Javascript protocol fuzzer

Continuing the theme of fuzzers, I’ve wrote a Javascript protocol fuzzer. The goal was to try and produce every variation of javascript execution from links. It uses PHP and Javascript in order to maximize the speed of scanning, this means it can scan around 5000 links at a time.

Any ideas on improving the options or other variations would be really helpful. It’s found some good stuff so far but I’m sure it can do more, rather than show you the results I’ll let you experiment for yourself.

Fuzzer demo

How it works

It creates invisible normal HTML links based on “javascript:” it then inserts/replaces characters with the options chosen. Javascript then examines the link to see if the protocol is javascript and not http.

Options

Number of characters – This inserts between 1 and 10 characters in the chosen position

Character position – The string position of the characters chosen. E.g. if you choose “0” then the “j” will be replaced or appended.

Replace character – Simply replaces the character rather than add characters to the position.

Url encode – Urlencodes the vector before outputting the link.

HTML hex entity encode – Instead of output the character, it uses the HTML hex entity instead.

HTML dec entity encode – Instead of output the character, it uses the HTML decimal entity instead.

Semi-colons – Adds a semi-colon if HTML entities are used.

Random zero fill – Adds a bunch of random zeros if entities are used.

Start from – Is the starting character to begin the fuzz. E.g “0” is null

7 Responses to “Javascript protocol fuzzer”

  1. Gareth Heyes writes:

    The fuzzer now adds characters upwards when selecting more than one character. E.g.

    java�script:

    Added a new htmlspecial char encode option

  2. Morgan Roderick writes:

    Awesome work Gareth!

    I hope you will publish the results or try to share them via other sites, such as:

    http://ha.ckers.org/xss.html

  3. Gareth Heyes writes:

    Thanks Morgan

    Yes the results are available in a XML with each browser specified:-

    http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/vectors.xml

  4. superhei writes:

    can you share your javascript-protocol-fuzzer codz for me?

    thx :)

  5. Gareth Heyes writes:

    @superhei

    Yeah no problem the source is completely free:-
    http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.phps

  6. superhei writes:

    thank you

  7. Gareth Heyes writes:

    No probs :)