HTML5 XSS

I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found that the audio and video tags could be used for XSS; I’m sure there are others too. The vectors are quite cool because they’re executed automatically within an onload or onerror event. (Originally the onload event worked with an invalid video.)

Here are the vectors simplified:-

<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>

Check out the phpids group on sla.ckers if you want to see the wacky versions which bypass the filtering; I use setTimeout and some JS tricks to beat it.

6 Responses to “HTML5 XSS”

  1. cosine writes:

    It is nice.
    And you can have a look here :)
    http://hi.baidu.com/aullik5/blog/item/0a4af8f3431ab21bb07ec57a.html

  2. Gareth Heyes writes:

    @cosine

    cool thanks!

  3. Ian Hickson writes:

    Isn’t that the same as:

    <img src=1 onerror=alert(1)>

    …?

  4. Gareth Heyes writes:

    @Ian

    It’s a new tag to execute automatically, this could be XSS filters that use a blacklist of HTML tags but even so there are new event handlers pointed out by cosine:-

    <video src="somevalidvideo" onloadedmetadata="alert(document.cookie);" ondurationchanged="alert(/XSS2/);" ontimeupdate="alert(/XSS1/);"></video>

  5. Anne van Kesteren writes:

    Both seem to rely on blacklists being used, which are a pretty bad idea for exactly this reason.

  6. eric su writes:

    @cosine
    thanks for the Chinese version lol