lightyrs · August 10, 2015 20:43
diff --git a/bins.txt b/bins.txt
 #	Reserved Strings
 #
 #	Strings which may be used elsewhere in code

 undefined
 null

 #	Numeric Strings
 #
 #	Strings which can be interpreted as numeric

 1
 1.00
 $1.00
 1/2
 1E2
 1E02
 1E+02
 -1
 -1.00
 -$1.00
 -1/2
 -1E2
 -1E02
 -1E+02
 1/0
 0/0
 0.00
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

 #	Special Characters
 #
 #	Strings which contain common special ASCII characters (may need to be escaped)

 ,./;'[]\-=
 <>?:"{}|_+
 !@#$%^&*()

 #	Unicode Symbols
 #
 #	Strings which contain common unicode symbols (e.g. smart quotes)

 Ω≈ç√∫˜µ≤≥÷
 åß∂ƒ©˙∆˚¬…æ
 œ∑´®†¥¨ˆøπ“‘
 ¡™£¢∞§¶•ªº–≠
 ¸˛Ç◊ı˜Â¯˘¿
 ÅÍÎÏ˝ÓÔÒÚÆ☃
 Œ„´‰ˇÁ¨ˆØ∏”’
 `⁄€‹›ﬁﬂ‡°·‚—±

 #	Unicode Subscript/Superscript
 #
 #	Strings which contain unicode subscripts/superscripts; can cause rendering issues

 ⁰⁴⁵
 ₀₁₂
 ⁰⁴⁵₀₁₂

 #	Quotation Marks
 #
 #	Strings which contain misplaced quotation marks; can cause encoding errors

 '
 "
 ''
 ""
 '"'
 "''''"'"
 "'"'"''''"

 #	Two-Byte Characters
 #
 #	Strings which contain two-byte characters: can cause rendering issues or character-length issues

 田中さんにあげて下さい
 パーティーへ行かないか
 和製漢語
 部落格
 사회과학원 어학연구소
 社會科學院語學研究所
 울란바토르
 𠜎𠜱𠝹𠱓𠱸𠲖𠳏

 #	Japanese Emoticons
 #
 #	Strings which consists of Japanese-style emoticons which are popular on the web

 ヽ༼ຈل͜ຈ༽ﾉ ヽ༼ຈل͜ຈ༽ﾉ 
 (｡◕ ∀ ◕｡)
 ｀ｨ(´∀｀∩
 __ﾛ(,_,*)
 ・(￣∀￣)・:*:
 ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
 ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
 (╯°□°）╯︵ ┻━┻)  
 (ﾉಥ益ಥ）ﾉ ┻━┻

 #	Emoji
 #
 #	Strings which contain Emoji; should be the same behavior as two-byte characters, but not always

 😍
 👩🏽
 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 
 🐵 🙈 🙉 🙊
 ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
 ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟

 #	Unicode Numbers
 #
 #	Strings which contain unicode numbers; if the code is localized, it should see the input as numeric

 １２３
 ١٢٣

 #	Right-To-Left Strings
 #
 #	Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)

 ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
 בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
 הָיְתָהtestالصفحات التّحول

 #	Unicode Spaces
 #
 #	Strings which contain unicode space characters with special properties (c.f. https://www.cs.tut.fi/~jkorpela/chars/spaces.html)


  
 ᠎
 　

 ␣
 ␢
 ␡

 #	Trick Unicode
 #
 #	Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf)

 ‪‪test‪
 ‫test‫
  test 
 test⁠test‫
 ⁦test⁧

 #	Zalgo Text
 #
 #	Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)

 Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
 ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
 ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
 ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
 Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮

 #	Unicode Upsidedown
 #
 #	Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)

 ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
 00˙Ɩ$-

 #	Script Injection
 #
 #	Strings which attempt to invoke a benign script injection; shows vulnerability to XSS

 <script>alert('hi')</script>
 <img src=x onerror=alert('hi') />
 <svg><script>0<1>alert('XSS')</script> 

 #	SQL Injection
 #
 #	Strings which can cause a SQL injection if inputs are not sanitized

 1;DROP TABLE users
 1'; DROP TABLE users--

 #	Server Code Injection
 #
 #	Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)

 /dev/null; touch /tmp/blns.fail ; echo

 #	File Inclusion
 #
 #	Strings which can cause user to pull in files that should not be a part of a web server

 ../../../../../../../../../../../etc/passwd%00
 ../../../../../../../../../../../etc/hosts

 #	Known CVEs and Vulnerabilities
 #
 #	Strings that test for known vulnerabilities.
 () { 0; }; touch /tmp/blns.shellshock1.fail;
 () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
	# Reserved Strings
	#
	# Strings which may be used elsewhere in code

	undefined
	null

	# Numeric Strings
	#
	# Strings which can be interpreted as numeric

	1
	1.00
	$1.00
	1/2
	1E2
	1E02
	1E+02
	-1
	-1.00
	-$1.00
	-1/2
	-1E2
	-1E02
	-1E+02
	1/0
	0/0
	0.00
	999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

	# Special Characters
	#
	# Strings which contain common special ASCII characters (may need to be escaped)

	,./;'[]\-=
	<>?:"{}\|_+
	!@#$%^&*()

	# Unicode Symbols
	#
	# Strings which contain common unicode symbols (e.g. smart quotes)

	Ω≈ç√∫˜µ≤≥÷
	åß∂ƒ©˙∆˚¬…æ
	œ∑´®†¥¨ˆøπ“‘
	¡™£¢∞§¶•ªº–≠
	¸˛Ç◊ı˜Â¯˘¿
	ÅÍÎÏ˝ÓÔÒÚÆ☃
	Œ„´‰ˇÁ¨ˆØ∏”’
	`⁄€‹›ﬁﬂ‡°·‚—±

	# Unicode Subscript/Superscript
	#
	# Strings which contain unicode subscripts/superscripts; can cause rendering issues

	⁰⁴⁵
	₀₁₂
	⁰⁴⁵₀₁₂

	# Quotation Marks
	#
	# Strings which contain misplaced quotation marks; can cause encoding errors

	'
	"
	''
	""
	'"'
	"''''"'"
	"'"'"''''"

	# Two-Byte Characters
	#
	# Strings which contain two-byte characters: can cause rendering issues or character-length issues

	田中さんにあげて下さい
	パーティーへ行かないか
	和製漢語
	部落格
	사회과학원 어학연구소
	社會科學院語學研究所
	울란바토르
	𠜎𠜱𠝹𠱓𠱸𠲖𠳏

	# Japanese Emoticons
	#
	# Strings which consists of Japanese-style emoticons which are popular on the web

	ヽ༼ຈل͜ຈ༽ﾉヽ༼ຈل͜ຈ༽ﾉ
	(｡◕ ∀ ◕｡)
	｀ｨ(´∀｀∩
	__ﾛ(,_,*)
	・(￣∀￣)・:*:
	ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
	,。・::・゜’( ☻ ω ☻ )。・::・゜’
	(╯°□°）╯︵ ┻━┻)
	(ﾉಥ益ಥ）ﾉ ┻━┻

	# Emoji
	#
	# Strings which contain Emoji; should be the same behavior as two-byte characters, but not always

	😍
	👩🏽
	👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
	🐵 🙈 🙉 🙊
	❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
	✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
	🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
	0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟

	# Unicode Numbers
	#
	# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric

	１２３
	١٢٣

	# Right-To-Left Strings
	#
	# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)

	ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
	בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
	הָיְתָהtestالصفحات التّحول

	# Unicode Spaces
	#
	# Strings which contain unicode space characters with special properties (c.f. https://www.cs.tut.fi/~jkorpela/chars/spaces.html)



	᠎


	␣
	␢
	␡

	# Trick Unicode
	#
	# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf)

	‪‪test‪
	‫test‫
	test
	test⁠test‫
	⁦test⁧

	# Zalgo Text
	#
	# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)

	Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
	̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
	̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
	̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
	Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮

	# Unicode Upsidedown
	#
	# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)

	˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
	00˙Ɩ$-

	# Script Injection
	#
	# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS

	<script>alert('hi')</script>
	<img src=x onerror=alert('hi') />
	<svg><script>0<1>alert('XSS')</script>

	# SQL Injection
	#
	# Strings which can cause a SQL injection if inputs are not sanitized

	1;DROP TABLE users
	1'; DROP TABLE users--

	# Server Code Injection
	#
	# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)

	/dev/null; touch /tmp/blns.fail ; echo

	# File Inclusion
	#
	# Strings which can cause user to pull in files that should not be a part of a web server

	../../../../../../../../../../../etc/passwd%00
	../../../../../../../../../../../etc/hosts

	# Known CVEs and Vulnerabilities
	#
	# Strings that test for known vulnerabilities.
	() { 0; }; touch /tmp/blns.shellshock1.fail;
	() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }