Formaction Injection

With Optional Content Security Policy and "X-XSS-Protection" Header(s)

(see tables at the bottom of this page)

!!!Fixed by MS15-065!!!

This demo works on pre-MS14-065 Internet Explorer only.

The July 2015 "Patch Tuesday" update contained a fix for this injection type, and it no longer works on up-to-date versions of Internet Explorer

These should still work on Internet Explorer 8 on Windows XP and Internet Explorer 9/10/11 browsers that have not been updated with MS15-065

Internet Explorer 10 & 11 only due to the formaction attribute of the <button> HTML element. Internet Explorer 9 and earlier do not parse the formaction attribute.

Credit: @garethheyes from this blog post

"Spartan"/"Edge" Update:

Microsoft's "Spartan"/"Edge" browser respects the Content Security Policy header. Properly utilized, it will prevent this type of injection from working.

This does not fix the underlying issue, and expecting every website everywhere to add correctly formatted Content Security Policy HTTP response headers is unrealistic.

If you have your own external JavaScript (.js) or plain text file you wish to use, enter its URL/URI here:

The injection lands inside a HTML form. The injected JavaScript should execute when the user clicks on the injected "<button>" HTML element with a "formaction" attribute whose value points to a vulnerable page.

Formaction Injection Page

Source of "formaction-form-submit.php"

Source of "formactionReflection.php"

Try this partially decimal-encoded injection:

Try this partially hexadecimal-encoded injection:

Try this partially named-entity-encoded injection:

Table 1 of 2: To add the Content Security Policy header of choice, refer to the following table:

Content Security Policy Options
CSP header(s) desired HTTP Response Header(s) Query string parameter/value pair Add to injection
None N/A N/A
All 3 CSP Headers Content-Security-Policy: script-src 'self';
X-Content-Security-Policy: script-src 'self';
X-Webkit-CSP: script-src 'self';
Just the Official CSP Header (Chrome 25+, Firefox 23+, Opera 19+, "Spartan"/Edge") Content-Security-Policy: script-src 'self'; csp=1
Just the header recognized by Internet Explorer 10 & 11 X-Content-Security-Policy: script-src 'self'; csp=2
Just the header recognized by Chrome 14 through 24 & Safari 6+ X-Webkit-CSP: script-src 'self'; csp=3
Both the Official and Internet Explorer-recognized headers Content-Security-Policy: script-src 'self';
X-Content-Security-Policy: script-src 'self';
Both the Official and Chrome 14 through 24 & Safari 6+-recognized headers Content-Security-Policy: script-src 'self';
X-Webkit-CSP: script-src 'self';
Both the Internet Explorer-recognized and Chrome 14 through 24 & Safari 6+-recognized headers X-Content-Security-Policy: script-src 'self';
X-Webkit-CSP: script-src 'self';

Table 2 of 2: To add the X-XSS-Protection header of choice, refer to the following table:

X-XSS-Protection Options
X-XSS-Protection desired HTTP Response Header Query string parameter/value pair Add to injection
None N/A N/A
Disable XSS protection X-XSS-Protection: 0 xph=0
Enable XSS protection X-XSS-Protection: 1 xph=1
Enable XSS protection, block rendering of the page X-XSS-Protection: 1; mode=block xph=2

Back to main page