Monday, June 30th, 2008
JavaScript Protocol Fuzzer
Gareth Heyes has written a JavaScript protocol fuzzer which has the goal of "producing every variation of javascript execution from links."
If you check out the demo you see all of the options available to fuzz:
Number of characters - This inserts between 1 and 10 characters in the chosen position
Character position - The string position of the characters chosen. E.g. if you choose "0" then the "j" will be replaced or appended.
Replace character - Simply replaces the character rather than add characters to the position.
Url encode - Urlencodes the vector before outputting the link.
HTML hex entity encode - Instead of outputting the character, it uses the HTML hex entity instead.
HTML dec entity encode - Instead of outputting the character, it uses the HTML decimal entity instead.
Semi-colons - Adds a semi-colon if HTML entities are used.
Random zero fill - Adds a bunch of random zeros if entities are used.
Start from - Is the starting character to begin the fuzz. E.g. "0" is null
He has also found interesting results in various browsers, such as javascript: still working with extra characters inserted into it (shown as � below), meaning that this would work:
<a href="jav�ascript:al�ert(1)">test</a>
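As an added example (not the fuzzer's own code, nor from the original post), here is a link-target check that undoes the encodings the options above describe (HTML hex and decimal entities with optional semicolons and zero fill, URL encoding, inserted control characters) and then applies a protocol whitelist of the kind suggested in the comments; the function names and the https?|ftp allow-list are my own assumptions.

```javascript
// Added example: normalise an href the way a browser would before it decides
// on the scheme, then allow only known-safe schemes instead of blacklisting
// the string "javascript". Function names and the allow-list are assumptions.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'ftp']);

// Decode numeric HTML entities (&#x6A; / &#106;), tolerating a missing
// semicolon and any number of leading zeros ("Semi-colons", "Random zero fill").
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return cp > 0x10ffff ? '' : String.fromCodePoint(cp);
  });
}

// Percent-decode ("Url encode"), leaving malformed sequences untouched.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Drop ASCII control characters and whitespace (the nulls and tabs the fuzzer
// inserts at arbitrary positions) so they cannot hide the real scheme.
function stripControls(s) {
  return s.replace(/[\u0000-\u0020\u007f]/g, '');
}

function normaliseHref(href) {
  // Repeat entity and percent decoding until stable so nested encodings
  // (an entity hidden inside %-encoding, or vice versa) collapse.
  let prev;
  let cur = href;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    cur = percentDecode(decodeNumericEntities(cur));
  }
  return stripControls(cur).toLowerCase();
}

// The scheme a browser would most likely act on, or '' for a relative URL.
function effectiveScheme(href) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseHref(href));
  return m ? m[1] : '';
}

// Whitelist decision: relative links and allowed schemes pass, all else fails.
function isSafeHref(href) {
  const scheme = effectiveScheme(href);
  return scheme === '' || ALLOWED_SCHEMES.has(scheme);
}
```

The check is deliberately stricter than any one browser (it decodes more than browsers do before reading the scheme), which is the right direction for an allow-list: over-decoding can only reject more, never let more through.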
I don’t get it.
I feel a bit silly for saying this but… I have no idea what this is about. What the heck is fuzzing? Is that what the kids do to get high, nowadays?
Hmm — some bit of British slang we yanks aren’t quite getting???
*yawn*
I don’t think anybody actually cares about this =/
I think this is extremely valuable work, or it will be if Gareth can boil down his results into a new list of XSS vulnerabilities. Once that list has been identified, the community can then create code that can prevent these vulnerabilities from being exploited.
I still don’t get it. I read this earlier and I was too embarrassed to say what eyelidlessness said.
I’m convinced this is great work, but I had an easier time with Einstein’s General Relativity paper.
I second Nosrenda’s post.
what is this about?
Guys, this is a tool to evaluate XSS vulnerabilities.
Take a look at the vectors xml here. It contains all the ways you can sneak javascript into a page without using the term “javascript”.
@PaulIrish:
Thanks for clearing that up. It definitely isn’t clear from the description. For instance, why would one want to “producing every variation of javascript execution from links”? Clearly no one knew what a “fuzzer” was either. And with those things in mind, the rest of the post became basically meaningless. It doesn’t help that nothing in this post nor the linked post contains the strings “xss” or “cross[- ]site script”.
Wouldn’t it be wiser to have a whitelist than a blacklist? For instance, the following protocols are allowed, everything gets stripped: https?|ftp. You can add protocols from there as you decide they’re safe.
That should say: “everything else gets stripped”.
I think it is the misleading name. With such a Web 2.0 name as “Fuzzer” everyone thinks it will be the next jQuery. I think Jesse invented this first, right?