Published 18 years 5 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
I've been working on my Hackvertor script to include XSS fuzzing which isn't ready yet but I thought you might be interested in a few interesting results I've found :)
First off I'm sure you know you can use XSS in a img object yeah? Well did you know there's also a image object as well? It can be used like this:-
<pre lang="javascript"> <image src="" onerror="alert(/XSS/)" /> </pre>Pretty neat eh? It may get round some XSS filters. It's not in RSnake's cheatsheet after a quick check.
Next up you can even inject Javascript into paragraph tags or obscure html tags like the following:-
<pre lang="javascript"> <p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p> </pre>Or what about this:-
<pre lang="javascript"> <var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var> </pre>Many other tags are supported using this method. That is all for now I hope you enjoyed this little post, I shall release my fuzzing research once the features have been completed in Hackvertor.