Friday, 20 March 2009
I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS, I’m sure there are others too. The vectors are quite cool because they’re executed automatically within a
onload onerror event. (Originally the onload event worked with a invalid video)
Here are the vectors simplfied:-
<video src=1 onerror=alert(1)> <audio src=1 onerror=alert(1)>
Check out the phpids group on sla.ckers if you want to see the wacky versions which bypass the filtering. I use setTimeout and some js tricks to beat it.