Security Test - Obfuscated

Collector Log

Payloads in the Live Output column run automatically in sandboxed iframes. Fetch and beacon calls appear here (auto-refreshes every 2 s).

Obfuscated Security Test Cases

| Case | Name | Payload | Expected Behavior | Live Output |
|------|------|---------|-------------------|-------------|
| G1 | URL-encoded script | `%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E` | Crawler output should not decode this into active script HTML during display. | |
| G2 | Mixed-case script tags | `<ScRiPt>fetch('/collect/mixed?c=' + document.cookie)</sCrIpT>` | Crawler output should not treat mixed-case tags as executable HTML. | |
| G3 | Split across attributes | `<img src="x" onerror="this['on'+'error']=null;fetch('/collect/split?c='+document.cookie)">` | Crawler output should not render reconstructed handler logic. | |
| G4 | Base64 plus atob | `<script>eval(atob('ZmV0Y2goJy9jb2xsZWN0L2I2ND9jPScrZG9jdW1lbnQuY29va2llKQ=='))</script>` | Crawler output should keep encoded script loaders inert. | |
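
The expected behaviors above all depend on where the crawler's report escapes captured text. As an added example (not part of this test page), the following runs the four payloads through two hypothetical renderers: `render_unsafe` escapes and then URL-decodes, `render_safe` decodes and then escapes. The function names and the `is_inert` check are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Payloads copied verbatim from cases G1-G4 in the table above.
CASES = {
    "G1": "%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E",
    "G2": "<ScRiPt>fetch('/collect/mixed?c=' + document.cookie)</sCrIpT>",
    "G3": "<img src=\"x\" onerror=\"this['on'+'error']=null;fetch('/collect/split?c='+document.cookie)\">",
    "G4": "<script>eval(atob('ZmV0Y2goJy9jb2xsZWN0L2I2ND9jPScrZG9jdW1lbnQuY29va2llKQ=='))</script>",
}


def render_unsafe(text: str) -> str:
    """Hypothetical report renderer with the wrong order: escape, then URL-decode.

    G1 contains no HTML metacharacters while encoded, so escaping is a no-op
    and the later decode produces a live <script> tag.
    """
    return unquote(html.escape(text, quote=True))


def render_safe(text: str) -> str:
    """Decode first (only if the report decodes at all), escape last.

    Escaping works per character, so tag case (G2), attribute tricks (G3)
    and encoded loaders (G4) make no difference to the result.
    """
    return html.escape(unquote(text), quote=True)


def is_inert(markup: str) -> bool:
    """True when no raw <, > or quote remains that could open a tag or attribute."""
    return re.search(r"[<>\"']", markup) is None


def audit(render) -> dict:
    """Map each case id to whether the renderer's output for it is inert."""
    return {case: is_inert(render(payload)) for case, payload in CASES.items()}


if __name__ == "__main__":
    print("escape-then-decode:", audit(render_unsafe))
    print("decode-then-escape:", audit(render_safe))
```

Only G1 separates the two renderers, which is why a fixture set needs an encoded case alongside the literal-tag cases.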
