XSS tag fuzzer

Wednesday, 18 June 2008

It’s been a while since I’ve blogged but I’m pretty busy at the moment with my new baby and also moving jobs as I was made redundant. I thought I’d combine my work with my blogging as I’m working on some XSS vectors for IE8.

During the process I built a simple tag fuzzer which throws all events and attributes at it with as many tags I could find (big thanks to rsnake for the events). At the moment this is just a basic fuzzer which attempt the standard events/attributes but I plan to add encodings and random characters to make it better.

One interesting discovery so far was that the applet, iframe and script have a new event in IE8 (at least I think it’s new) onreadystatechange which allows you to execute inline JS e.g.:-

<applet onreadystatechange=alert(1)>

Only tested in IE8 but could work in other browsers.
XSS tag fuzzer

The entry 'XSS tag fuzzer' was posted on June 18th, 2008 at 6:26 pm and last modified on August 27th, 2009 at 2:44 pm, and is filed under fuzzing, javascript, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “XSS tag fuzzer”

  1. Rob Ragan writes:
    No. 1 — June 19th, 2008 at 3:05 pm

    The onreadystatechange event was added in IE7.

    From MSDN:
    All elements expose an onreadystatechange event. The following objects always fire the event because they load data: applet, document, frame, frameSet, iframe, img, link, object, script, and xml elements.

    http://msdn.microsoft.com/en-us/library/ms536957(VS.85).aspx

  2. Gareth Heyes writes:
    No. 2 — June 19th, 2008 at 3:21 pm

    @Rob

    Thanks for the info

«
»