XSS tag fuzzer

It’s been a while since I’ve blogged but I’m pretty busy at the moment with my new baby and also moving jobs as I was made redundant. I thought I’d combine my work with my blogging as I’m working on some XSS vectors for IE8.

During the process I built a simple tag fuzzer which throws every event and attribute at every tag I could find (big thanks to rsnake for the events). At the moment it’s a basic fuzzer that only tries the standard events/attributes, but I plan to add encodings and random characters to make it better.

One interesting discovery so far is that the applet, iframe and script tags have a new event in IE8 (at least I think it’s new), onreadystatechange, which allows you to execute inline JS, e.g.:

<applet onreadystatechange=alert(1)>

Only tested in IE8 but could work in other browsers.
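To turn the post’s tag × event approach into a regression check for an input filter, here is an added example (not the author’s fuzzer): it generates the tag/event combinations and shows how a filter that blocks only a fixed list of event names lets onreadystatechange through, whereas stripping every on* attribute does not. The two filter functions and the events other than onreadystatechange are constructed for illustration.

```python
import itertools
import re

# Tags named in the post and in the MSDN quote from the comments;
# the event names other than onreadystatechange are constructed samples.
TAGS = ["applet", "iframe", "script", "img", "object", "frame", "link"]
EVENTS = ["onreadystatechange", "onload", "onerror", "onclick"]

# Matches any on*="..." / on*='...' / on*=bare attribute inside a tag.
ATTR_RE = re.compile(r'\s+(on\w+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)


def generate_vectors(tags=TAGS, events=EVENTS, payload="alert(1)"):
    """Yield one test string per tag/event pair, as the post's fuzzer does."""
    for tag, event in itertools.product(tags, events):
        yield f"<{tag} {event}={payload}>"


# Hypothetical filter 1: a blocklist of known event names (onreadystatechange
# is missing, which is exactly the kind of gap the fuzzer is meant to find).
BLOCKLIST = {"onload", "onerror", "onclick"}


def blocklist_sanitize(html):
    """Remove only event attributes whose name is on the blocklist."""
    return ATTR_RE.sub(
        lambda m: "" if m.group(1).lower() in BLOCKLIST else m.group(0), html
    )


# Hypothetical filter 2: drop every on* attribute regardless of its name.
def strip_all_handlers(html):
    """Remove any attribute whose name starts with 'on'."""
    return ATTR_RE.sub("", html)


def find_survivors(sanitize, vectors):
    """Return the vectors that still carry an event handler after filtering."""
    return [v for v in vectors if ATTR_RE.search(sanitize(v))]


if __name__ == "__main__":
    vectors = list(generate_vectors())
    for name, fn in [("blocklist", blocklist_sanitize), ("strip-all", strip_all_handlers)]:
        survivors = find_survivors(fn, vectors)
        print(f"{name}: {len(survivors)} of {len(vectors)} vectors survive")
        for v in survivors:
            print("  ", v)
```

A regex pass like this is only a test oracle; a production filter should parse the HTML and work from an attribute allowlist rather than pattern-matching the raw string.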

2 Responses to “XSS tag fuzzer”

  1. Rob Ragan writes:

    The onreadystatechange event was added in IE7.

    From MSDN:
    All elements expose an onreadystatechange event. The following objects always fire the event because they load data: applet, document, frame, frameSet, iframe, img, link, object, script, and xml elements.

    http://msdn.microsoft.com/en-us/library/ms536957(VS.85).aspx

  2. Gareth Heyes writes:

    @Rob

    Thanks for the info