Wednesday, November 29, 2006

SCRIPT tag JavaScript error message suppression

While researching different hacks and attack/defense techniques, it’s common to uncover odd behavior in software, especially in web browsers. I’ve also found various oddities point me in the direction of vulnerabilities or sometimes tricks that become useful as part of another hack. Anyway, here’s some strangeness in Firefox that others might find interesting.

Use a SCRIPT tag to SRC in any invalid file type, like an image.

<script src="1.jpg"></script>

To suppress the error message, use a type attribute with any value:

<script src="1.jpg" type="put_anything_here"></script>

How is this useful? I don't know, but it's weird, eh?

More to come.
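
For anyone reviewing markup for the two tag forms shown above, a small audit function can flag external SCRIPT tags whose src has a non-script extension or whose type is not a JavaScript MIME type. This is an added example, not code from the original post; the function names, the type and extension lists, and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag <script src=...> tags like the two shown in the post.
// JS_TYPES and SCRIPT_EXTENSIONS are assumed allow-lists chosen for this sketch.
const JS_TYPES = new Set(["", "module", "text/javascript", "application/javascript",
  "application/x-javascript", "text/ecmascript", "application/ecmascript"]);
const SCRIPT_EXTENSIONS = new Set(["js", "mjs"]);

// Pull name="value", name='value' and name=value attributes out of a start tag.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per external script tag that looks like a non-script load.
function auditScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!("src" in attrs)) continue; // inline scripts are out of scope here
    const path = attrs.src.split(/[?#]/)[0];
    const dot = path.lastIndexOf(".");
    const ext = dot > path.lastIndexOf("/") ? path.slice(dot + 1).toLowerCase() : "";
    const type = (attrs.type || "").trim().toLowerCase();
    const reasons = [];
    if (ext && !SCRIPT_EXTENSIONS.has(ext)) reasons.push("non-script-extension");
    if (!JS_TYPES.has(type)) reasons.push("unrecognized-type");
    if (reasons.length) findings.push({ src: attrs.src, type, reasons });
  }
  return findings;
}

// Constructed sample markup: two ordinary loads, the two tags from the post, one inline script.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="1.jpg"></script>
<script src="1.jpg" type="put_anything_here"></script>
<script type="text/javascript" src='/js/site.js?v=3'></script>
<script>var inline = 1;</script>
`;

console.log(auditScriptTags(SAMPLE_HTML));
```
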

3 comments:

pdp said...

This comment has been removed by the author.

pdp said...

Actually this is very useful when used with the script scan technique presented in AttackAPI. In AttackAPI 2.0 the function that performs this task is called csrhr.

The problem with this function is that when you load a non-script resource as a script, JavaScript will trigger an error - the user may get suspicious, especially when this is repeated more than 100 times. Firebug will display the number of errors in the task bar, which makes the process even more suspicious.

This technique will make csrhr perform stealth SCRIPT requests. This is a pretty good hack. The only problem is that Mozilla will fix that in the next update I guess.

Jeremiah Grossman said...

> This technique will make csrhr perform stealth SCRIPT requests. This is a pretty good hack.

AHA! I had a sneaking suspicion that it might be good for something, thanks for posting!

> The only problem is that Mozilla will fix that in the next update I guess.

Hehe, I don't think they've fixed anything I've talked about or asked for in years. :)