Thanks for your attention to my article and for your work.

I hope the article was interesting for you (as it looks like, because you dicided to translate it). And I hope my English version of the article was sufficiently clear for you . I can suggest for you some breaklines (indents) in the text of your version of my article - it’ll improve its readability.

And feel free to read other my articles (there are English versions of many of them, some of which are published at my site and some at WASC Mailing List).

I’ve translated to Spanish this article:
http://blog.zerial.org/seguridad/el-futuro-de-los-ataques-cross-site-scripting-xss/

lol, wordpress encoded my PoC xDD

Yes, WP is fun engine . I’ve fixed your comment.

sirdarckcat and NotMyRealName

Thanks for your feedback. It’s important for me to know thoughts of other security professionals on this topic.

I see that you are mature security professionals and it’s hard to surprise you in this topic, but in any case there was something new in these two articles for you. And looked in my article MouseOverJacking attacks, that there are other attack vectors besides XSS (such as DoS, CSRF and others). And feel free to read other my articles, where you certainly will find something interesting and new for yourself.

I’ll anwer separately at your comments soon.

expression(), background(), -moz-binding(): That is ancient and has been known for a long time.

Use of tag attributes, like onload, onerror, etc.: Ancient.

onMouseOver with a clever style: OK, I hadn’t seen that before, but it feels to me like a pretty minor tweak to some existing thing.

I think you’re hyping this way too hard. Fancy names like “MouseOverJacking”? “The Future of XSS”? It’s just a twist on standard approaches. A clever twist, but come on: have a sense of perspective.

http://0x.lv/xss.php?nofil&html_xss=%3Ca+style=xss=expression(alert(1))%3E

And on IE you can also use behavior:url(#default#time2) and onbegin if the page has a doctype.. so either way, IE is pretty much pwnable via styles.

If you want cross browser solutions, we usually use onmouseover with top/width on 100% and position absolute on 0,0.

Just to mention the first results on google:
http://sla.ckers.org/forum/read.php?2,24036
http://sla.ckers.org/forum/read.php?2,31650
http://sla.ckers.org/forum/read.php?2,15812,page=2

But yeah, considering we are on 2010 and there are PoCs since 2007, I’m correct on “years”.

Nice name anyway! I will never use it, but maybe some people will.

Greetings!!

dude, we’ve all been using this for years

sirdarckcat, really? Because I thought XSS via styles (described in my article) mostly were used .

Are you talking about MouseOverJacking or about XSS via event hadlers? Because these are different things, as I mentioned in my article MouseOverJacking attacks (read “The idea of MouseOverJacking attacks” part of the article).

MouseOverJacking is automated attacks, while XSS via event hadlers is not. I’m using XSS via event hadlers for many years (first time I mentioned at my site about such XSS regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is different thing. It uses both XSS holes (via onMouseOver) and special ways to make attack fully automated - to make it comparable to attacks via styles.

As I mentioned in current article, the most often the attacks via style property are used (I also used them for many years in my PoCs). And taking into account situation with modern browsers, I proposed my cross-browser solution.

You are welcome.

dude, we’ve all been using this for years..