Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Opera strange onerror execution
Posted by: W4yne
Date: April 28, 2012 02:54AM

Hey, after finding out that this executes:
<img src="x" ="_=" title="onerror='alert(1)'">

I tried to find values before the =, which still execute the onerror event.
After using the whole Unicode range, I found out that Opera executes the onerror
with certain Unicode characters.
BUT the Unicode characters which work change from time to time and from machine to machine. Additionally, it works only if there are additional <img> objects; they don't work with just one img object.
Here is a test page; it's the Unicode range from 1048576 - 1114111 (in decimal).
In this range only one alert gets triggered.

http://akjor.bplaced.net/fuzzer-1114112.html

In the alert box is the decimal value of the used unicode char.
Maybe you can help me to understand why this is happening.

W4yne

BTW: Tested on Opera 11.62, Firefox 12 (which freezes when loading the page) and IExplorer. Chrome is not tested yet.

Knowledge cannot be obtained by belief.
