onreadystatechange

Author:

Gareth Heyes

Published: Wed, 08 Apr 2009 07:42:25 GMT

Updated: Sat, 22 Mar 2025 15:38:13 GMT

I like this event, it's pretty cool. The reason why it's interesting from a XSS perspective is that it is executed automatically without user interaction. This is rare in the XSS playground, usually you have to use onerror, onload or onfocus events and they only work in certain circumstances.

I'd better mention that the event is only relevant to Internet Explorer as far as I'm aware. If you know of any other browsers it works in then please leave a comment.

So which tags does it execute in? Well more than you first think. At first I could only get it to execute automatically with the iframe, script and style tags. But actually the img, image, input, isindex, iframe, script, style, xml and object tags all execute without user interaction.

Here are a list of vectors I found, notice the XML tag requires some content in order to execute, this can be accomplished without a closing tag or just some text. The object tag requires the type=image attribute. IMG, IMAGE, ISINDEX, INPUT all require a valid image loaded with the src attribute.

← Back to articles