Thursday, September 6, 2012

Universal XSS in Opera


After Opera patched this nice bug, I will summarize how it was triggered.

You had to put 65535 characters before a 3- or 4-byte Unicode character. Additionally, the charset of the document had to be UTF-8, which it is most of the time.
In this situation Opera dropped the Unicode character.

An example:

<65530 characters><img %unicode sign%=" onerror=alert(1)//" src="x">

This showed an alert in Opera, because it ended up like this:
<img =" onerror=alert(1)//" src="x">
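The post does not name the root cause, so the following added example (not from the original post) assumes the usual mechanism behind this kind of bug: a decoder that processes the document in fixed 64 KiB buffers and discards the pieces of a multi-byte UTF-8 sequence that straddles a buffer boundary. With the post's 65530-character prefix plus the five bytes of "<img ", a 3-byte character ('€', chosen here as the constructed marker) starts at byte 65535 and is split across the boundary; a per-buffer decoder loses it, while an incremental decoder that carries partial sequences over to the next buffer keeps it.

```python
import codecs

# Assumed buffer size; the post only gives the 65535-character offset.
CHUNK = 64 * 1024

# Constructed marker: U+20AC encodes to the 3 bytes E2 82 AC in UTF-8.
MARKER = "\u20ac"


def build_doc(prefix_len: int) -> bytes:
    """Constructed document in the shape of the post's example: filler,
    then an <img> tag whose first attribute name is a 3-byte character."""
    html = "A" * prefix_len + "<img " + MARKER + '=" onerror=alert(1)//" src="x">'
    return html.encode("utf-8")


def decode_per_buffer(data: bytes) -> str:
    """Faulty approach: every buffer is decoded on its own, and bytes that
    do not form a complete sequence inside that buffer are silently dropped.
    A lead byte at the end of one buffer and its continuation bytes at the
    start of the next are both discarded, so the character vanishes."""
    return "".join(
        data[i:i + CHUNK].decode("utf-8", errors="ignore")
        for i in range(0, len(data), CHUNK)
    )


def decode_incremental(data: bytes) -> str:
    """Correct approach: an incremental decoder buffers an incomplete
    sequence and finishes it with the bytes of the following buffer."""
    dec = codecs.getincrementaldecoder("utf-8")()
    parts = [dec.decode(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]
    parts.append(dec.decode(b"", final=True))  # flush; raises on a truncated tail
    return "".join(parts)


def tag_after_decoding(decoder, prefix_len: int) -> str:
    """Return the <img> tag as the given decoder reconstructs it."""
    return decoder(build_doc(prefix_len))[prefix_len:]


if __name__ == "__main__":
    # 65530 + len("<img ") == 65535, so the marker straddles byte 65536.
    print(tag_after_decoding(decode_per_buffer, 65530))
    print(tag_after_decoding(decode_incremental, 65530))
```

The first line printed is the attribute-less tag the post shows; the second keeps the character, so the attribute name is still "€" and the quote never becomes part of an event-handler attribute.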