XSS tag fuzzer

By Gareth Heyes (@hackvertor)

Published 17 years 11 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

It's been a while since I've blogged but I'm pretty busy at the moment with my new baby and also moving jobs as I was made redundant. I thought I'd combine my work with my blogging as I'm working on some XSS vectors for IE8.

During the process I built a simple tag fuzzer which throws all events and attributes at it with as many tags I could find (big thanks to rsnake for the events). At the moment this is just a basic fuzzer which attempt the standard events/attributes but I plan to add encodings and random characters to make it better.

One interesting discovery so far was that the applet, iframe and script have a new event in IE8 (at least I think it's new) onreadystatechange which allows you to execute inline JS e.g.:-

Only tested in IE8 but could work in other browsers. XSS tag fuzzer

← Back to articles

XSS tag fuzzer

By Gareth Heyes (@hackvertor)

Published 17 years 11 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

← Back to articles

One interesting discovery so far was that the applet, iframe and script have a new event in IE8 (at least I think it's new) onreadystatechange which allows you to execute inline JS e.g.:-

Only tested in IE8 but could work in other browsers. XSS tag fuzzer

← Back to articles