HTML5 Security - Sourcecode & Demos

Chapter 1: XSS, JavaScript & Co.

1.1 Cross-Site Scripting

1.1.2 XSS of the Third Kind: DOM-based XSS

Listing 1.1:

DOM-based-XSS.html?name=foobar

For the demonstration, replace the foobar in the browser's URL field with, e.g.,
<script>alert('XSS!')</script>
As long as the browser doesn't encode the < and > characters, an alert box pops up after the reload.
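The following is an added example, not the source of the book's demo page. It shows the pattern behind Listing 1.1 next to a hardened form, and why browser-side URL encoding is no defense once page script decodes the parameter. The function names and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: pure functions, so it also runs in Node without a DOM.
// Function names and sample URLs are assumptions, not the demo page's code.

// Read the "name" query parameter; searchParams.get() percent-decodes it,
// so an encoded %3Cscript%3E comes back as literal markup.
function getNameParam(href) {
  return new URL(href).searchParams.get("name") || "";
}

// Vulnerable pattern: the decoded value is concatenated into markup that a
// page would then pass to document.write() or innerHTML.
function greetingUnsafe(href) {
  return "<p>Hello " + getNameParam(href) + "</p>";
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: escape before the value reaches an HTML sink.
// In a browser, assigning the raw value to element.textContent avoids
// HTML parsing altogether and is the simpler fix.
function greetingSafe(href) {
  return "<p>Hello " + escapeHtml(getNameParam(href)) + "</p>";
}

// Constructed sample URLs (example.test is a placeholder host).
const benign = "http://example.test/DOM-based-XSS.html?name=foobar";
const hostile = "http://example.test/DOM-based-XSS.html?name=" +
  encodeURIComponent("<script>alert('XSS!')</script>");

console.log(greetingUnsafe(hostile)); // script element survives as markup
console.log(greetingSafe(hostile));   // rendered as inert text
```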

1.2 HTML5 and Cross-Site Scripting

1.2.5 SVG is a graphic?

Listing 1.2 (Call it!):

<svg xmlns="http://www.w3.org/2000/svg">
   <script  type="text/javascript">
      alert(1)
  </script>
</svg>

Listing 1.3 (Call it!):

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
   <script  type="text/javascript">
      alert("Not a SVG image, but a XSS attack!")
  </script>
</svg>

1.7 JavaScript Hijacking

1.7.1 Redefine functions

Listing 1.6 (Call it!):

<script>
function multiply(a, b) {
   var c = a * b;
   alert(a + " * " + b + " = " + c);
}

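// After 10 seconds the global multiply() is overwritten; the button below then runs the replacement
setTimeout("multiply = function() {alert('Hi Jack was there');} ", 10000);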

</script>

<input type="button" value="7 * 7 = ?" onclick="multiply(7,7);">

Listing 1.7 (Call it!):

<script>
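// Keep a reference to the browser's native alert()
var originalAlert = window.alert;

// Replacement that prepends its own text before calling the original
function wrongAlert(message) {
   var output = "I report most obediently: " + message;
   originalAlert(output);
}

// From here on, every call to alert() on this page runs wrongAlert()
window.alert = wrongAlert;

alert("Nothing to report!");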
</script>

Chapter 4: Clickjacking

4.1 The classical Clickjacking

Demo