More Javascript fuzzing

I’ve rewritten my Javascript fuzzer to include more options: this version lets you choose events, HTML attributes and various quote options. If you have any suggestions, or attributes/events you would like me to include, then please leave a comment. The fuzzer also now carries the branding of my site, which I recently redesigned.

Update…

I’ve updated my fuzzer again; it now includes a load of new options, including javascript execution from within style tags and randomisation of the javascript: call.

Check it out here:-
JS Fuzzer version 2

8 Responses to “More Javascript fuzzing”

  1. .mario writes:

    Hi Gareth,

    nice tool! But why not display more than one result – it’s pretty annoying that one has to click over and over again. I think displaying 20 – 50 results would be cool.

    Also it would be great not to work with alert() but with row coloring. Just overwrite alert to color the table row green where it’s originating or sth similar.

    BTW: Have you tried the mozilla fuzzer? It’s pretty cool and it would enrich your fuzzer if you’d add maybe another tab with the fuzzer output from Rhino – also limited to 20-50 statements.

    What do you think?

    Greetings,
    .mario

  2. Gareth Heyes writes:

    Thanks Mario

    Yeah I’ll change the way it outputs and allow 50 results. Good suggestions thanks 🙂

    I’ve not looked at the Mozilla one yet, I’ll check it out though.

    Expect an update soon

  3. .mario writes:

    cool – looking forward to that!

  4. Gareth Heyes writes:

    I’ve uploaded a new version now. There’s no logging on the system because I haven’t had time to sort it out but if anyone gets javascript execution please let me know.

    It’s worked 3 times for me using the following:
    1.
    <body 'onload="alert(1);" class="javascript:alert(2);">test</body>
    2.
    <body "onload="alert(1);" class="javascript:alert(2);">test</body>
    3. Character number : 13 before the handler

  5. .mario writes:

    Hi
    damn cool – thanks!

    But – some more suggestions:
    – src and rel attributes are missing
    – object, embed and style tags are missing
    – all-option for tags and quotes would be cool
    – quotes are missing backticks
    – if ‘show code’ could probe for firebug and show the code in the console it would be awesome for copy&paste issues

    Great work – it’s becoming really usable!

    Greetings,
    .mario

  6. .mario writes:

    sorry – I meant ‘all’-option for tags and attributes…

  7. Gareth Heyes writes:

    Thanks for the suggestions Mario 🙂

    I shall sort them out tonight, I’m going to store the results of any javascript execution as well. Then I can provide a table for everyone to see.

  8. Gareth Heyes writes:

    I’ve updated the fuzzer, it now includes:

    1. All html tags and attributes.
    2. Send code to Firebug.
    3. Lowercase, Uppercase, Random case for tags, events and attributes.
    4. You can now specify the character range.
    5. Fuzzing of HTML tags.
    6. Backticks in the quote style.
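The feature list above (quote styles including backticks, lower/upper/random case, a configurable character range injected before the handler, as in the comment 4 findings) describes mutation axes rather than code. The following is an added example, not Gareth's fuzzer or any code from this page: it generates those mutations over one constructed tag/event/attribute triple and measures how many slip past a naive filter versus a check that normalises case and quoting. All names, the regexes and the sample values are assumptions of this example.

```python
import itertools
import random
import re

# Constructed sample tokens (not output from the page's fuzzer).
TAG = "body"
EVENT = "onload"
ATTR = "class"
PAYLOAD = "alert(1);"                 # placeholder marking "handler ran"
QUOTE_STYLES = ['"', "'", "`", ""]    # double, single, backtick, unquoted
CASE_MODES = ("lower", "upper", "random")


def recase(word, mode, rng):
    """Lowercase, uppercase or per-character random case for one token."""
    if mode == "lower":
        return word.lower()
    if mode == "upper":
        return word.upper()
    return "".join(rng.choice((c.lower(), c.upper())) for c in word)


def generate_cases(seed=0, char_range=range(0, 33)):
    """Yield one test string per (quote style, case mode, injected character).
    The character from char_range is placed just before the event handler,
    mirroring the "character number 13 before the handler" finding."""
    rng = random.Random(seed)
    for quote, mode, code in itertools.product(QUOTE_STYLES, CASE_MODES, char_range):
        tag, event, attr = (recase(t, mode, rng) for t in (TAG, EVENT, ATTR))
        yield (f"<{tag} {chr(code)}{event}={quote}{PAYLOAD}{quote} "
               f"{attr}={quote}test{quote}>x</{tag}>")


# Naive blocklist of the kind these mutations defeat: exact lowercase, one quote style.
NAIVE = re.compile(r'\bonload="')


def naive_filter_blocks(s):
    return bool(NAIVE.search(s))


# Normalising check: any case, any quote style, junk before the handler name.
# Still a regex for demonstration; a real sanitizer should parse the markup.
NORMALISED = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)


def normalised_filter_blocks(s):
    return bool(NORMALISED.search(s))


def evasion_rate(check, seed=0):
    """Fraction of generated cases that `check` fails to block (lower is better)."""
    cases = list(generate_cases(seed))
    return sum(1 for c in cases if not check(c)) / len(cases)
```

Running `evasion_rate(naive_filter_blocks)` shows most mutations pass the naive filter, while the normalising check blocks every case the generator produces.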