HTML Cheat Sheet
If you haven’t visited my vulnerability lab page, it’s probably worth your time if you are into spam at all. Text obfuscation in HTML is really simple. It gets infinitely more complex if you add in JavaScript, but even without it, it can be extremely complex. If someone claims they know HTML, show them the source of this HTML obfuscation page and then ask them to tell you what it says. Just because you can build a webpage doesn’t mean you know HTML.
That said, oftentimes I am unsure about text obfuscation, or more exactly, I am unsure of the usage of a certain parameter of a tag. For this there is only one page worth looking at on the entire web that I’ve found: the HTML Cheat Sheet (aka the HTML Element Index). Brian Wilson put together the most exact and useful set of information for HTML on the web. It’s seriously the only bookmark I use for HTML, period. Granted, encoding and JavaScript obfuscation are not its primary function, but many of the vectors I have come up with have been derived from Brian’s work (his was for webmasters, mine was for security experts, but you get the idea). I highly recommend this to anyone who wants to get familiar with the subject.
The reason this is relevant to XSS is because most people think XSS is about script injection. That’s completely untrue unless you are talking about DOM based XSS. In most cases you are talking about HTML injection, which includes JavaScript. The hard part is getting the HTML onto the page in order to run the JavaScript. In this way, I think people have spent way too much time on JavaScript and not nearly enough on HTML, which is why the XSS Cheat Sheet talks mostly in terms of what HTML is allowed on the page, not what JavaScript is allowed.
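The point that the defence is about which HTML is allowed, not which JavaScript, can be shown from the filtering side. The following is an added example, not code from the original post: a naive blocklist that only strips `<script>` blocks next to an allowlist sanitizer built on Python's `html.parser`. The sample fragment, the tag and attribute sets, and the function names are constructed for this illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: once <script> is stripped, the remaining HTML still
# carries JavaScript through an event-handler attribute and a URL scheme.
SAMPLE = ('<p>Hi <b>there</b><img src=x onerror="alert(1)">'
          '<a href="javascript:alert(1)">link</a><script>alert(1)</script></p>')

def naive_filter(fragment):  # blocklist: remove <script> blocks, nothing else
    return re.sub(r"(?is)<script.*?</script>", "", fragment)

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}            # no event handlers on any tag
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)

class AllowlistSanitizer(HTMLParser):
    """Allowlist: decide which HTML may stay and re-serialise only that."""
    def __init__(self):
        super().__init__()                 # convert_charrefs=True: data arrives decoded
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                 # drop the element together with its contents
            return
        if tag not in ALLOWED_TAGS:
            return                         # unlisted tag: drop it, keep its inner text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue                   # javascript:, data:, vbscript: ... rejected
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is never markup

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Running `naive_filter(SAMPLE)` leaves the `onerror` handler and the `javascript:` link in place; `sanitize(SAMPLE)` returns `<p>Hi <b>there</b><a>link</a></p>`.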
Additionally, DOM based XSS is usually easier to audit by hand in a black box environment because the source is easily downloadable, whereas in reflected and stored XSS it is not. That’s why I’ve spent most of my time researching the different vectors rather than new ways to make JavaScript pull in additional data, although I think there are definitely doors to be opened there (Jeremiah’s Google exploit is a prime example). Anyway, check out Brian’s page. It’s definitely worth the time.