# H5SC

**Repository Path**: hurricane672/H5SC

## Basic Information

- **Project Name**: H5SC
- **Description**: HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
- **Primary Language**: Unknown
- **License**: MPL-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2021-12-01
- **Last Updated**: 2021-12-01

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

HTML5 Security Cheatsheet
====

This is the new home of the H5SC, the HTML5 Security Cheatsheet. Here you will find three things:

* A collection of HTML5-related XSS attack vectors
* A set of useful files for XSS testing
* A set of formerly hidden features useful for XSS testing

## The XSS Vectors

The collection of XSS vectors can be found here: https://html5sec.org/

## Useful Files

We published a list of files useful for XSS testing in various situations. Currently the following files are available:

* https://html5sec.org/test.asf
* https://html5sec.org/test.avi
* https://html5sec.org/test.css
* https://html5sec.org/test.dtd
* https://html5sec.org/test.eml
* https://html5sec.org/test.evt
* https://html5sec.org/test.gif
* https://html5sec.org/test.hlp
* https://html5sec.org/test.hta
* https://html5sec.org/test.htc
* https://html5sec.org/test.html
* https://html5sec.org/test.jar
* https://html5sec.org/test.js
* https://html5sec.org/test.json
* https://html5sec.org/test.mpeg
* https://html5sec.org/test.pdf
* https://html5sec.org/test.sct
* https://html5sec.org/test.svg
* https://html5sec.org/test.swf
* https://html5sec.org/test.vbs
* https://html5sec.org/test.vml
* https://html5sec.org/test.wbxml
* https://html5sec.org/test.xbl
* https://html5sec.org/test.xdr
* https://html5sec.org/test.xml
* https://html5sec.org/test.xsl
* https://html5sec.org/test.xxe
* https://html5sec.org/test.zip
* https://html5sec.org/Test.class

Pull requests are welcome; we store the files in the `/attachments` sub-folder.

## Hidden Features

The H5SC currently has three "hidden" features:

* An RSS mode to test feed readers: https://html5sec.org/rss
  * `/rss/+/` gives a Unix timestamp 300 seconds in the future (for ease of use)
  * `/rss/+123/` gives a Unix timestamp 123 seconds in the future
  * `/rss/1234/` serves a minimal RSS feed until Unix time 1234
* A JavaScript function to return all vectors as a string, isolated and numbered: go [here](https://html5sec.org/) and execute `vectors()`
* All H5SC vectors in [one text file](https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt) for easy copy & paste
* A useful search API via GET
  * Want all vectors related to `innerHTML`? Open https://html5sec.org/?innerHTML
  * Want to link a specific vector? Open https://html5sec.org/#123
* A redirect API resolving to a URL containing an XSS payload
  * Data URI, no special status: https://html5sec.org/r/data/
  * Data URI, status code `307`: https://html5sec.org/r/data/307
  * JavaScript URI, status code `301`: https://html5sec.org/r/javascript/301
  * Supported status codes are: `301`, `302`, `303`, `307`, `308`, `999`
  * Supported schemes are: `data`, `javascript`, `jar`, `script` (redirecting to https://html5sec.org/%3cscript>alert(1)%3c/script>/)
* More to come soon!
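The redirect API above exists to check how feed readers and link fetchers behave when a `Location` header points at a `data:` or `javascript:` URI. As an added example that is not part of the H5SC project, here is the follow-or-refuse policy such a client should apply before honouring a redirect; the function names, the `origin` parameter and the sample responses are constructed for this illustration.

```python
"""Redirect policy for a feed reader / link fetcher (added example, not H5SC code).

Classifies a response's status and Location header the way a hardened client
should: only HTTP redirect codes are honoured, and only to http(s) targets.
"""
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Status codes that actually signal an HTTP redirect; 999 is not one of them.
REDIRECT_CODES = {301, 302, 303, 307, 308}
# The only schemes a server-supplied Location may ever steer a client to.
ALLOWED_SCHEMES = {"http", "https"}
# Schemes the H5SC redirect API emits to probe clients; all must be refused.
SCRIPT_BEARING = {"data", "javascript", "jar", "script"}


def classify_redirect(status: int, location: Optional[str], origin: str) -> Tuple[bool, str]:
    """Return (follow, reason) for one response.

    `origin` is the URL that was requested and is used to resolve relative
    Location values, as a real client would. Anything unexpected fails closed.
    """
    if status not in REDIRECT_CODES:
        return False, f"status {status} is not a redirect"
    if not location or not location.strip():
        return False, "redirect without Location header"
    target = urljoin(origin, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return True, f"follow to {target}"
    if scheme in SCRIPT_BEARING:
        return False, f"refused script-bearing scheme '{scheme}:'"
    return False, f"refused unexpected scheme '{scheme or '<none>'}:'"


# Constructed responses modelled on what /r/<scheme>/<code> would return.
SAMPLE_RESPONSES = [
    (307, "data:text/html,<script>alert(1)</script>", "https://html5sec.org/r/data/307"),
    (301, "JavaScript:alert(1)", "https://html5sec.org/r/javascript/301"),
    (302, "/login", "https://example.test/feed"),
    (999, "https://example.test/", "https://example.test/"),
    (301, None, "https://example.test/"),
]


def audit(responses=SAMPLE_RESPONSES):
    """Run the policy over a batch and return the list of (follow, reason)."""
    return [classify_redirect(s, loc, org) for s, loc, org in responses]


if __name__ == "__main__":
    for verdict in audit():
        print(verdict)
```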