0xy37/H5SC

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

HTML5 Security Cheatsheet

This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:

• A collection of HTML5 related XSS attack vectors
• A set of useful files for XSS testing
• A set of formerly hidden features useful for XSS testing

The XSS Vectors

The collection of XSS vectors can be found here: https://html5sec.org/

Useful Files

We published a list of files useful for XSS testing in various situations. Currently the following files are available:

• https://html5sec.org/test.asf
• https://html5sec.org/test.avi
• https://html5sec.org/test.css
• https://html5sec.org/test.dtd
• https://html5sec.org/test.eml
• https://html5sec.org/test.evt
• https://html5sec.org/test.gif
• https://html5sec.org/test.hlp
• https://html5sec.org/test.hta
• https://html5sec.org/test.htc
• https://html5sec.org/test.html
• https://html5sec.org/test.jar
• https://html5sec.org/test.js
• https://html5sec.org/test.json
• https://html5sec.org/test.mpeg
• https://html5sec.org/test.pdf
• https://html5sec.org/test.sct
• https://html5sec.org/test.svg
• https://html5sec.org/test.swf
• https://html5sec.org/test.vbs
• https://html5sec.org/test.vml
• https://html5sec.org/test.wbxml
• https://html5sec.org/test.xbl
• https://html5sec.org/test.xdr
• https://html5sec.org/test.xml
• https://html5sec.org/test.xsl
• https://html5sec.org/test.xxe
• https://html5sec.org/test.zip
• https://html5sec.org/Test.class

Pull requests welcome, we store the files in the /attachments sub-folder.

Hidden Features

The H5SC currently has three "hidden" features

• An RSS mode to test feed readers: https://html5sec.org/rss
• /rss/+/ gives a unix timestamp 300 seconds in future (for ease use)
• /rss/+123/ gives a unix timestamp 123 seconds in future
• /rss/1234/ will serve a minimal rss feed until unix time is 1234.
• A JavaScript function to return all vectors as string, isolated and numbered: Go here and execute vectors()
• All H5SC vectors in one text file for easy copy & paste
• A useful search API via GET
• Want all vectors related to innerHTML? Open https://html5sec.org/?innerHTML
• Want to link a specific vector? Open https://html5sec.org/#123
• A redirect API resolving to a URL containing XSS payload
• Data URI, no special status: https://html5sec.org/r/data/
• Data URI, status code 307: https://html5sec.org/r/data/307
• JavaScript URI, status code 301: https://html5sec.org/r/javascript/301
• Supported status codes are: 301, 302, 303, 307, 308, 999
• Supported schemes are: data, javascript, jar, script (redirecting to https://html5sec.org/%3cscript>alert(1)%3c/script>/)
• More to come soon!