Description
The purpose of the WASC Script Mapping Project is to create a comprehensive list of unique vectors that trigger the invocation of the JavaScript run-time, resulting in JavaScript content being evaluated and executed.
This list should include the following:
- Element references (<script>)
- HTML/XHTML DOM Events (onmousemove, onload)
- Protocol declarations (javascript:, data:)
We feel this reference will prove useful for comprehensive testing of currently implemented Data Validation solutions such as Whitelists, Blacklists or WAFs; for those wishing to build custom Data Validation systems that handle HTML/XHTML/XML content; and for other uses.
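One way a validation system could use the three vector classes listed above, as an added example that is not code from the WASC project: a function that takes an element already parsed by an HTML parser and reports which class applies. The function names, the URL-attribute subset and the sample input are assumptions made for illustration.

```javascript
// Added example, not project code. Names and the attribute subset are assumptions.
const SCRIPT_ELEMENTS = new Set(["script"]);
// Attributes whose value a browser treats as a URL (illustrative subset).
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction", "data", "poster"]);
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);

// Mirror the URL parser's pre-processing: strip leading/trailing C0
// controls and spaces, then drop every tab and newline, so a scheme
// split by whitespace is still recognised.
function urlScheme(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// element: { tag: string, attrs: { name: value } } as produced by an
// HTML parser (entities already decoded). Returns a list of findings.
function findScriptVectors(element) {
  const findings = [];
  const tag = element.tag.toLowerCase();
  if (SCRIPT_ELEMENTS.has(tag)) findings.push({ kind: "element", tag });
  for (const [rawName, value] of Object.entries(element.attrs || {})) {
    const name = rawName.toLowerCase();
    if (/^on./.test(name)) {
      // Flag every on* attribute instead of a fixed event list, because
      // which events fire on which tag differs between browsers.
      findings.push({ kind: "event", tag, attr: name });
    } else if (URL_ATTRIBUTES.has(name)) {
      const scheme = urlScheme(String(value));
      if (scheme && SCRIPT_SCHEMES.has(scheme)) {
        findings.push({ kind: "protocol", tag, attr: name, scheme });
      }
    }
  }
  return findings;
}

// Constructed sample input.
const samples = [
  { tag: "SCRIPT", attrs: {} },
  { tag: "img", attrs: { src: "logo.png", OnLoad: "init()" } },
  { tag: "a", attrs: { href: " \tjava\nscript:void(0)" } },
  { tag: "a", attrs: { href: "https://example.org/a:b" } },
];
for (const s of samples) console.log(s.tag, JSON.stringify(findScriptVectors(s)));
```

A validator built on an allowlist would reject or strip any element for which the findings list is non-empty, instead of trying to enumerate known-bad values.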
Originally this project was scoped to check the W3C tags and event attribute combinations to identify which events can be fired in a given tag. After community discussion we extended the project to test for and map the different ways script can be executed by a browser. This will be identified via a combination of custom automated test suites and manual review when applicable. Our long-term goal is to completely automate the testing, update, and maintenance of this reference.
Project Status: Version 0.2 is underway... (Always seeking contributors, drop me an email if you are interested in this project.)
Project Leader(s): Daniel Herrera <daherrera101@yahoo.com>, Romain Gaucher <rgaucher@cigital.com>
Project contributors:
- Robert Auger (WASC)
- Kurt Grutzmacher
- Roel Bollens
- Joren McReynolds
- Thor Larholm
- Moritz Naumann (Naumann IT Consulting & Services)
- Stefano Di Paola (Mind Security)
- Susam Pal
Releases
For each release, we need verification. If you think one result is not accurate or just wrong, you can review the associated test case and send back your comments.
Version 0.1
W3C Event Handlers: Firefox2, IE7, Safari3 (Nov. 26, 2007)(Download) & Test Cases (Download)
Phases
To make the data more manageable we will be publishing our results in different phases. Please stay tuned for additional details regarding the release phases and an associated time line.
Version 0.2
HTML/XHTML DOM events
Version 0.3
Protocol References
- JavaScript (ex: href="javascript:alert(1)")
- Data (ex: src="data:text/javascript;base64,YWxlcnQoMSk7")
Cascading Style Sheets
- W3C (ref 1,2,3)
- Gecko
- WebKit