Category Archives: JavaScript

Source Mapper v1.2 released

Whilst using the Source Mapper extension in BurpSuite we noticed a few bugs and some opportunities for improvements. You can read more about the plugin in our earlier blog post. The improvements in this version include:

  • More granular configuration
  • Defaulting to injecting a SourceMap HTTP header instead of the SourceMap content comment in order to prevent conflicts with Sub-Resource Integrity (SRI) hashes
  • It now also does CSS file source map injection

In principle this Burp extension enables the same workflow as before, just with fewer bugs and more configuration options.

You will find the source code here:

It will also be integrated in the Burp Suite BApp store any day now.

And credit where it is due! This version of the extension was led by Mia.

JavaScript Event Handlers: a complete list

Before we provide you with the JavaScript Event Handlers list, we should answer some questions for our non-techie friends. Questions like: What are JavaScript Event Handlers? What is an event?

For those readers who already know what a JavaScript Event Handler is, feel free to skip ahead to the list.

Introduction to JavaScript Event Handling

What is an Event?

Events are actions that occur in the system you are programming, such as a user clicking a button or a page finishing loading. Events are used in programming to make websites more user-friendly for visitors. For example, when a user presses a button on a webpage, an action happens: if you press the word Services, you are taken to a different webpage, and that is an action.

YGHT also uses JavaScript Event Handlers in web application penetration tests for our clients. If you want to learn more about how we engage in Penetration tests, book a 15-minute appointment.

What is Event Handling?

Event handling is the procedure that decides what should happen when the user interacts with the website. The code that runs when the event occurs is known as the event handler, and the mechanism as a whole as event handling.

JavaScript uses the Delegation Event Model to define standards and mechanisms for processing events. The Delegation Event Model used by JavaScript has the following two key contributors:

  • Source: The source is the element on which the event takes place. The source is in charge of providing the event's data to its handler.
  • Listener: The listener is responsible for producing a response to an event. It waits to receive an event; when the event is delivered to the listener, it first processes the event and then returns.

This is just a list of the event handlers that are available in JavaScript. I commonly find web applications that prevent the creation of script tags, and some even prevent common JS event handlers for “in-tag” injection. There are quite a few of these, including some obscure ones, and depending on the method of detection, not all will get caught. There are plenty of resources which include these event handlers, but I couldn’t find a single list. So here is mine:

  • onclick
  • ondblclick
  • onmousedown
  • onmouseup
  • onmouseover
  • onmousemove
  • onmouseout
  • ondragstart
  • ondrag
  • ondragenter
  • ondragleave
  • ondragover
  • ondrop
  • ondragend
  • onkeydown
  • onkeypress
  • onkeyup
  • onload
  • onunload
  • onabort
  • onerror
  • onresize
  • onscroll
  • onselect
  • onchange
  • onsubmit
  • onreset
  • onfocus
  • onblur
  • onpointerdown
  • onpointerup
  • onpointercancel
  • onpointermove
  • onpointerover
  • onpointerout
  • onpointerenter
  • onpointerleave
  • ongotpointercapture
  • onlostpointercapture
  • oncut
  • oncopy
  • onpaste
  • onbeforecut
  • onbeforecopy
  • onbeforepaste
  • onafterupdate
  • onbeforeupdate
  • oncellchange
  • ondataavailable
  • ondatasetchanged
  • ondatasetcomplete
  • onerrorupdate
  • onrowenter
  • onrowexit
  • onrowsdelete
  • onrowinserted
  • oncontextmenu
  • onselectstart
  • onhelp
  • onbeforeunload
  • onstop
  • onbeforeeditfocus
  • onstart
  • onfinish
  • onbounce
  • onbeforeprint
  • onafterprint
  • onpropertychange
  • onfilterchange
  • onreadystatechange
  • onlosecapture
  • DOMMouseScroll
  • ondragdrop
  • ondragexit
  • ondraggesture
  • onclose
  • oncommand
  • oninput
  • DOMMenuItemActive
  • DOMMenuItemInactive
  • onoverflow
  • onoverflowchanged
  • onunderflow
  • onpopuphidden
  • onpopuphiding
  • onpopupshowing
  • onpopupshown
  • onbroadcast
  • oncommandupdate
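As an added example that is not part of the original post, the following Node.js snippet shows the defender-side consequence of the point made above the list: a filter that only knows the well-known handler names (the `COMMON_HANDLER_DENYLIST` below is a constructed stand-in for such filters) lets the more obscure names through, whereas a rule that flags or strips every tag attribute whose name starts with `on` does not. The sample markup is constructed; the attribute scanner is a review aid for looking at markup during testing, not a replacement for a real HTML sanitizer.

```javascript
// Added example (not from the original post). Compares a denylist of common
// inline event handler names with a prefix rule that treats ANY on* attribute
// as a handler. Constructed sample input; not a full HTML parser.

// Hypothetical denylist of the kind the post says it meets in the wild:
// only the handlers everyone has heard of.
const COMMON_HANDLER_DENYLIST = new Set([
  'onclick', 'onload', 'onerror', 'onmouseover', 'onfocus', 'onblur',
]);

// Start tags and their attribute block. Simplification: a '>' inside a quoted
// attribute value would end the tag early, which a real parser handles.
const TAG_RE = /<([a-zA-Z][^\s/>]*)([^>]*)>/g;
// Attribute name with an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=/"'<>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
// The prefix rule: any attribute name of the form on<letters>, any case.
const HANDLER_NAME_RE = /^on[a-z]+$/i;

// Return every attribute name in `html` that the prefix rule treats as an
// inline event handler, lower-cased, in document order.
function findInlineHandlers(html) {
  const found = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      if (HANDLER_NAME_RE.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Which handlers the prefix rule sees, and which of them the denylist misses.
function compareDenylistToPrefixRule(html) {
  const all = findInlineHandlers(html);
  return { all, missedByDenylist: all.filter((h) => !COMMON_HANDLER_DENYLIST.has(h)) };
}

// Rebuild each start tag with every on* attribute removed (prefix rule).
function stripInlineHandlers(html) {
  return html.replace(TAG_RE, (whole, name, attrs) => {
    const kept = attrs
      .replace(ATTR_RE, (a, attrName) => (HANDLER_NAME_RE.test(attrName) ? '' : a))
      .replace(/\s+/g, ' ')
      .trim();
    return `<${name}${kept ? ' ' + kept : ''}>`;
  });
}

// Constructed sample mixing well-known and obscure handler names and casings.
const SAMPLE = '<div onclick="a()" ONPOINTERDOWN="b()" onbeforeeditfocus=c()>' +
  '<img src="x.png" onLoad="d()"></div>';
```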