New Html 5 XSS Vector’s By Gareth Heyes

Gareth Heyes is a great security guy, as you can also visit his blog The Spanner. The newly released HTML 5 is now under the eyes of hackers and it wasn't late that the New Xss vectors have been released by Gareth Heyes .

 

 

These New Xss vectors according to Gareth are automatic in major Web Browsers from Safari, Chrome to Opera all support them. And its a matter of fact that Gareth also featured them on twitter too.

 

The injection looks something like:-

<input type="text" USER_INPUT>

 

The new HTML 5 works on some other vectors and uses, but the great thing in there is that you don't need to bind your Xss into a css style in here. HTML5 however lets us execute like expressions but without css styles….

 

For example:-

 

<input type="text" AUTOFOCUS onfocus=alert(1)>

 

We use the “autofocus” feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. Any form based element it seems you can use this method:-

 

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>

 

Conclusion

This New Xss vectors majorly uses the onfocus HTML 5 expression to make the use of Xss on the major browsers using HTML 5 right now like Safari, Chrome, Opera, Might be Firefox too.