Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
HTML5 xss vectors
Posted by: Gareth Heyes
Date: December 07, 2009 10:53AM

I raised this issue with the w3 sec list but they don't see it as "increased attack surface" so that's pretty cool we have a new XSS vector that will work now in Safari, Chrome & Opera 10 and more in future.

http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: HTML5 xss vectors
Posted by: Kyo
Date: December 19, 2009 11:07AM

that's pretty cool, but I can understand their point of view. After all, this would not happen in a properly sanitized enviroment and DOM shouldn't have to fix bad code.

Options: ReplyQuote
Re: HTML5 xss vectors
Posted by: rvdh
Date: December 26, 2009 04:14PM

Yeh I can understand w3c's reviewers point too, it's not their job to sanitize badly written code is it.

Options: ReplyQuote
Re: HTML5 xss vectors
Posted by: Gareth Heyes
Date: December 29, 2009 05:11AM

Yeah I agree but it is introducing more ways to create XSS vectors, we should be trying to reduce them. This has an impact on XSS worms being able to propagate themselves automatically.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.