Monday, June 30th, 2008

JavaScript Protocol Fuzzer

Category: JavaScript, Testing

Gareth Heyes has written a JavaScript protocol fuzzer which has the goal of “producing every variation of javascript execution from links.”

If you check out the demo you see all of the options available to fuzz:

Number of characters – This inserts between 1 and 10 characters in the chosen position

Character position – The string position of the characters chosen. E.g. if you choose “0” then the “j” will be replaced or appended.

Replace character – Simply replaces the character rather than add characters to the position.

Url encode – Urlencodes the vector before outputting the link.

HTML hex entity encode – Instead of outputting the character, it uses the HTML hex entity instead.

HTML dec entity encode – Instead of outputting the character, it uses the HTML decimal entity instead.

Semi-colons – Adds a semi-colon if HTML entities are used.

Random zero fill – Adds a bunch of random zeros if entities are used.

Start from – The starting character for the fuzz. E.g. “0” is null.

He has also found interesting results in various browsers, such as jav�ascript: working (the inserted character being &#56325, as in the vector below), meaning that this would work:

  <a href="jav&#56325ascript:al&#56325ert(1)">test</a>

Posted by Dion Almaer at 11:07 am


I don’t get it.

Comment by eyelidlessness — June 30, 2008

I feel a bit silly for saying this but… I have no idea what this is about. What the heck is fuzzing? Is that what the kids do to get high, nowadays?

Comment by JohnDeHope3 — June 30, 2008

Hmm — some bit of British slang we yanks aren’t quite getting???

Comment by mdmadph — June 30, 2008

I don’t think anybody actually cares about this =/

Comment by V1 — June 30, 2008

I think this is extremely valuable work, or it will be if Gareth can boil down his results into a new list of XSS vulnerabilities. Once that list has been identified, the community can then create code that can prevent these vulnerabilities from being exploited.

Comment by MorganRoderick — June 30, 2008

I still don’t get it. I read this earlier and I was too embarrassed to say what eyelidlessness said.

I’m convinced this is great work, but I had an easier time with Einstein’s General Relativity paper.

Comment by Nosredna — June 30, 2008

I second Nosredna’s post.

What is this about?

Comment by SkaveRat — June 30, 2008

Guys, this is a tool to evaluate XSS vulnerabilities.
Take a look at the vectors xml here. It contains all the ways you can sneak javascript into a page without using the term “javascript”.

Comment by PaulIrish — June 30, 2008

Thanks for clearing that up. It definitely isn’t clear from the description. For instance, why would one want to “producing every variation of javascript execution from links”? Clearly no one knew what a “fuzzer” was either. And with those things in mind, the rest of the post became basically meaningless. It doesn’t help that nothing in this post nor the linked post contains the strings “xss” or “cross[- ]site script”.
Wouldn’t it be wiser to have a whitelist than a blacklist? For instance, the following protocols are allowed, everything gets stripped: https?|ftp. You can add protocols from there as you decide they’re safe.

Comment by eyelidlessness — June 30, 2008

That should say: “everything else gets stripped”.

Comment by eyelidlessness — June 30, 2008
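The post's option list enumerates the ways a link can hide “javascript:” from a naive filter (hex and decimal entities, optional semicolons, zero padding, inserted characters, URL encoding), and eyelidlessness suggests a scheme whitelist instead of a blacklist. The following is an added defender-side example, not code from the post or from Gareth Heyes' fuzzer; the function names and the http/https/ftp whitelist are assumptions taken from the comment above.

```javascript
// Added example: canonicalise a link's href the way a lenient browser might,
// then allow only a short whitelist of schemes (taken from the comment above).
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp"]);

// Decode HTML numeric character references. The trailing semicolon is
// optional and leading zeros are accepted, matching the fuzzer's
// "Semi-colons" and "Random zero fill" options.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Percent-decode without throwing on malformed input (the fuzzer's "Url
// encode" option); a value that cannot be decoded is left as-is.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return the scheme a lenient browser would see, or null for a relative URL
// (no colon, or a "/", "?" or "#" before the first colon). Characters that
// can never be part of a scheme are dropped, so "jav\uDC05ascript",
// "ja\tvascript" and "jav&#56325ascript" all canonicalise to "javascript".
function canonicalScheme(href) {
  const decoded = percentDecode(decodeNumericEntities(href));
  const colon = decoded.indexOf(":");
  if (colon < 0) return null;
  const head = decoded.slice(0, colon);
  if (/[\/?#]/.test(head)) return null;
  return head.replace(/[^a-z0-9+.-]/gi, "").toLowerCase();
}

// Whitelist check: relative URLs and whitelisted schemes pass, everything
// else (including any disguised spelling of javascript:) fails.
function isAllowedHref(href) {
  const scheme = canonicalScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample hrefs; the first is the vector quoted in the post.
const samples = [
  'jav&#56325ascript:al&#56325ert(1)',
  '&#x6A;avascript&#0000058alert(1)',
  'https://example.com/?next=javascript:1',
  '/relative/path',
];
for (const h of samples) console.log(JSON.stringify(h), "->", isAllowedHref(h));
```

The check errs toward rejecting: an unusual but harmless href may fail, while a disguised scheme cannot pass by hiding characters the browser would ignore.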

I think it is the misleading name. With such a Web 2.0 name as “Fuzzer” everyone thinks it will be the next jQuery. I think Jesse invented this first, right?

Comment by Jordan1 — July 1, 2008
