Javascript protocol fuzz results

Well, it seems that Firefox 2.0.0.14 has provided the most interesting results with my protocol fuzzer.

Char: 56320, link: jav&#56320ascript:
Char: 56321, link: jav&#56321ascript:
Char: 56322, link: jav&#56322ascript:
Char: 56323, link: jav&#56323ascript:
Char: 56324, link: jav&#56324ascript:
Char: 56325, link: jav&#56325ascript:
…

All the way to:-

char: 57343, link: jav&#57343ascript:

and hex entities but with a semi-colon:-

From:
Char: 56320, link: jav&#xDC00;ascript:

To:
Char: 57343, link: jav&#xDFFF;ascript:

It means code like this works in Firefox 2.0.0.14:-

<a href="jav&#56325ascript:al&#56325ert(1)">test</a>

More oddities were found but nothing as interesting as the above.

The ever-changing XML file, which stores the vectors by platform and browser version, can be found here:-

Vectors XML

Update…

Opera strangeness too…

Char:2048,Link:javascript&#2048:
Char:2304,Link:javascript&#2304:
Char:3328,Link:javascript&#3328:
Char:3840,Link:javascript&#3840:
Char:4096,Link:javascript&#4096:
Char:4256,Link:javascript&#4256:
Char:4352,Link:javascript&#4352:
Char:4608,Link:javascript&#4608:
Char:4864,Link:javascript&#4864:
 
Plus nbsp is allowed here:-
Char:160,Link:&#160javascript:

There are more, higher ones too :)
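As an added example (not the post's code, and not something the fuzzer itself does), the JavaScript below shows why a naive `href` filter misses the results above and how a defensive check can handle them: it decodes numeric character references with optional semicolons, drops the code points these browsers are shown to ignore (surrogates, controls, NBSP), and rejects anything else unexpected before the colon rather than guessing, since the Opera list gives no rule to generalise. The scheme allow-list and the server-side filtering context are assumptions.

```javascript
// Added example (not the post's code); assumes it filters untrusted href values server-side.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric character references the way the fuzzed browsers do:
// decimal or hex, semicolon optional (hex without ';' greedily eats
// following hex digits, exactly as a tolerant parser would).
function decodeNumericRefs(href) {
  const out = [];
  const re = /&#(?:x([0-9a-f]+)|([0-9]+));?/gi;
  let last = 0, m;
  while ((m = re.exec(href)) !== null) {
    for (const ch of href.slice(last, m.index)) out.push(ch.codePointAt(0));
    out.push(m[1] !== undefined ? parseInt(m[1], 16) : parseInt(m[2], 10));
    last = re.lastIndex;
  }
  for (const ch of href.slice(last)) out.push(ch.codePointAt(0));
  return out;
}

const isSchemeChar = (cp) =>
  (cp >= 0x30 && cp <= 0x39) || (cp >= 0x41 && cp <= 0x5a) ||
  (cp >= 0x61 && cp <= 0x7a) || cp === 0x2b || cp === 0x2d || cp === 0x2e;
// Characters the results above show being silently dropped from the scheme:
// UTF-16 surrogates (Firefox), C0 controls/space and NBSP (Opera).
const isKnownIgnored = (cp) =>
  (cp >= 0xd800 && cp <= 0xdfff) || cp <= 0x20 || cp === 0xa0;

// Returns { verdict, scheme }. Verdicts: relative, allowed, blocked,
// script (scheme spells "javascript" once ignored chars are dropped),
// suspicious (unexpected code points before the colon; Opera's list above
// shows the ignored set cannot be enumerated, so reject instead of guessing).
function classifyHref(href) {
  const cps = decodeNumericRefs(href);
  const colon = cps.indexOf(0x3a);
  const head = colon === -1 ? [] : cps.slice(0, colon);
  if (colon === -1 || head.some((cp) => cp === 0x2f || cp === 0x3f || cp === 0x23)) {
    return { verdict: "relative", scheme: null };
  }
  const kept = []; let dropped = 0;
  for (const cp of head) {
    if (isSchemeChar(cp)) kept.push(String.fromCodePoint(cp));
    else if (isKnownIgnored(cp)) dropped++;
    else return { verdict: "suspicious", scheme: null };
  }
  const scheme = kept.join("").toLowerCase();
  if (scheme === "javascript") return { verdict: "script", scheme };
  if (dropped > 0) return { verdict: "suspicious", scheme };
  return { verdict: SAFE_SCHEMES.has(scheme) ? "allowed" : "blocked", scheme };
}
```

Run against the vectors in the post, the Firefox surrogate and Opera NBSP links come back as `script`, while `javascript&#2048:` is flagged `suspicious` because U+0800 is not in any known-ignored set.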


Comments 10

  1. Mikael Gueck wrote:

    Could you make the vectors.xml file downloadable with wget, please?

    Posted 01 Jul 2008 at 5:13 am
  2. Gareth Heyes wrote:

    Easy, spoof the user agent, e.g.

    curl -A 'Internet Explorer' http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/vectors.xml

    Posted 01 Jul 2008 at 9:07 am
  3. Mikael Gueck wrote:

    Certainly, but you have to spoof the referer as well.

    Posted 02 Jul 2008 at 3:29 am
  4. Gareth Heyes wrote:

    @Mikael

    I see your point, you now should be able to download the file with wget without spoofing.

    Posted 02 Jul 2008 at 8:40 am
  5. Chris Weber wrote:

    Gareth, I think we’ve been doing some similar testing in this area; it might be nice to chat sometime. I’ve got some other interesting results in all the browsers as well. Are you planning to be in Redmond sometime before Bluehat?

    Posted 07 Sep 2008 at 3:54 am
  6. Gareth Heyes wrote:

    Hey Chris, awesome blog! I’ve bookmarked it :) I’m from the UK so getting to Redmond before Bluehat would be difficult; however, I might have time just before or after.

    Posted 07 Sep 2008 at 6:16 pm
  7. Chris Weber wrote:

    Very interesting Gareth - the stuff in Firefox is the entire UTF-16 surrogate range U+DC00 to U+DFFF. Surrogates have no meaning in UTF-8 so this is weird - were you using a meta tag or HTTP header to set charset=utf-8 in your testing?

    The Opera stuff makes no sense at all to me :) Haha, wow, these code points don’t have anything in common in terms of Unicode general categories or binary properties.

    Did you see my post about whitespace in Opera?

    http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/

    I haven’t tried out your Opera links but plan to see if I can figure out what’s going on there.

    Posted 18 Sep 2008 at 12:01 am
  8. Gareth Heyes wrote:

    @Chris

    That’s a good point, I’ve not even tried fuzzing with different charsets; at the moment it isn’t specified. I may include this option.

    Yeah, I’ve seen your post about that; it’s similar to the direction reversal chars Mario found when implementing PHPIDS.

    I’ve not tried the latest version of Opera; they could have been fixed because it’s been quite a while.

    Posted 18 Sep 2008 at 7:26 am
  9. Gareth Heyes wrote:

    And as if by magic the fuzzer now contains charsets:-

    http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.php?charset=UTF-8

    Posted 18 Sep 2008 at 7:48 am
  10. Gareth Heyes wrote:

    Opera now has more :D in the latest version:-
    http://www.thespanner.co.uk/2008/09/18/javascript-protocol-fuzzer-and-opera/

    Posted 18 Sep 2008 at 8:23 am
