Difference between browser-supported handlers and Shazzer 'all_browser_events' list

The shazzer's 'all_browser_events' list is compared with the event handler set from within the window, document.body and document objects combined. Result is missing events within the shazzer's 'all_browser_events' list.

Created byhansmach1ne

Created Jan 5, 2025

Updated May 27, 2025

Detecting browser...

CategoryXSS Execution

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderall_browser_events

Code used before fuzz:

function listAllEventHandlers() {0x0D
    const allHandlers = new Set();0x0D
    const objects = [document.body, document, window];0x0D
    objects.forEach(obj => {0x0D
        for (const prop in obj) {0x0D
            if (prop.startsWith('on')) {0x0D
                allHandlers.add(prop);0x0D
            }0x0D
        }0x0D
    });0x0D
    return Array.from(allHandlers).sort();0x0D
}0x0D
allBodyHandlers = listAllEventHandlers();0x0D
0x0D
console.log("window, document and document.body contain " + allBodyHandlers .length + " handlers")0x0D
0x0D
const shazzerEvents  = new Set();

Template used:

shazzerEvents.add('$[data1]');

Code used after fuzz:

console.log("Shazzer 'all_browser_events' contains " + shazzerEvents.size + " events");0x0D
0x0D
function missingHandlers() {0x0D
const out = new Set();0x0D
    for(let handler of allBodyHandlers) {0x0D
        if (!shazzerEvents.has(handler)) {0x0D
            out.add(handler);0x0D
        }0x0D
    }0x0D
return out;0x0D
}0x0D
0x0D
for(let handler of missingHandlers()){0x0D
   log(handler);0x0D
}

Sample payloads

shazzerEvents.add('oncommand');

Difference between browser-supported handlers and Shazzer 'all_browser_events' list

Sample payloads

Fuzz results

Distributed Fuzzing