Javascript protocol fuzz results

Well it seems that Firefox 2.0.0.14 has provided the most interesting results with my protocol fuzzer.

Char: 56320, link: jav�ascript:
Char: 56321, link: jav�ascript:
Char: 56322, link: jav�ascript:
Char: 56323, link: jav�ascript:
Char: 56324, link: jav�ascript:
Char: 56325, link: jav�ascript:
,, ,, ,, ,,

All the way to:-

char: 57343, link: jav�ascript:  

and hex entities but with a semi-colon:-

From:
Char: 56320, link: jav�ascript:

To:
Char: 57343, link: jav�ascript:

It means code like this works in Firefox 2.0.0.14:-

test 

More oddities were found but nothing as interesting as the above.

The ever changing XML file can be found here which stores the vectors by platform and browser versions:-

Vectors XML

Update…

Opera strangeness too…

Char:2048,Link:javascriptࠀ:
Char:2304,Link:javascriptऀ:
Char:3328,Link:javascriptഀ:
Char:3840,Link:javascriptༀ:
Char:4096,Link:javascriptက:
Char:4256,Link:javascriptႠ:
Char:4352,Link:javascriptᄀ:
Char:4608,Link:javascriptሀ:
Char:4864,Link:javascriptጀ:

Plus nbsp is allowed here:-
Char:160,Link: javascript:

There are more, higher ones too :)

11 Responses to “Javascript protocol fuzz results”

  1. Mikael Gueck writes:

    Could you make the vectors.xml file downloadable with wget, please?

  2. Gareth Heyes writes:

    Easy spoof the user agent e.g.

    curl -A ‘Internet Explorer’ http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/vectors.xml

  3. Mikael Gueck writes:

    Certainly, but you have to spoof the referer as well.

  4. Gareth Heyes writes:

    @Mikael

    I see your point, you now should be able to download the file with wget without spoofing.

  5. Chris Weber writes:

    Gareth, I think we’ve been doing some similar testing in this area, might be nice to chat sometime. I’ve got some other interesting results in all the browsers as well. Are you planning to be in Redmond sometime before Bluehat?

  6. Gareth Heyes writes:

    Hey Chris awesome blog! I’ve bookmarked it :) I’m from the UK so getting to Redmond before Bluehat would be difficult however I might have time just before or after.

  7. Chris Weber writes:

    Very interesting Gareth – the stuff in Firefox is the entire UTF-16 surrogate range U+DC00 to U+DFFF. Surrogates have no meaning in UTF-8 so this is weird – were you using a meta tag or HTTP header to set charset=utf-8 in your testing?

    The Opera stuff makes no sense at all to me :) Haha, wow, these code points don’t have anything in common in terms of Unicode general categories or binary properties.

    Did you see my post about whitespace in Opera?

    http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/

    I haven’t tried out your Opera links but plan to see if I can figure out what’s going on there.

  8. Gareth Heyes writes:

    @Chris

    That’s a good point I’ve not even tried fuzzing with different charsets, at the moment it isn’t specified. I may include this option.

    Yeah seen your post about that, it’s similar to the direction reversal chars mario found when implementing phpids.

    I’ve not tried the latest version of Opera they could have been fixed because it’s been quite a while.

  9. Gareth Heyes writes:

    And as if by magic the fuzzer now contains charsets:-

    http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.php?charset=UTF-8

  10. Gareth Heyes writes:

    Opera now has more :D in the latest version:-
    http://www.thespanner.co.uk/2008/09/18/javascript-protocol-fuzzer-and-opera/

  11. Abeon Tech writes:

    Seems like they are opening more holes in each release……

    Why don’t some people ever learn :D