cure53 / h5sc Goto Github PK

View Code? Open in Web Editor NEW

2.8K 153.0 418.0 5.83 MB

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

Home Page: https://html5sec.org/

License: Mozilla Public License 2.0

CSS 0.81% HTML 0.85% JavaScript 97.39% XSLT 0.04% PHP 0.90% VBScript 0.01%

h5sc's Introduction

HTML5 Security Cheatsheet

This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:

A collection of HTML5 related XSS attack vectors
A set of useful files for XSS testing
A set of formerly hidden features useful for XSS testing

The XSS Vectors

The collection of XSS vectors can be found here: https://html5sec.org/

Useful Files

We published a list of files useful for XSS testing in various situations. Currently the following files are available:

Pull requests welcome, we store the files in the /attachments sub-folder.

Hidden Features

The H5SC currently has three "hidden" features

An RSS mode to test feed readers: https://html5sec.org/rss
/rss/+/ gives a unix timestamp 300 seconds in future (for ease use)
/rss/+123/ gives a unix timestamp 123 seconds in future
/rss/1234/ will serve a minimal rss feed until unix time is 1234.
A JavaScript function to return all vectors as string, isolated and numbered: Go here and execute vectors()
All H5SC vectors in one text file for easy copy & paste
A useful search API via GET
Want all vectors related to innerHTML? Open https://html5sec.org/?innerHTML
Want to link a specific vector? Open https://html5sec.org/#123
A redirect API resolving to a URL containing XSS payload
Data URI, no special status: https://html5sec.org/r/data/
Data URI, status code 307: https://html5sec.org/r/data/307
JavaScript URI, status code 301: https://html5sec.org/r/javascript/301
Supported status codes are: 301, 302, 303, 307, 308, 999
Supported schemes are: data, javascript, jar, script (redirecting to https://html5sec.org/%3cscript>alert(1)%3c/script>/)
More to come soon!

h5sc's People

Contributors

Stargazers

Watchers

Forkers

suto 17twenty lucabongiorni makash nkavanagh romanminkin clentdc wrightrocket braneed alecdhuse jimmyhchan hamnetdeui muhaha3 fuzzyroddis priestd09 fnord0 xzirrow disillumination bizworld ebpmp fxin bakerl amyweiner zyggit 95rangerxlt jmbmxer wheercool jordanmilne kirantemojo calckode shipcod3 noscripter zenseo wilhil the-st0rm bionicclick elitelinux ksmaheshkumar ideadapt iokto fbassanini markoarmitage te42fa beefcrack cyberscions tunelko rayrc iarnaud qinwentu oi-buhtig dipsec fr34k8 withdrawn osandamalith solidstorm nahidupa ziv0chou z0x010 emilyanncr f00bar10 0xshyam dhamuharker blacksdawn benhayak atiqaht 19anand90 cyber-forensic rkunnamp zephrfish fooying crudbug sevck wghozayel terryx tzubal instruder matool13 0x13337 secforks tryusegit puppycodes aipengjie prestonkt alessandraurso bospetersen nangal security-prince velespr0 exploitprotocol solertis 3453-315h 0xr0ot olivierh59500 zicai dit81 acmo21 kaiserfarrell blueroutecn wtest 5up3rc

h5sc's Issues

/rss/ is partially broken

https://html5sec.org/rss/ works but...

Not Found

The requested URL /rss/+ was not found on this server.

Not Found

The requested URL /rss/+1234/ was not found on this server.

Not Found

The requested URL /rss/1234/ was not found on this server.

/rss/.htaccess hasn't changed and I would have thought it was an AllowOverride problem but https://html5sec.org/r/ works. hmmm.

html inject

This website abuses rawgithub.com. You should complain to its owner.

... apparently rawgithub.com didn't like your so many requests... :-)

bbbb

Add Firefox for http://html5sec.org/#147

Latest version of Firefox will trigger on <details open ontoggle="alert(1)">

At the moment the site only references blink based browsers

xss issue

how https://html5sec.org/test.gif xss will work in this? after uploading this , we are not getting any alert box.

Is `test.php` supposed to contain just CSS?

Is test.php supposed to contain just CSS?

The default Content-Type header sent by PHP (with a default php.ini) is text/html, so I’d expect an XSS vector instead. Maybe some system('cat /etc/passwd'); magic, too.

https://html5sec.org/ has expired certificate

The certificate for https://html5sec.org/ expired on March 18th, 2019

consistent naming for payloads.js

please rename payload.js to payloads.js to be consistent with items and categories. In offline mode the key is also named payloads the filename should match.