HTML event handlers

The following is a list of event handlers which can be used in HTML code to execute Javascript code.

  • FSCommand(): attacker can use this when executed from within an embedded Flash object
  • onAbort(): when user aborts the loading of an image
  • onActivate(): when object is set as the active element
  • onAfterPrint(): activates after user prints or previews print job
  • onAfterUpdate(): activates on data object after updating data in the source object
  • onBeforeActivate(): fires before the object is set as the active element
  • onBeforeCopy(): attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function
  • onBeforeCut(): attacker executes the attack string right before a selection is cut
  • onBeforeDeactivate(): fires right after the activeElement is changed from the current object
  • onBeforeEditFocus(): Fires before an object contained in an editable element enters a UIactivated state or when an editable container object is control selected
  • onBeforePaste(): user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function
  • onBeforePrint(): user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function
  • onBeforeUnload(): user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent
  • onBlur(): in the case where another popup is loaded and window looses focus
  • onBounce(): fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window
  • onCellChange(): fires when data changes in the data provider
  • onChange(): select, text, or TEXTAREA field loses focus and its value has been modified
  • onClick(): someone clicks on a form
  • onContextMenu(): user would need to right click on attack area
  • onControlSelect(): fires when the user is about to make a control selection of the object
  • onCopy(): user needs to copy something or it can be exploited using the execCommand("Copy") command
  • onCut(): user needs to copy something or it can be exploited using the execCommand("Cut") command
  • onDataAvailible(): user would need to change data in an element, or attacker could perform the same function
  • onDataSetChanged(): fires when the data set exposed by a data source object changes
  • onDataSetComplete(): fires to indicate that all data is available from the data source object
  • onDblClick(): user double-clicks a form element or a link
  • onDeactivate(): fires when the activeElement is changed from the current object to another object in the parent document
  • onDrag(): requires that the user drags an object
  • onDragEnd(): requires that the user drags an object
  • onDragLeave(): requires that the user drags an object off a valid location
  • onDragEnter(): requires that the user drags an object into a valid location
  • onDragOver(): requires that the user drags an object into a valid location
  • onDragDrop(): user drops an object (e.g. file) onto the browser window
  • onDrop(): user drops an object (e.g. file) onto the browser window
  • onError(): loading of a document or image causes an error
  • onErrorUpdate(): fires on a databound object when an error occurs while updating the associated data in the data source object
  • onExit(): someone clicks on a link or presses the back button
  • onFilterChange(): fires when a visual filter completes state change
  • onFinish(): attacker can create the exploit when marquee is finished looping
  • onFocus(): attacker executes the attack string when the window gets focus
  • onFocusIn(): attacker executes the attack string when window gets focus
  • onFocusOut(): attacker executes the attack string when window looses focus
  • onHelp(): attacker executes the attack string when users hits F1 while the window is in focus
  • onKeyDown(): user depresses a key
  • onKeyPress(): user presses or holds down a key
  • onKeyUp(): user releases a key
  • onLayoutComplete(): user would have to print or print preview
  • onLoad(): attacker executes the attack string after the window loads
  • onLoseCapture(): can be exploited by the releaseCapture() method
  • onMouseDown(): the attacker would need to get the user to click on an image
  • onMouseEnter(): cursor moves over an object or area
  • onMouseLeave(): the attacker would need to get the user to mouse over an image or table and then off again
  • onMouseMove(): the attacker would need to get the user to mouse over an image or table
  • onMouseOut(): the attacker would need to get the user to mouse over an image or table and then off again
  • onMouseOver(): cursor moves over an object or area
  • onMouseUp(): the attacker would need to get the user to click on an image
  • onMouseWheel(): the attacker would need to get the user to use their mouse wheel
  • onMove(): user or attacker would move the page
  • onMoveEnd(): user or attacker would move the page
  • onMoveStart(): user or attacker would move the page
  • onPaste(): user would need to paste or attacker could use the execCommand("Paste") function
  • onProgress(): attacker would use this as a flash movie was loading
  • onPropertyChange(): user or attacker would need to change an element property
  • onReadyStateChange(): user or attacker would need to change an element property
  • onReset(): user or attacker resets a form
  • onResize(): user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>
  • onResizeEnd(): user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>
  • onResizeStart(): user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>
  • onRowEnter(): user or attacker would need to change a row in a data source
  • onRowExit(): user or attacker would need to change a row in a data source
  • onRowDelete(): user or attacker would need to delete a row in a data source
  • onRowInserted(): user or attacker would need to insert a row in a data source
  • onScroll(): user would need to scroll, or attacker could use the scrollBy() function
  • onSelect(): user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");
  • onSelectionChange(): user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");
  • onSelectStart(): user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");
  • onStart(): fires at the beginning of each marquee loop
  • onStop(): user would need to press the stop button or leave the webpage
  • onSubmit(): requires attacker or user submits a form
  • onUnload(): as the user clicks any link or presses the back button or attacker forces a click

Tags: 

Share