Hackvertor fuzzing tool

Tuesday, 18 December 2007

I’ve created a separate tool for HTML/JS fuzzing, I decided to do this because Hackvertor does all the hard work of conversion and I can simply extend the functionality without writing much code. The tool is already very powerful and lets you traverse unicode characters and perform whatever conversions you require and in any position in a tag. The tool features javascript logging and it’s purpose is to find combinations of characters which cause javascript execution.

How do I use it?

The idea is you place the required code in the code window and you use placeholders like *unicodeCharacter* which is the current unicode character. *charNum* contains the unicode character number, *input* stores the original data before conversion, *output* shows the the code which triggered the javascript execution (if any). The input box “Uni Character position” tells the fuzzer were to start the character from and the “Code to generate” specifies the amount of code that the fuzzer should run through.

This is powerful because you can now automate the process of logging with the “logFuzz” callback and combine it with Hackvertor’s conversion tags, so you can traverse unicode characters and convert each one in turn to hex entities, octal and urlencode etc. It currently only works on Firefox because it uses the base64 encode/decode native functions but I may expand it in future to allow other browsers.

Update…

The tool now accepts unicode characters higher than 256. Big thanks to David (AKA Thornmaker) who suggested using a Hackvertor tag rather than the raw unicode string, excellent suggestion! πŸ˜€
I’ve removed the *output* placeholder because of problems with unicode characters in String.Replace, you can still get the input string though which can be used in the main Hackvertor tool to get the raw output.

Check it out here:-
Hackvertor fuzzing tool

The entry 'Hackvertor fuzzing tool' was posted on December 18th, 2007 at 2:11 pm and last modified on December 18th, 2007 at 4:48 pm, and is filed under fuzzing, hackvertor, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

6 Responses to “Hackvertor fuzzing tool”

  1. Gareth Heyes writes:
    No. 1 — December 18th, 2007 at 2:51 pm

    Humph…String.Replace doesn’t support the full unicode character set, when using high unicode numbers it results in a javascript error πŸ™ anyone any ideas on how to use higher numbers in unicode with String.Replace?

    If it’s not possible I’ll just have to match the string another way.

  2. Gareth Heyes writes:
    No. 2 — December 18th, 2007 at 4:16 pm

    Whoo hoo fixed!

  3. Master Ternary Li writes:
    No. 3 — December 18th, 2007 at 5:37 pm

    It appears to be working fine beyond ascii-land now.

    I think there’s some looping problem with the output window… it displays:
    Character:8
    Character:8Character:9
    Character:8Character:9Character:10
    Character:8Character:9Character:10
    Character:8Character:9Character:10
    Character:8Character:9Character:10Character:13

    I removed (some) new lines chars and the Input: line to keep it short.

  4. Gareth Heyes writes:
    No. 4 — December 18th, 2007 at 7:09 pm

    Hmmmm thanks I’ll look into that

  5. Gareth Heyes writes:
    No. 5 — December 18th, 2007 at 10:39 pm

    Fixed the duplicate notices and now it should be much faster πŸ™‚ also added a extra form field for easy copy n paste instead of alerts.

  6. Gareth Heyes writes:
    No. 6 — December 19th, 2007 at 9:34 am

    Should be much faster now πŸ˜€

«
»