Skip to content
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
36 lines (25 sloc) 2.47 KB

Attack Review Ground Rules

How to win

There are many ways we might have failed.

If you are the first to provide me with a payload that does any of the following on one of Yahoo's A-list browsers, then I will be happy to give credit via the project wiki and README, and I owe you a nice dinner next time we're in the same city (or coupon for dinner in your city). Only the first reported payload that demonstrates a particular bug counts.

  • Pop up an alert with any text.
  • Cause a network load of as JS
  • Set or retrieve document.cookie.
  • Cause the DOM to contain an element or attribute not explicitly allowed by the policy linked above (and not contained by /reflect with a blank input).
  • Cause an redirect to or a URL of your choosing without user interaction.
  • Cause a save-file dialog to pop-up.
  • Crash the browser or cause it to loop infinitely until the browser halts JS or consume inordinate resources for an input of that size.
  • Cause an exception, crash, or inf. loop in the sanitizer that causes it to fail to provide service or consume inordinate resources for an input of that size.
  • Exfiltrate information from the page, such as the name or value of an input or the page title.
  • Exfiltrate keystrokes from the page.

This is not an exhaustive list and creative attacks are welcome.

If you find the web interface cumbersome, feel free to download and test the sanitizer directly. See GettingStarted for instructions.

Reporting Vulnerabilities

Please report successful attacks with example input via OWASP's bugcrowd queue.

If you wish to be credited, please provide a name or handle for me to credit.

If you wish to remain anonymous and still claim dinner at my expense, please create a sock account, CC and let me know how you will authenticate yourself should we meet.

Out of Bounds

We are testing the HTML sanitizer as written, not the servers on which the test framework runs, so hacking the server to change the code behind it or rewrite the HTML sanitizer is out of bounds.


Feel free to ask question in comments on this wiki page, or via the project group, or via my email address above.

I will also lurk on IRC /join #owasp-html-sanitizer using the handle mikesamuel.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.