The Spanner

Continuing the theme of fuzzers, I’ve wrote a Javascript protocol fuzzer. The goal was to try and produce every variation of javascript execution from links. It uses PHP and Javascript in order to maximize the speed of scanning, this means it can scan around 5000 links at a time.

Any ideas on improving the options or other variations would be really helpful. It’s found some good stuff so far but I’m sure it can do more, rather than show you the results I’ll let you experiment for yourself.

Fuzzer demo

How it works

It creates invisible normal HTML links based on “javascript:” it then inserts/replaces characters with the options chosen. Javascript then examines the link to see if the protocol is javascript and not http.

Options

Number of characters - This inserts between 1 and 10 characters in the chosen position

Character position - The string position of the characters chosen. E.g. if you choose “0″ then the “j” will be replaced or appended.

Replace character - Simply replaces the character rather than add characters to the position.

Url encode - Urlencodes the vector before outputting the link.

HTML hex entity encode - Instead of output the character, it uses the HTML hex entity instead.

HTML dec entity encode - Instead of output the character, it uses the HTML decimal entity instead.

Semi-colons - Adds a semi-colon if HTML entities are used.

Random zero fill - Adds a bunch of random zeros if entities are used.

Start from - Is the starting character to begin the fuzz. E.g “0″ is null