The new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:
- A collection of HTML5 related XSS attack vectors
- A set of useful files for XSS testing
- A set of formerly hidden features useful for XSS testing
The XSS Vectors
The collection of XSS vectors can be found here: https://html5sec.org/
Useful Files
We published a list of files useful for XSS testing in various situations. Currently the following files are available:
- https://html5sec.org/test.asf
- https://html5sec.org/test.avi
- https://html5sec.org/test.css
- https://html5sec.org/test.dtd
- https://html5sec.org/test.eml
- https://html5sec.org/test.evt
- https://html5sec.org/test.gif
- https://html5sec.org/test.hlp
- https://html5sec.org/test.hta
- https://html5sec.org/test.htc
- https://html5sec.org/test.html
- https://html5sec.org/test.jar
- https://html5sec.org/test.js
- https://html5sec.org/test.json
- https://html5sec.org/test.mpeg
- https://html5sec.org/test.pdf
- https://html5sec.org/test.sct
- https://html5sec.org/test.svg
- https://html5sec.org/test.swf
- https://html5sec.org/test.vbs
- https://html5sec.org/test.vml
- https://html5sec.org/test.wbxml
- https://html5sec.org/test.xbl
- https://html5sec.org/test.xdr
- https://html5sec.org/test.xml
- https://html5sec.org/test.xsl
- https://html5sec.org/test.xxe
- https://html5sec.org/test.zip
- https://html5sec.org/Test.class
Pull requests welcome, we store the files in the
/attachments sub-folder.Hidden Features
The H5SC currently has three "hidden" features
- An RSS mode to test feed readers: https://html5sec.org/rss
/rss/+/gives a unix timestamp 300 seconds in future (for ease use)/rss/+123/gives a unix timestamp 123 seconds in future/rss/1234/will serve a minimal rss feed until unix time is 1234.
- A JavaScript function to return all vectors as string, isolated and numbered: Go here and execute
vectors() - All H5SC vectors in one text file for easy copy & paste
- A useful search API via GET
- Want all vectors related to
innerHTML? Open https://html5sec.org/?innerHTML - Want to link a specific vector? Open https://html5sec.org/#123
- Want all vectors related to
- A redirect API resolving to a URL containing XSS payload
- Data URI, no special status: https://html5sec.org/r/data/
- Data URI, status code
307: https://html5sec.org/r/data/307 - JavaScript URI, status code
301: https://html5sec.org/r/javascript/301 - Supported status codes are:
301,302,303,307,308,999 - Supported schemes are:
data,javascript,jar,script(redirecting tohttps://html5sec.org/%3cscript>alert(1)%3c/script>/)
How to use :
Vectors making use of HTML5 features
XSS via formaction - requiring user interaction (1)#1test
A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes. Avoid "id" attributes for forms as well as submit buttons.
- Firefox 4.0
- Firefox Latest
- Opera 10.5
- Opera Latest
- Chrome 10.0
- Chrome Latest
- Safari 4.0.4
- Safari Latest
- Internet Explorer 10
- Internet Explorer Latest (Inside Form Element)
Self-executing focus event via autofocus#7test
This vector uses an input element with autofocus to call its own focus event handler - no user interaction required
<input onfocus=write(1) autofocus>
User submitted markup should not contain "autofocus" attributes.
- Firefox 4.0
- Firefox Latest
- Opera 9.0
- Opera Latest
- Safari 4.0
- Safari Latest
- Chrome 4.0
- Chrome Latest
- Internet Explorer 10.0
- Internet Explorer Latest
- http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control
more.....https://goo.gl/LCXmL4
Posts
