Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cure53/H5SC
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
https://github.com/cure53/H5SC
Last synced: 1 day ago
JSON representation
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
- Host: GitHub
- URL: https://github.com/cure53/H5SC
- Owner: cure53
- License: mpl-2.0
- Created: 2014-03-28T08:42:32.000Z (over 10 years ago)
- Default Branch: main
- Last Pushed: 2022-02-23T16:46:20.000Z (over 2 years ago)
- Last Synced: 2024-10-30T16:06:54.401Z (4 days ago)
- Language: JavaScript
- Homepage: https://html5sec.org/
- Size: 5.69 MB
- Stars: 2,853
- Watchers: 153
- Forks: 420
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-web-security - H5SC - Written by [@cure53](https://github.com/cure53). (Introduction / XSS - Cross-Site Scripting)
- qazbnm456-awesome-web-security - H5SC - Written by [@cure53](https://github.com/cure53). (Introduction / XSS - Cross-Site Scripting)
README
HTML5 Security Cheatsheet
====
This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:
* A collection of HTML5 related XSS attack vectors
* A set of useful files for XSS testing
* A set of formerly hidden features useful for XSS testing
## The XSS Vectors
The collection of XSS vectors can be found here: https://html5sec.org/
## Useful Files
We published a list of files useful for XSS testing in various situations. Currently the following files are available:
* https://html5sec.org/test.asf
* https://html5sec.org/test.avi
* https://html5sec.org/test.css
* https://html5sec.org/test.dtd
* https://html5sec.org/test.eml
* https://html5sec.org/test.evt
* https://html5sec.org/test.gif
* https://html5sec.org/test.hlp
* https://html5sec.org/test.hta
* https://html5sec.org/test.htc
* https://html5sec.org/test.html
* https://html5sec.org/test.jar
* https://html5sec.org/test.js
* https://html5sec.org/test.json
* https://html5sec.org/test.mpeg
* https://html5sec.org/test.pdf
* https://html5sec.org/test.sct
* https://html5sec.org/test.svg
* https://html5sec.org/test.swf
* https://html5sec.org/test.vbs
* https://html5sec.org/test.vml
* https://html5sec.org/test.wbxml
* https://html5sec.org/test.xbl
* https://html5sec.org/test.xdr
* https://html5sec.org/test.xml
* https://html5sec.org/test.xsl
* https://html5sec.org/test.xxe
* https://html5sec.org/test.zip
* https://html5sec.org/Test.class
Pull requests welcome, we store the files in the `/attachments` sub-folder.
## Hidden Features
The H5SC currently has three "hidden" features
* An RSS mode to test feed readers: https://html5sec.org/rss
* `/rss/+/` gives a unix timestamp 300 seconds in future (for ease use)
* `/rss/+123/` gives a unix timestamp 123 seconds in future
* `/rss/1234/` will serve a minimal rss feed until unix time is 1234.
* A JavaScript function to return all vectors as string, isolated and numbered: Go [here](https://html5sec.org/) and execute `vectors()`
* All H5SC vectors in [one text file](https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt) for easy copy & paste
* A useful search API via GET
* Want all vectors related to `innerHTML`? Open https://html5sec.org/?innerHTML
* Want to link a specific vector? Open https://html5sec.org/#123
* A redirect API resolving to a URL containing XSS payload
* Data URI, no special status: https://html5sec.org/r/data/
* Data URI, status code `307`: https://html5sec.org/r/data/307
* JavaScript URI, status code `301`: https://html5sec.org/r/javascript/301
* Supported status codes are: `301`, `302`, `303`, `307`, `308`, `999`
* Supported schemes are: `data`, `javascript`, `jar`, `script` (redirecting to https://html5sec.org/%3cscript>alert(1)%3c/script>/)
* More to come soon!