Script Mapping

Saved by Romain Gaucher on July 11, 2009 at 2:59:44 pm

Description

The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors that cause a script to be executed within a web page without the use of <script> tags. This data is useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML white list system, and for other uses.

 

Originally this project was scoped to check the W3C tags and event attribute combinations to identify which events can be fired in a given tag. After community discussion we extended the project to test for and map the different ways script can be executed by a browser without the use of the script tag. These will be identified through a combination of custom automated test suites and manual review where applicable.

 

Project status: Seeking contributors. Drop me an email if you are interested in this project.

 

Project leader: Romain Gaucher <r ~AT~ rgaucher ~D0T~ info>

 

Project contributors:

 

  • Robert Auger (WASC)

  • Kurt Grutzmacher

  • Roel Bollens

  • Joren McReynolds

  • Thor Larholm

  • Moritz Naumann (Naumann IT Consulting & Services)

  • Stefano Di Paola (Mind Security)

  • Susam Pal

 

 

Releases

For each release, we need verification. If you think a result is inaccurate or simply wrong, review the associated test case and send back your comments.

 

You can download the first results of the Script Mapping project by clicking on the screenshot:

 

 

 

Phases

To make the data more manageable we will be publishing our results in different phases.

 

HTML/XHTML event attributes

 

Script engine calls

  • JavaScript (e.g. href="javascript:alert('foo')")

  • VBScript

 

Cascading Style Sheets

  • W3C (ref 1,2,3)

  • Gecko 

  • WebKit 
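As an added example (not part of the project's own test suites), a small Python allowlist filter that treats the three phases above as the categories a white list system must handle: it drops event attributes, URL attributes whose normalized value starts with a script-engine scheme, and style attributes, and reports what it removed. The allowlist, the tag set and the sample fragment are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote
# Constructed allowlist for this example: tag -> attributes permitted on it.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "img": {"src", "alt"}}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")  # phase 2: URL schemes handed to a script engine

def _normalize_url(value):
    # Undo what browsers tolerate in a scheme: percent-encoding, whitespace and control characters.
    decoded = unquote(value or "")
    return "".join(c for c in decoded if not c.isspace() and ord(c) >= 0x20).lower()

def classify_attribute(name, value):
    """Map an attribute to the Script Mapping phase it belongs to, or None if it looks inert."""
    name = name.lower()
    if name.startswith("on"):                             # phase 1: HTML/XHTML event attributes
        return "event-attribute"
    if _normalize_url(value).startswith(SCRIPT_SCHEMES):  # phase 2: javascript:/vbscript: URLs
        return "script-engine-url"
    if name == "style":                                   # phase 3: CSS, dropped wholesale here
        return "css"
    return None

class AllowlistSanitizer(HTMLParser):
    # Rebuilds the fragment keeping only allowlisted tags and inert, allowlisted attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)  # HTMLParser also decodes entities in attribute values
        self.out, self.dropped = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if classify_attribute(name, value) or name not in ALLOWED_TAGS[tag]:
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(fragment):
    # Returns (clean_html, dropped); dropped lists the (tag, attribute) pairs that were removed.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is the useful part for a filter under test: each entry names the tag and attribute combination the filter had to act on, which is exactly what a result in the Script Mapping tables lets you verify against.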

 

 
