This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:
- A collection of HTML5 related XSS attack vectors
- A set of useful files for XSS testing
- A set of formerly hidden features useful for XSS testing
The collection of XSS vectors can be found here: https://html5sec.org/
We published a list of files useful for XSS testing in various situations. Currently the following files are available:
- https://html5sec.org/test.asf
- https://html5sec.org/test.avi
- https://html5sec.org/test.css
- https://html5sec.org/test.dtd
- https://html5sec.org/test.eml
- https://html5sec.org/test.evt
- https://html5sec.org/test.gif
- https://html5sec.org/test.hlp
- https://html5sec.org/test.hta
- https://html5sec.org/test.htc
- https://html5sec.org/test.html
- https://html5sec.org/test.jar
- https://html5sec.org/test.js
- https://html5sec.org/test.json
- https://html5sec.org/test.mpeg
- https://html5sec.org/test.pdf
- https://html5sec.org/test.sct
- https://html5sec.org/test.svg
- https://html5sec.org/test.swf
- https://html5sec.org/test.vbs
- https://html5sec.org/test.vml
- https://html5sec.org/test.wbxml
- https://html5sec.org/test.xbl
- https://html5sec.org/test.xdr
- https://html5sec.org/test.xml
- https://html5sec.org/test.xsl
- https://html5sec.org/test.xxe
- https://html5sec.org/test.zip
- https://html5sec.org/Test.class
Pull requests are welcome; the files are stored in the /attachments sub-folder of this repository.
Hidden Features
The H5SC currently has the following "hidden" features:
- An RSS mode to test feed readers: https://html5sec.org/rss
- A JavaScript function that returns all vectors as one string, isolated and numbered: open https://html5sec.org/ and execute vectors() in the browser console
- A search API via GET:
  - Want all vectors related to innerHTML? Open https://html5sec.org/?innerHTML
  - Want to link to a specific vector? Open https://html5sec.org/#123
- A redirect resolving to a URL containing an XSS payload: https://html5sec.org/r
- More to come soon!