 def test_payload_inline_single_no_break(self):
     """
     Render the payload into a single-quoted style attribute with its own
     double quote removed; the unmodified payload then never occurs in the
     document, so no context may be reported.
     """
     markup = """
     <div style='background-image: url("%s")'>
     """
     probe = 'PAYLOAD":('
     # Only the rendered copy loses the quote (it becomes PAYLOAD:( ); the
     # lookup still asks for the original probe, which is absent verbatim.
     rendered = markup % probe.replace('"', '')
     found = get_context(rendered, probe)
     self.assertEqual(len(found), 0)
 def test_payload_inline_double(self):
     """
     A payload carrying a single quote is rendered inside url('...') of a
     double-quoted style attribute. The first context reported must be the
     double-quoted attribute context and it must report can_break().
     """
     probe = "PAYLOAD':("
     markup = """
     <div style="background-image: url('%s')">
     """
     found = get_context(markup % probe, probe)
     first = found[0]
     self.assertIsInstance(first, HtmlAttrDoubleQuote)
     self.assertTrue(first.can_break())
 def test_payload_inline_double(self):
     """
     Single-quote-bearing payload inside url('...') within a double-quoted
     style attribute: expect an HtmlAttrDoubleQuote context that can break.
     """
     markup = """
     <div style="background-image: url('%s')">
     """
     probe = "PAYLOAD':("
     rendered = markup % probe
     ctx = get_context(rendered, probe)[0]
     self.assertIsInstance(ctx, HtmlAttrDoubleQuote)
     self.assertTrue(ctx.can_break())
 def test_payload_inline_single_no_break(self):
     """
     Strip the payload's double quote before rendering it into a
     single-quoted style attribute; because the original payload is then
     absent from the page, get_context must return nothing.
     """
     markup = """
     <div style='background-image: url("%s")'>
     """
     probe = 'PAYLOAD":('
     stripped = probe.replace('"', '')
     # Search for the unmodified probe in a page that only holds `stripped`.
     found = get_context(markup % stripped, probe)
     self.assertEqual(len(found), 0)
 def test_payload_inline_single(self):
     """
     Double-quote-bearing payload inside url("...") of a single-quoted style
     attribute: the first context must be HtmlAttrSingleQuote and must
     report can_break().
     """
     probe = 'PAYLOAD":('
     markup = """
     <div style='background-image: url("%s")'>
     """
     found = get_context(markup % probe, probe)
     first = found[0]
     self.assertIsInstance(first, HtmlAttrSingleQuote)
     self.assertTrue(first.can_break())
 def test_payload_inline_single(self):
     """
     Payload with an embedded double quote rendered into a single-quoted
     style attribute; expect a breakable HtmlAttrSingleQuote context.
     """
     markup = """
     <div style='background-image: url("%s")'>
     """
     probe = 'PAYLOAD":('
     rendered = markup % probe
     ctx = get_context(rendered, probe)[0]
     self.assertIsInstance(ctx, HtmlAttrSingleQuote)
     self.assertTrue(ctx.can_break())
 def test_payload_handler(self):
     """
     Payload forming the entire value of an onclick handler attribute: the
     first context must report is_executable() and be an
     HtmlAttrDoubleQuote.
     """
     markup = """
     <html>
         <a onclick="PAYLOAD">foo</a>
     </html>
     """
     probe = 'PAYLOAD'
     found = get_context(markup, probe)
     first = found[0]
     self.assertTrue(first.is_executable())
     self.assertIsInstance(first, HtmlAttrDoubleQuote)
 def test_payload_href_append_no_exec(self):
     """
     Payload appended to the path of an http:// href. The context is the
     double-quoted attribute, and it must not be reported as executable.
     """
     probe = 'PAYLOAD'
     markup = """
     <html>
         <a href="http://w3af.org/PAYLOAD">foo</a>
     </html>
     """
     ctx = get_context(markup, probe)[0]
     self.assertIsInstance(ctx, HtmlAttrDoubleQuote)
     self.assertFalse(ctx.is_executable())
 def test_payload_javascript_href_start_with_space(self):
     """
     Payload appended to a javascript: href whose value starts with a
     space. The leading whitespace must not hide the scheme: the
     double-quoted attribute context has to report is_executable().
     """
     markup = """
     <html>
         <a href=" javascript:foo();PAYLOAD">foo</a>
     </html>
     """
     probe = 'PAYLOAD'
     found = get_context(markup, probe)
     first = found[0]
     self.assertIsInstance(first, HtmlAttrDoubleQuote)
     self.assertTrue(first.is_executable())
 def test_payload_html_inside_script_with_comment(self):
     """
     Payload inside a <script> body that is wrapped in an HTML comment
     (<!-- ... -->). The comment markers must not change the classification:
     the first context is still ScriptText.
     """
     probe = 'PAYLOAD'
     markup = """
     <html>
         <script>
             <!-- foo();PAYLOAD;bar(); -->
         </script>
     </html>
     """
     found = get_context(markup, probe)
     self.assertIsInstance(found[0], ScriptText)
 def test_payload_href(self):
     """
     Payload ending in a colon forming the whole href value. Expect the
     double-quoted attribute context and can_break() to be true.
     """
     markup = """
     <html>
         <a href="%s">foo</a>
     </html>
     """
     probe = 'PAYLOAD:'
     rendered = markup % probe
     ctx = get_context(rendered, probe)[0]
     self.assertTrue(ctx.can_break())
     self.assertIsInstance(ctx, HtmlAttrDoubleQuote)
 def test_payload_src(self):
     """
     Same colon-terminated payload as the href case, but as the full value
     of an <img src>. Expect a breakable HtmlAttrDoubleQuote context.
     """
     probe = 'PAYLOAD:'
     markup = """
     <html>
         <img src="%s" />
     </html>
     """
     found = get_context(markup % probe, probe)
     first = found[0]
     self.assertTrue(first.can_break())
     self.assertIsInstance(first, HtmlAttrDoubleQuote)
 def test_payload_style_single_quote_break(self):
     """
     Payload with an unescaped double quote rendered inside a quoted CSS
     font-family value within <style>. Expect a CSSText context that
     reports can_break().
     """
     probe = 'PAYLOAD":('
     markup = """
     <html>
         <style>
             font-family: Georgia, "Times New Roman %s";
         </style>
     </html>
     """
     rendered = markup % probe
     ctx = get_context(rendered, probe)[0]
     self.assertIsInstance(ctx, CSSText)
     self.assertTrue(ctx.can_break())
    def test_payload_onclick_payload_between_single_quotes_append(self):
        """
        Payload carrying a single quote, appended after other text inside a
        single-quoted JS string within a double-quoted onClick attribute.
        The first context must be HtmlAttrDoubleQuote and breakable.
        """
        probe = "PAYLOAD'BREAK"
        markup = """
        <html>
            <input type="button" onClick="foo('XXX-PAYLOAD'BREAK')">
        </html>
        """

        found = get_context(markup, probe)
        first = found[0]

        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertTrue(first.can_break())
    def test_payload_onclick_payload_append(self):
        """
        Quote-free payload appended to an onClick expression. The context is
        the double-quoted attribute: not breakable, but executable.
        """
        markup = """
        <html>
            <input type="button" onClick="XXX - PAYLOAD">
        </html>
        """
        probe = "PAYLOAD"

        ctx = get_context(markup, probe)[0]

        self.assertIsInstance(ctx, HtmlAttrDoubleQuote)
        self.assertFalse(ctx.can_break())
        self.assertTrue(ctx.is_executable())
 def test_payload_with_space_equal_src_executable(self):
     """
     The page holds the decoded form of the probe ("5vrws =") in a frame
     src, while the lookup uses its URL-encoded form ('5vrws%20%3D'), so
     get_context must find no context at all.

     Related with:
         https://github.com/andresriancho/w3af/issues/1557
         https://github.com/andresriancho/w3af/issues/2919
     """
     markup = """
     <html>
         <frame src="5vrws =">
     </html>
     """
     encoded_probe = '5vrws%20%3D'
     found = get_context(markup, encoded_probe)
     self.assertEqual(found, [])
 def test_payload_script_single_quote(self):
     """
     Quote-free payload inside a single-quoted JS string literal within a
     <script> block. Expect ScriptText, and can_break() must be false since
     the payload carries nothing that closes the string.
     """
     probe = 'PAYLOAD'
     markup = """
     <html>
         <script type="text/javascript">//<!--
             init({login:'',foo:'PAYLOAD'})
         </script>
     </html>
     """
     found = get_context(markup, probe)
     first = found[0]
     self.assertIsInstance(first, ScriptText)
     self.assertFalse(first.can_break())
    def test_payload_onclick_payload_separated_with_semicolon(self):
        """
        Payload standing as its own statement (between semicolons) in an
        onclick handler. The double-quoted attribute context is executable
        but, with no quote in the payload, not breakable.
        """
        probe = 'PAYLOAD'
        markup = """
        <html>
            <input type="button" onclick="foo();PAYLOAD;bar()">
        </html>
        """

        found = get_context(markup, probe)
        first = found[0]

        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertTrue(first.is_executable())
        self.assertFalse(first.can_break())
 def test_payload_style_single_quote_no_break(self):
     """
     Counterpart of the style break case: the payload's double quote is
     backslash-escaped before rendering into the CSS string, so the
     unescaped probe is absent and no context may be reported.
     """
     probe = 'PAYLOAD":('
     markup = """
     <html>
         <style>
             font-family: Georgia, "Times New Roman %s";
         </style>
     </html>
     """
     # Render with \" in place of " but still search for the raw probe.
     escaped = probe.replace('"', '\\"')
     found = get_context(markup % escaped, probe)
     self.assertEqual(len(found), 0)
 def test_payload_script_single_quote_can_break(self):
     """
     Payload containing a single quote placed inside a single-quoted JS
     string literal within <script>. Expect ScriptText with can_break()
     true.
     """
     markup = """
     <html>
         <script>
             init({login:'',foo:'PAYLOAD'BREAK'})
         </script>
     </html>
     """
     probe = "PAYLOAD'BREAK"
     ctx = get_context(markup, probe)[0]
     self.assertIsInstance(ctx, ScriptText)
     self.assertTrue(ctx.can_break())
 def test_payload_style_single_quote_no_break(self):
     """
     Backslash-escape the payload's double quote before rendering it into a
     quoted CSS font-family value; the raw probe then does not occur in the
     page and get_context must return an empty result.
     """
     markup = """
     <html>
         <style>
             font-family: Georgia, "Times New Roman %s";
         </style>
     </html>
     """
     probe = 'PAYLOAD":('
     rendered = markup % probe.replace('"', '\\"')
     found = get_context(rendered, probe)
     self.assertEqual(len(found), 0)
 def test_payload_style_single_quote_break(self):
     """
     Unescaped double quote in the payload, rendered into a quoted CSS
     font-family value inside <style>: expect a breakable CSSText context.
     """
     markup = """
     <html>
         <style>
             font-family: Georgia, "Times New Roman %s";
         </style>
     </html>
     """
     probe = 'PAYLOAD":('
     found = get_context(markup % probe, probe)
     first = found[0]
     self.assertIsInstance(first, CSSText)
     self.assertTrue(first.can_break())
 def test_payload_with_space_equal_not_executable_attr(self):
     """
     Payload as the whole value of an arbitrary (non-handler, non-URL)
     attribute named "bar" on a <frame>; the context found must not be
     reported as executable.

     Related with:
         https://github.com/andresriancho/w3af/issues/1557
         https://github.com/andresriancho/w3af/issues/2919
     """
     probe = 'PAYLOAD'
     markup = """
     <html>
         <frame bar="PAYLOAD">
     </html>
     """
     found = get_context(markup, probe)
     self.assertFalse(found[0].is_executable())
    def test_payload_onclick_payload_between_double_quotes(self):
        """
        Payload with a single quote as the sole content of a single-quoted
        JS string inside a double-quoted onClick attribute. Exactly one
        context is expected: HtmlAttrDoubleQuote, breakable.
        """
        markup = """
        <html>
            <input type="button" onClick="foo('PAYLOAD'BREAK')">
        </html>
        """
        probe = "PAYLOAD'BREAK"

        found = get_context(markup, probe)
        # Pass the list as the failure message so a surplus context is visible.
        self.assertEqual(len(found), 1, found)
        first = found[0]

        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertTrue(first.can_break())
    def test_payload_js_doublequote(self):
        """
        Quote-free payload forming the entire onClick value. Exactly one
        context is expected: the double-quoted attribute, executable but not
        breakable.
        """
        probe = 'PAYLOAD'
        markup = """
        <html>
            <input type="button" value="ClickMe" onClick="PAYLOAD">
        </html>
        """
        found = get_context(markup, probe)

        # The list doubles as the assertion message for easier diagnosis.
        self.assertEqual(len(found), 1, found)
        first = found[0]

        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertTrue(first.is_executable())
        self.assertFalse(first.can_break())
 def test_style_comment_1(self):
     """
     Payload containing a CSS comment terminator (*/) rendered inside a
     /* ... */ comment within <style>. Expect a CSSText context that
     reports can_break().
     """
     probe = 'PAYLOAD*/:('
     markup = """
     <html>
         <head>
             <style>
             /*
             Hello %s world
              * */
             </style>
         </head>
     </html>
     """
     rendered = markup % probe
     ctx = get_context(rendered, probe)[0]
     self.assertIsInstance(ctx, CSSText)
     self.assertTrue(ctx.can_break())
 def test_style_comment_1(self):
     """
     Payload holding */ inside a CSS block comment in <style>: the first
     context must be CSSText and must be breakable.
     """
     markup = """
     <html>
         <head>
             <style>
             /*
             Hello %s world
              * */
             </style>
         </head>
     </html>
     """
     probe = 'PAYLOAD*/:('
     found = get_context(markup % probe, probe)
     first = found[0]
     self.assertIsInstance(first, CSSText)
     self.assertTrue(first.can_break())
    def test_payload_onclick_payload_no_quotes(self):
        """
        Payload passed as a bare argument to foo() in an onClick handler, with
        no string delimiter around it.

        In this case I'm already running code, if I would send alert(1) as
        payload it would be run, so no need to escape from any string
        delimiter such as " or '. Hence: HtmlAttrDoubleQuote, executable,
        not breakable.
        """
        probe = 'PAYLOAD'
        markup = """
        <html>
            <input type="button" onClick="foo(PAYLOAD)">
        </html>
        """
        found = get_context(markup, probe)
        first = found[0]

        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertTrue(first.is_executable())
        self.assertFalse(first.can_break())
    def test_payload_wavsep_case17_frame_src(self):
        """
        WAVSEP case 17: a double-quote-bearing payload inside a double-quoted
        JS string, itself inside a single-quoted javascript: frame src. The
        first context must be HtmlAttrSingleQuote and breakable.

        :see: http://127.0.0.1:8098/active/Reflected-XSS/
                                   /RXSS-Detection-Evaluation-GET/
                                   Case17-Js2PropertyJsScopeDoubleQuoteDelimiter
                                   .jsp?userinput=dav%22id
        """
        probe = 'PAYLOAD"BREAK'
        markup = """
        <html>
            <frame name='frame2' id='frame2'
                   src='javascript:var name="PAYLOAD"BREAK"; alert(name);'>
        </html>
        """
        ctx = get_context(markup, probe)[0]

        self.assertIsInstance(ctx, HtmlAttrSingleQuote)
        self.assertTrue(ctx.can_break())
    def test_payload_javascript_value(self):
        """
        Regression test for the false positive reported at
        https://github.com/andresriancho/w3af/issues/13359

        A colon-separated payload in a text input's value attribute is a
        plain double-quoted attribute context: neither executable nor
        breakable.

        :return: Should not find a XSS
        """
        markup = """
        <html>
            <form>
                <input type="text" name="test" value="%s">
                <input type="submit">
            </form>
        </html>
        """
        probe = 'PAYLOAD:PAYLOAD'
        found = get_context(markup % probe, probe)
        first = found[0]
        self.assertIsInstance(first, HtmlAttrDoubleQuote)
        self.assertFalse(first.is_executable())
        self.assertFalse(first.can_break())