I’m reading an article in which one of the attack vector examples suggests doing the following to launch an attack:
<!-- background attribute -->
<body background="javascript:alert('XSS')">
However, when I include it in an HTML file and open it in localhost, nothing happens, does anyone know why?
Also, can someone explain the syntax javascript: and what it is called?
>Solution :
However, when I include it in a html file and open it in localhost, nothing happens, does anyone know why?
The article you link to, which also mentions ActiveX and Flash, is extremely out of date.
Modern browsers block JavaScript scheme URLs in most contexts as, in those contexts, they were used almost exclusively to launch XSS attacks.
Also, can someone explain what is the syntax javascript: doing and what is it called?
JavaScript scheme URLs are designed to allow a resource to be generated via JS embedded in a URL instead of from an external location.
They have almost never been used for that.
Their most common uses are as a hackey alternative for a click event listener and as bookmarklets.