1712170307

Fuzzing JavaScript URLs


My approach to fuzzing has changed with modern browsers: I use innerHTML and DOM properties now. You have to use both because they follow different code paths and produce different results. Let’s say we want to fuzz JavaScript URLs in a modern browser. The first way is to use the DOM:

```js
const log = [];
const anchor = document.createElement('a');
// Place every Unicode code point between "javascript" and ":"
for (let i = 0; i <= 0x10ffff; i++) {
  anchor.href = `javascript${String.fromCodePoint(i)}:`;
  // The parsed protocol shows whether this is still a JavaScript URL
  if (anchor.protocol === 'javascript:') {
    log.push(i);
  }
}
console.log(log); // 9,10,13,58
```

Let’s break down this rather simple code. First we create an array and an anchor, then we loop through all possible Unicode code points (there are over 1,000,000). We assign the href, inserting our code point with the String.fromCodePoint function, and we place the character(s) after the javascript string. The protocol property is used to check whether the generated link actually uses the JavaScript protocol. Quite astonishingly, if you are old like me and remember when this sort of thing would just DoS the browser, the browser will complete the operation in seconds.

Now to fuzz other parts of the href we simply need to move the placeholder. Shall we fuzz the start of the JavaScript string? Change the placeholder to:

```js
anchor.href = `${String.fromCodePoint(i)}javascript:`;
```

When running that code again we get different results:

0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32

A lot more characters. Notice the NULL at the start (char code 0 is NULL when expressed as a character); this is specific to the DOM code path. It will not work when using it in regular HTML. This is why you have to fuzz both styles, DOM and innerHTML.

The first thing to do when you’ve done a fuzz operation and have some interesting results is to verify them. This is easy to do: you simply manually regenerate the DOM you fuzzed. So pick a code point at random and let’s generate the DOM code for it and click it to confirm it works:

```js
const anchor = document.createElement('a');
// Code point 12 (form feed) placed before the scheme
anchor.href = `${String.fromCodePoint(12)}javascript:alert(1337)`;
anchor.append('Click me');
document.body.append(anchor);
```

I picked code point 12 (form feed), created a JavaScript URL that calls alert, added some text to the anchor and finally added it to the body element. When clicking the link it should call alert, and now you’ve verified that your fuzz code actually works. Try experimenting with the different code points to ensure that it is working as intended. A couple of questions to ask yourself are “Can you use multiple characters?” or “Can you use multiple characters at different positions?”. I’ll leave it to you as an exercise to answer those questions.

If this post has interested you, and you want to know more about the subject, leave your comment here and I'll bring you more complete content.
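These results matter to anyone filtering links: a check that compares the raw attribute string misses the code points found above, while parsing the value first does not. The following is an added example, not code from the original post. It replays both placeholder positions in Node.js, using the WHATWG `URL` class as a stand-in for the anchor element; the function names, scheme allowlist and base URL are assumptions.

```javascript
// Added example for Node.js. Names, allowlist and base URL are hypothetical.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://example.invalid/'; // placeholder base for relative links

// Scheme as the WHATWG URL parser sees it, or null if parsing fails.
function parsedScheme(href) {
  try {
    return new URL(href, BASE).protocol;
  } catch {
    return null;
  }
}

// Weak check: string comparison on the raw attribute value.
function naiveIsSafe(href) {
  return !href.toLowerCase().startsWith('javascript:');
}

// Hardened check: parse first, then allowlist the resulting scheme.
function parsedIsSafe(href) {
  return SAFE_SCHEMES.has(parsedScheme(href));
}

// The two placeholder positions fuzzed in the post.
const atStart = (ch) => `${ch}javascript:`;
const afterWord = (ch) => `javascript${ch}:`;

// Code points where the URL parses as javascript: yet `check` accepts it.
// Scans the BMP by default to stay quick; pass 0x10ffff for every code point.
function missedBy(check, build, max = 0xffff) {
  const missed = [];
  for (let i = 0; i <= max; i++) {
    const href = build(String.fromCodePoint(i));
    if (parsedScheme(href) === 'javascript:' && check(href)) missed.push(i);
  }
  return missed;
}

console.log('naive, at start:  ', missedBy(naiveIsSafe, atStart).join(','));
console.log('naive, after word:', missedBy(naiveIsSafe, afterWord).join(','));
console.log('parsed, at start:  ', missedBy(parsedIsSafe, atStart).length);
console.log('parsed, after word:', missedBy(parsedIsSafe, afterWord).length);
```

Code point 58 is absent from the naive check's second list because `javascript::` still begins with the literal string it looks for.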
