTML parsing, JavaScript execution, and general browser behavior analysis. The newly improved toast dialog enhances this process by providing immediate, visual feedback on character codes when initiating fuzz tests.
When you press “Test Fuzz” or “Fuzz” in Shazzer, the toast dialog now displays:
- The decimal character code of each character in the payload
- A visual preview of the character itself
- Hexadecimal representation for non-printable characters
This feature is particularly valuable because XSS payloads often rely on specific character codes to bypass filters. For example, the tab character (ASCII 9), newline (ASCII 10), and carriage return (ASCII 13) are frequently used to break out of string contexts or evade regular expression-based filters.
Practical Example – Testing a Payload in Shazzer:
```html
<!-- Example payload to test in Shazzer: the character codes 72,101,108,108,111 spell "Hello" -->
<script>alert(String.fromCharCode(72,101,108,108,111))</script>
```
With the new toast dialog, when you fuzz this payload, Shazzer will show you each character’s code point, helping you understand exactly how the browser interprets each character.
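The per-character view the toast dialog gives can be reproduced outside the browser for a payload under review. The following JavaScript is an added example, not Shazzer's code; its printable-character heuristic and function names are its own. It walks the string by code point rather than UTF-16 unit, so it also reports characters above U+FFFF correctly, which matters for the 0-100000 range used in character range fuzzing.

```javascript
// Added example, not code from Shazzer or the original post: render a payload
// the way the toast dialog does, one entry per code point, with non-printable
// characters shown as hex. The "printable" heuristic is this example's own.

// C0 controls, DEL, C1 controls, separators, format characters and lone
// surrogates are treated as non-printable; a plain space stays visible.
function isPrintable(cp) {
  if (cp < 0x20 || (cp >= 0x7f && cp <= 0x9f)) return false;
  const ch = String.fromCodePoint(cp);
  return ch === ' ' || !/[\p{Z}\p{Cf}\p{Cs}]/u.test(ch);
}

// Iterate by code point rather than UTF-16 unit, so characters above U+FFFF
// (relevant when fuzzing the 0-100000 range) appear once, not as two halves.
function describePayload(payload) {
  const entries = [];
  for (const ch of payload) {
    const cp = ch.codePointAt(0);
    const hex = cp.toString(16).toUpperCase();
    const printable = isPrintable(cp);
    entries.push({
      dec: cp,
      hex: 'U+' + hex.padStart(4, '0'),
      preview: printable ? ch : '<' + hex.padStart(2, '0') + '>',
      printable,
    });
  }
  return entries;
}

// Compact one-line rendering: preview(decimal) per character.
function renderPayload(payload) {
  return describePayload(payload).map(e => `${e.preview}(${e.dec})`).join(' ');
}

// Constructed sample: tab, CR and LF hidden inside a tag, the characters the
// text above singles out (ASCII 9, 13, 10).
const SAMPLE = '<img\tsrc=x\r\nonerror=alert(1)>';
console.log(renderPayload(SAMPLE));
```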
2. Leveraging Character Encoding for XSS Filter Bypass
Attackers frequently use character encoding techniques to bypass XSS filters that rely on detecting specific keywords or patterns. Understanding character codes is fundamental to crafting effective bypasses.
Common Encoding Techniques:
| Encoding Type | Example | Use Case |
|---|---|---|
| Decimal | `&#72;&#101;&#108;&#108;&#111;` | HTML entity encoding |
| Hexadecimal | `&#x48;&#x65;&#x6C;&#x6C;&#x6F;` | HTML hex encoding |
| Unicode | `\u0048\u0065\u006C\u006C\u006F` | JavaScript Unicode escapes |
| Hex escapes | `\x48\x65\x6C\x6C\x6F` | JavaScript hex escapes |
Step-by-Step Guide: Building an Encoded XSS Payload
- Identify the injection point – Determine if you’re injecting into HTML, JavaScript, or attribute context
- Choose your encoding – Select the appropriate encoding based on the context and filter
- Encode the payload – Use tools like Shazzer’s Unicode table to find the right character codes
- Test with Shazzer – Use the improved toast dialog to verify each character’s representation
- Refine and iterate – Adjust encoding based on browser behavior
Linux Command – Generating Encoded Payloads:

```bash
# Convert a string to JavaScript hex escapes (-n: no trailing newline byte)
echo -n "alert('XSS')" | xxd -p | sed 's/\(..\)/\\x\1/g'
# Output: \x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29

# Convert to decimal HTML character references (one &#NNN; per byte)
echo -n "alert('XSS')" | od -An -tu1 -v | xargs -n1 printf '&#%d;'; echo
# Output: &#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;
```
Windows PowerShell Command:

```powershell
# Convert string to hex (UTF-8 bytes, uppercase, separators removed)
[System.BitConverter]::ToString([System.Text.Encoding]::UTF8.GetBytes("alert('XSS')")) -replace '-',''
# Output: 616C65727428275853532729
```
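From the filtering side, the encodings in the table and the commands above only defeat a check that inspects the raw input. The following JavaScript, an added example rather than code from the post or from Shazzer, decodes the four forms to their canonical characters before matching, which is the step a keyword filter or WAF rule needs; function names and the sample strings are constructed for this example.

```javascript
// Added example, not from the original post or from Shazzer: undo the four
// encodings in the table above so a filter inspects the string the browser
// will actually see. Function names are this example's own.

// HTML numeric character references, decimal (&#72;) and hex (&#x48;).
// Browsers also accept a missing ';', so the pattern makes it optional.
function decodeHtmlNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, body) => {
    const cp = /^x/i.test(body) ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// JavaScript string escapes: \u0048, \u{48} and \x48.
function decodeJsEscapes(s) {
  return s.replace(/\\u\{([0-9a-f]+)\}|\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (m, braced, u4, x2) => {
      const cp = parseInt(braced || u4 || x2, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    });
}

// Decode HTML first, then JS, and repeat until nothing changes: an attribute
// value is entity-decoded before the handler it lands in parses JS escapes.
function canonicalize(s, maxRounds = 5) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeJsEscapes(decodeHtmlNumericRefs(prev));
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

// A keyword check applied before decoding misses every encoded form; the same
// check applied to the canonical form catches them.
const KEYWORDS = /alert\s*\(|<script/i;
function naiveFilterFlags(s) { return KEYWORDS.test(s); }
function normalizedFilterFlags(s) { return KEYWORDS.test(canonicalize(s)); }
// Constructed samples built from the table's encodings, all spelling alert(1).
const SAMPLES = [
  '&#97;&#108;&#101;&#114;&#116;(1)',        // decimal entities
  '&#x61;&#x6C;&#x65;&#x72;&#x74;(1)',       // hex entities
  '\\u0061\\u006C\\u0065\\u0072\\u0074(1)',  // JS Unicode escapes
  '\\x61\\x6C\\x65\\x72\\x74(1)',             // JS hex escapes
];
for (const s of SAMPLES) {
  console.log(naiveFilterFlags(s), normalizedFilterFlags(s), canonicalize(s));
}
```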
3. Collaborative Fuzzing: The Power of Shared Browser Resources
One of Shazzer’s most innovative features is its distributed fuzzing architecture. By opting in, your browser automatically runs fuzz tests contributed by other researchers while you browse the site. This crowdsourced approach enables rapid testing across different browsers and versions.
How to Use Shazzer’s Collaborative Features:
1. Visit Shazzer.co.uk and create an account
2. Opt into the distributed network to contribute your browser’s computing power
3. Create or join a team for collaborative fuzzing projects
4. Share vectors with the community and benefit from others’ discoveries
5. Use the toast dialog to analyze results from community-contributed fuzz tests
The collaborative nature means that when one researcher discovers a new vector, the entire community benefits immediately. This is particularly powerful for identifying browser-specific quirks that might otherwise go unnoticed.
4. Practical Fuzzing Techniques with Shazzer
Shazzer supports multiple fuzzing modes and techniques that can be enhanced using the new toast dialog visualization.
Key Fuzzing Techniques:
A. Character Range Fuzzing
Test all characters from 0-100000 to identify which ones trigger unexpected behavior. The toast dialog helps visualize non-printable characters that might otherwise be invisible.
B. Context-Aware Fuzzing
Use Shazzer’s preparation code to set up specific contexts before fuzzing:
```html
<!-- Shazzer pro tip: suppress error logging during fuzz tests -->
<script>window.onerror = () => true;</script>
```
This stops exceptions from being logged, allowing cleaner testing of XSS vectors.
C. Property Discovery
Use Shazzer’s initialization code to discover properties on window, document, and other objects across different browsers.
```javascript
// Discover window properties across browsers
Object.getOwnPropertyNames(window).forEach(p => console.log(p));
```
Step-by-Step Fuzzing Workflow:
- Select a fuzz type – HTML parsing, JavaScript execution, or custom
- Define your vector – Enter the payload template with placeholders
- Configure preparation code – Set up the execution environment
- Run the fuzz test – Click “Test Fuzz” or “Fuzz”
- Analyze the toast dialog – Review character codes and previews
- Document findings – Share successful vectors with the community
5. Advanced XSS Vector Discovery and Analysis
Gareth Heyes is known for creating “super-elegant XSS vectors” and pioneering research into DOM-based XSS. Shazzer embodies this approach by providing a platform for systematic vector discovery.
Common XSS Vector Categories to Test:
| Category | Example | Bypass Technique |
|---|---|---|
| Event handlers | `onerror=alert(1)` | Attribute injection |
| JavaScript URLs | `javascript:alert(1)` | Protocol bypass |
| SVG vectors | `


