There are many ways we might have failed.
If you are the first to provide me with a payload that does any of the following on one of Yahoo's A-list browsers, then I will be happy to give credit via the project wiki and README, and I owe you a nice dinner next time we're in the same city (or coupon for dinner in your city). Only the first reported payload that demonstrates a particular bug counts.
- Pop up an
alert
with any text. - Cause a network load of
http://ha.ckers.org/xss.js
as JS - Set or retrieve
document.cookie
. - Cause the DOM to contain an element or attribute not explicitly allowed by the policy linked above (and not contained by
/reflect
with a blank input). - Cause an redirect to
http://ha.ckers.org/
or a URL of your choosing without user interaction. - Cause a save-file dialog to pop-up.
- Crash the browser or cause it to loop infinitely until the browser halts JS or consume inordinate resources for an input of that size.
- Cause an exception, crash, or inf. loop in the sanitizer that causes it to fail to provide service or consume inordinate resources for an input of that size.
- Exfiltrate information from the page, such as the name or value of an input or the page title.
- Exfiltrate keystrokes from the page.
This is not an exhaustive list and creative attacks are welcome.
If you find the web interface cumbersome, feel free to download and test the sanitizer directly. See GettingStarted for instructions.
Please report successful attacks with example input via OWASP's bugcrowd queue
or contact mikesamuel
@gmail
.com
and I will create a repository security advisory to coordinate.
If you wish to be credited, please provide a name or handle for me to credit.
If you wish to remain anonymous, please create a sock account, and email the address above.
We are testing the HTML sanitizer as written, not the servers on which the test framework runs, so hacking the server to change the code behind it or rewrite the HTML sanitizer is out of bounds.
Feel free to ask question in comments on this wiki page, or via the project group, or via my email address above.
I will also lurk on IRC /join #owasp-html-sanitizer
using the handle mikesamuel
.