HTML5 XSS

I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS, and I'm sure there are others too. The vectors are quite cool because they execute automatically from an onload or onerror event handler, so no user interaction is needed to trigger them. (Originally the onload event worked with an invalid video.)

Here are the vectors, simplified (src=1 points at a resource that won't load, so the onerror handler fires on its own):

<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>

Check out the phpids group on sla.ckers if you want to see the wacky versions that bypass the filtering. I use setTimeout and some JS tricks to beat it.
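The comments below get at why these vectors matter: a filter that blocks known-bad tag names (img, script, iframe and so on) has never heard of video or audio, while a filter that allows only known-good tags and attributes never needs to know about them. The following JavaScript is an added example, not code from the original post or from PHPIDS, that runs the vectors from this page through both kinds of filter under Node. The BAD_TAGS and ALLOWED lists, the VECTORS array and the regex tokenizer are assumptions made for illustration; regex-based HTML handling like this is not a production sanitizer, which should be built on a real HTML parser with an allowlist.

```javascript
// Added example (not from the original post): a tag blacklist versus a
// tag/attribute allowlist, run over the XSS vectors discussed on the page.
// The lists and the minimal regex tokenizer are illustrative assumptions.

// Constructed inputs: the two vectors from the post, Ian's img comparison,
// and the valid-source media vector with the extra HTML5 event handlers.
const VECTORS = [
  '<video src=1 onerror=alert(1)>',
  '<audio src=1 onerror=alert(1)>',
  '<img src=1 onerror=alert(1)>',
  '<video src="somevalidvideo" onloadedmetadata="alert(document.cookie)" ontimeupdate="alert(/XSS1/)"></video>',
];

// A 2009-style blacklist: strip tags whose *name* is on a known-bad list.
// video and audio are not on it, so they pass straight through.
const BAD_TAGS = new Set(['script', 'img', 'iframe', 'object', 'embed', 'body', 'svg']);

function blacklistFilter(html) {
  return html.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (tag, name) =>
    BAD_TAGS.has(name.toLowerCase()) ? '' : tag);
}

// An allowlist: keep only known-safe tags, and on them only known-safe
// attributes. Every on* handler, and every unknown tag, is dropped without
// the filter ever needing to know the handler or tag exists.
const ALLOWED = new Map([
  ['b', []], ['i', []], ['p', []], ['br', []], ['em', []], ['strong', []],
  ['a', ['href', 'title']],
]);

// name, then optionally ="double" | ='single' | unquoted
const ATTR_RE = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function allowlistFilter(html) {
  return html.replace(/<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi, (tag, slash, name, attrs) => {
    const lname = name.toLowerCase();
    const allowedAttrs = ALLOWED.get(lname);
    if (!allowedAttrs) return ''; // unknown tag (video, audio, img, ...) removed
    if (slash) return `</${lname}>`;
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const aname = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!allowedAttrs.includes(aname)) continue; // drops onerror, onclick, ...
      // href: only http(s) URLs, so javascript: and data: are rejected too.
      if (aname === 'href' && !/^https?:\/\//i.test(value)) continue;
      kept.push(`${aname}="${value.replace(/"/g, '&quot;')}"`);
    }
    return kept.length ? `<${lname} ${kept.join(' ')}>` : `<${lname}>`;
  });
}

// Does the filtered output still carry an inline event handler attribute?
function hasEventHandler(html) {
  return /<[^>]*\bon[a-z]+\s*=/i.test(html);
}

// One boolean per vector: true means the handler survived the filter.
function evaluate(filter) {
  return VECTORS.map((v) => hasEventHandler(filter(v)));
}

console.log('blacklist survivors:', evaluate(blacklistFilter));
console.log('allowlist survivors:', evaluate(allowlistFilter));
```

Running it shows the blacklist catching only the img vector while the video and audio ones keep their onerror handlers, and the allowlist catching all four; the allowlist also strips a javascript: href and an onclick from an otherwise permitted <a> tag, which is the property Anne's comment is asking for.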

Comments 6

  1. cosine wrote:

    It is nice.
    And you can have a look here :)
    http://hi.baidu.com/aullik5/blog/item/0a4af8f3431ab21bb07ec57a.html

    Posted 21 Mar 2009 at 2:14 pm
  2. Gareth Heyes wrote:

    @cosine

    cool thanks!

    Posted 21 Mar 2009 at 3:26 pm
  3. Ian Hickson wrote:

    Isn’t that the same as:

    <img src=1 onerror=alert(1)>

    …?

    Posted 23 Mar 2009 at 3:12 am
  4. Gareth Heyes wrote:

    @Ian

    It's a new tag that executes automatically; this could bypass XSS filters that use a blacklist of HTML tags, but even so there are new event handlers pointed out by cosine:

    <video src="somevalidvideo" onloadedmetadata="alert(document.cookie);" ondurationchange="alert(/XSS2/);" ontimeupdate="alert(/XSS1/);"></video>

    Posted 23 Mar 2009 at 9:34 am
  5. Anne van Kesteren wrote:

    Both seem to rely on blacklists being used, which are a pretty bad idea for exactly this reason.

    Posted 27 Mar 2009 at 12:03 pm
  6. eric su wrote:

    @cosine
    thanks for the Chinese version lol

    Posted 29 Apr 2009 at 2:47 am
