HTML5 XSS
Friday, 20 March 2009
I did a couple of vectors for PHPIDS recently while experimenting with Firefox 3.1 beta and the new HTML5 tags. I found that the audio and video tags could be used for XSS; I’m sure there are others too. The vectors are quite cool because they’re executed automatically within an onload/onerror event. (Originally the onload event worked with an invalid video.)
Here are the vectors, simplified:-
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>
Check out the phpids group on sla.ckers if you want to see the wacky versions that bypass the filtering. I use setTimeout and some JS tricks to beat it.
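As an added example (my own code, not from the post or from PHPIDS), here is the filter-design lesson behind these vectors, using Python's standard html.parser: a hypothetical pre-HTML5 tag blacklist lets the video/audio vectors straight through, while an allowlist sanitizer that keeps only known tags and attributes drops every on* handler whatever the tag. The tag list, attribute lists and URL schemes it allows are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the two vectors from the post.
VECTORS = ['<video src=1 onerror=alert(1)>', '<audio src=1 onerror=alert(1)>']

# Hypothetical pre-HTML5 tag blacklist (not PHPIDS): it knows <img> and
# <script> but not that <video>/<audio> fire handlers on their own.
TAG_BLACKLIST = {"script", "img", "iframe", "object", "embed"}

def blacklist_blocks(fragment):
    return any("<" + t in fragment.lower() for t in TAG_BLACKLIST)

class AllowlistSanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags are dropped and only the listed
    attributes survive per tag, so no on* handler can reach the output."""
    ALLOWED = {"b": set(), "a": {"href"}, "video": {"src", "controls"}, "audio": {"src", "controls"}}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        allowed = self.ALLOWED.get(tag)
        if allowed is None:
            return  # tag not on the allowlist: drop it entirely
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            # URL attributes are allowlisted by scheme too (relative or http(s) only)
            if name in allowed and (name not in ("src", "href") or
                    value.lower().startswith(("http://", "https://", "/"))):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def check_vectors():  # (blacklist verdict, allowlist output) per vector
    return {v: (blacklist_blocks(v), sanitize(v)) for v in VECTORS}
```

Running check_vectors() shows the blacklist passing both vectors untouched, while the allowlist reduces each to a bare, handler-free tag.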
No. 1 — March 21st, 2009 at 2:14 pm
it is nice.
and you can have a look here :)
http://hi.baidu.com/aullik5/blog/item/0a4af8f3431ab21bb07ec57a.html
No. 2 — March 21st, 2009 at 3:26 pm
@cosine
cool thanks!
No. 3 — March 23rd, 2009 at 3:12 am
Isn’t that the same as:
<img src=1 onerror=alert(1)>
…?
No. 4 — March 23rd, 2009 at 9:34 am
@Ian
It’s a new tag to execute automatically, this could be XSS filters that use a blacklist of HTML tags but even so there are new event handlers pointed out by cosine:-
<video src="somevalidvideo" onloadedmetadata="alert(document.cookie);" ondurationchanged="alert(/XSS2/);" ontimeupdate="alert(/XSS1/);"></video>
No. 5 — March 27th, 2009 at 12:03 pm
Both seem to rely on blacklists being used, which are a pretty bad idea for exactly this reason.
No. 6 — April 29th, 2009 at 2:47 am
@cosine
thanks for the Chinese version lol