Javascript protocol fuzz results
Monday, 30 June 2008
Well, it seems that Firefox 2.0.0.14 has provided the most interesting results so far from my javascript: protocol fuzzer. It accepts any of the following characters between the scheme name and the colon, supplied as a decimal character entity, and still treats the link as javascript:-
Char: 56320, link: javascript:
Char: 56321, link: javascript:
Char: 56322, link: javascript:
Char: 56323, link: javascript:
Char: 56324, link: javascript:
Char: 56325, link: javascript:
All the way to:-
Char: 57343, link: javascript:
That is decimal 56320 to 57343, or U+DC00 to U+DFFF: the entire UTF-16 low surrogate range.
The same range also works as hex entities when they are terminated with a semi-colon:-
From:
Char: 56320, link: javascript:
To:
Char: 57343, link: javascript:
It means code like this works in Firefox 2.0.0.14:-
test
More oddities were found but nothing as interesting as the above.
The ever-changing XML file, which stores the vectors by platform and browser version, can be found here:-
Update…
Opera strangeness too…
Char: 2048, link: javascriptࠀ:
Char: 2304, link: javascriptऀ:
Char: 3328, link: javascriptഀ:
Char: 3840, link: javascriptༀ:
Char: 4096, link: javascriptက:
Char: 4256, link: javascriptႠ:
Char: 4352, link: javascriptᄀ:
Char: 4608, link: javascriptሀ:
Char: 4864, link: javascriptጀ:
Plus nbsp (U+00A0) is allowed here:-
Char: 160, link: javascript :
There are more, higher ones too.
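Added example, not part of the original post or of the fuzzer it describes. The Node.js script below rebuilds the kind of vector the output above describes (a code point injected between the scheme name and the colon, as a decimal or hex character reference) and runs it through two checks: a literal "javascript:" blocklist of the sort these vectors get past, and a strict check that decodes the reference, takes the text before the first colon as the scheme, requires it to be a syntactically valid RFC 3986 scheme and compares it against an allowlist. The alert(1) payload, the allowlist contents and all function names are my assumptions; the code points are the ones listed in the post.

```javascript
// Added example, not the post's fuzzer. Vectors are rebuilt from the code
// points in the post; the alert(1) payload is an assumption.
'use strict';

// Decode numeric character references (&#NNN, &#NNN; and &#xHHH;) the way an
// HTML parser would when reading an href attribute. Named references are
// deliberately out of scope here.
function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (match, num) => {
    const cp = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    if (cp > 0x10FFFF) return match;       // not a code point, leave untouched
    return String.fromCodePoint(cp);        // lone surrogates come back as-is
  });
}

// Build one fuzz vector: "javascript" + reference for codePoint + ":" + payload.
// style 'dec' gives a decimal reference without semicolon (the post's first
// batch); 'hex' gives a hex reference with semicolon (the second batch).
function buildVector(codePoint, style) {
  const ref = style === 'hex'
    ? '&#x' + codePoint.toString(16).toUpperCase() + ';'
    : '&#' + codePoint;
  return 'javascript' + ref + ':alert(1)';
}

// The kind of filter the vectors slip past: a literal match on the raw
// attribute value, which never sees the injected character or the decoded form.
function naiveBlocklistAllows(href) {
  return !/^\s*javascript:/i.test(href);
}

// Strict check: decode first, then the scheme must be ASCII letters, digits,
// "+", "-" or "." only (RFC 3986 syntax) and sit in an allowlist. A surrogate,
// NBSP or U+0800 inside the scheme fails the syntax test, so the check does not
// need to know which oddities a particular browser happens to tolerate.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

function schemeOf(href) {
  const decoded = decodeNumericEntities(href);
  const colon = decoded.indexOf(':');
  return colon === -1 ? null : decoded.slice(0, colon);
}

function strictAllowlistAllows(href) {
  const scheme = schemeOf(href);
  if (scheme === null) return true;          // no colon at all: relative URL
  if (!/^[A-Za-z][A-Za-z0-9+.-]*$/.test(scheme)) return false;
  return ALLOWED_SCHEMES.has(scheme.toLowerCase());
}

// Run both checks over a list of code points and report the decoded scheme so
// the Firefox and Opera results can be compared side by side.
function fuzz(codePoints, style) {
  return codePoints.map((cp) => {
    const vector = buildVector(cp, style);
    return {
      codePoint: cp,
      hex: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      vector,
      decodedScheme: schemeOf(vector),
      naiveAllows: naiveBlocklistAllows(vector),
      strictAllows: strictAllowlistAllows(vector),
    };
  });
}

// Code points from the post: both ends of the Firefox low surrogate range,
// NBSP, and the Opera values.
const POST_CODE_POINTS = [56320, 57343, 160, 2048, 2304, 3328, 3840, 4096, 4256, 4352, 4608, 4864];

for (const r of fuzz(POST_CODE_POINTS, 'dec')) {
  console.log(r.hex, JSON.stringify(r.vector), 'naive allows:', r.naiveAllows, 'strict allows:', r.strictAllows);
}
```

Every vector in the list passes the literal blocklist and fails the strict check; so does a fully encoded scheme such as `&#106;avascript:`, because the check decodes before comparing. The strict check is deliberately conservative: a relative URL containing a colon later in its path is rejected as well, which is the right failure direction for an href sanitizer.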
No. 1 — July 1st, 2008 at 5:13 am
Could you make the vectors.xml file downloadable with wget, please?
No. 2 — July 1st, 2008 at 9:07 am
Easy, spoof the user agent, e.g.
curl -A 'Internet Explorer' http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/vectors.xml
No. 3 — July 2nd, 2008 at 3:29 am
Certainly, but you have to spoof the referer as well.
No. 4 — July 2nd, 2008 at 8:40 am
@Mikael
I see your point, you should now be able to download the file with wget without spoofing.
No. 5 — September 7th, 2008 at 3:54 am
Gareth, I think we’ve been doing some similar testing in this area, might be nice to chat sometime. I’ve got some other interesting results in all the browsers as well. Are you planning to be in Redmond sometime before Bluehat?
No. 6 — September 7th, 2008 at 6:16 pm
Hey Chris, awesome blog! I've bookmarked it. I'm from the UK so getting to Redmond before Bluehat would be difficult, however I might have time just before or after.
No. 7 — September 18th, 2008 at 12:01 am
Very interesting Gareth – the stuff in Firefox is the entire UTF-16 surrogate range U+DC00 to U+DFFF. Surrogates have no meaning in UTF-8 so this is weird – were you using a meta tag or HTTP header to set charset=utf-8 in your testing?
The Opera stuff makes no sense at all to me. Haha, wow, these code points don't have anything in common in terms of Unicode general categories or binary properties.
Did you see my post about whitespace in Opera?
http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/
I haven’t tried out your Opera links but plan to see if I can figure out what’s going on there.
No. 8 — September 18th, 2008 at 7:26 am
@Chris
That's a good point, I've not even tried fuzzing with different charsets; at the moment it isn't specified. I may include this option.
Yeah, seen your post about that; it's similar to the direction reversal chars Mario found when implementing PHPIDS.
I've not tried the latest version of Opera; they could have been fixed because it's been quite a while.
No. 9 — September 18th, 2008 at 7:48 am
And as if by magic the fuzzer now contains charsets:-
http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.php?charset=UTF-8
No. 10 — September 18th, 2008 at 8:23 am
Opera now has more in the latest version:-
http://www.thespanner.co.uk/2008/09/18/javascript-protocol-fuzzer-and-opera/
No. 11 — October 16th, 2008 at 11:56 am
Seems like they are opening more holes in each release…
Why don't some people ever learn?