XSS tag fuzzer
Wednesday, 18 June 2008
It’s been a while since I’ve blogged but I’m pretty busy at the moment with my new baby and also moving jobs as I was made redundant. I thought I’d combine my work with my blogging as I’m working on some XSS vectors for IE8.
During the process I built a simple tag fuzzer which throws all events and attributes at as many tags as I could find (big thanks to rsnake for the events). At the moment this is just a basic fuzzer which attempts the standard events/attributes, but I plan to add encodings and random characters to make it better.
One interesting discovery so far was that the applet, iframe and script tags have a new event in IE8 (at least I think it’s new), onreadystatechange, which allows you to execute inline JS, e.g.:
<applet onreadystatechange=alert(1)>
Only tested in IE8 but could work in other browsers.
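As an added example (this is not the post's own fuzzer, which is not published here), the Python below generates the tag x event cross-product the post describes and runs it against two constructed filters: a denylist that only knows a handful of handler names and so lets onreadystatechange through, and an attribute allowlist, which does not. The tag and event lists are abbreviated stand-ins for the full lists a real fuzzer would use.

```python
from html.parser import HTMLParser
from itertools import product

# Constructed, abbreviated lists; a real fuzzer uses every tag and event it can find.
TAGS = ["applet", "iframe", "script", "img", "object", "link"]
EVENTS = ["onload", "onerror", "onmouseover", "onreadystatechange"]

# A denylist filter that has only heard of a few handlers (deliberately incomplete).
KNOWN_EVENTS = {"onload", "onerror", "onmouseover", "onclick"}


def generate_cases(tags=TAGS, events=EVENTS, payload="alert(1)"):
    """Every tag/event pair in the unquoted form shown in the post."""
    return [f"<{tag} {event}={payload}>" for tag, event in product(tags, events)]


class AttrCollector(HTMLParser):
    """Collect (tag, attribute-name) pairs from every start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name.lower()) for name, _ in attrs)


def collect_attrs(html):
    parser = AttrCollector()
    parser.feed(html)
    return parser.attrs


def denylist_allows(html):
    """Passes markup unless it carries a handler name the filter knows about."""
    return not any(name in KNOWN_EVENTS for _, name in collect_attrs(html))


def allowlist_allows(html, allowed=("src", "alt", "href")):
    """Passes markup only if every attribute is on a short allowlist."""
    return all(name in allowed for _, name in collect_attrs(html))


def survivors(filter_fn, cases):
    """Fuzz cases that the given filter lets through unchanged."""
    return [case for case in cases if filter_fn(case)]


if __name__ == "__main__":
    cases = generate_cases()
    print("denylist misses:", survivors(denylist_allows, cases))   # the onreadystatechange cases
    print("allowlist misses:", survivors(allowlist_allows, cases))  # nothing
```

Adding a newly discovered event to the fuzzer's list is enough to show which of your filters depend on knowing every handler name in advance.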
No. 1 — June 19th, 2008 at 3:05 pm
The onreadystatechange event was added in IE7.
From MSDN:
All elements expose an onreadystatechange event. The following objects always fire the event because they load data: applet, document, frame, frameSet, iframe, img, link, object, script, and xml elements.
http://msdn.microsoft.com/en-us/library/ms536957(VS.85).aspx
No. 2 — June 19th, 2008 at 3:21 pm
@Rob
Thanks for the info