Unusual XSS vectors

I've been working on my Hackvertor script to include XSS fuzzing which isn't ready yet but I thought you might be interested in a few interesting results I've found :)

First off I'm sure you know you can use XSS in a img object yeah? Well did you know there's also a image object as well? It can be used like this:-

<pre lang="javascript"> &lt;image src="" onerror="alert(/XSS/)" /&gt; </pre>

Pretty neat eh? It may get round some XSS filters. It's not in RSnake's cheatsheet after a quick check.

Next up you can even inject Javascript into paragraph tags or obscure html tags like the following:-

<pre lang="javascript"> &lt;p onmouseover=alert(/XSS/)&gt;Some very long paragraph goes here.&lt;/p&gt; </pre>

Or what about this:-

<pre lang="javascript"> &lt;var onmouseover=alert(/XSS/)&gt;Some very long paragraph goes here.&lt;/var&gt; </pre>

Many other tags are supported using this method. That is all for now I hope you enjoyed this little post, I shall release my fuzzing research once the features have been completed in Hackvertor.