<?php

// Shared smoketest helpers; escapeHTML() used further down is expected to
// be provided by this file (it is not defined here).
require_once 'common.php';
/**
 * Render an attack vector (or purifier output) as escaped, readable HTML for
 * the <pre> cells of the results table.
 *
 * Steps, in order:
 *   1. hard-wrap at 28 characters, breaking long words, using " »\n" so each
 *      forced break is visibly marked;
 *   2. swap NUL bytes for the visible placeholder "\0(null)" so they survive
 *      escaping and show up in the browser;
 *   3. escape the whole thing with escapeHTML();
 *   4. wrap the placeholders in markup: real tab characters become a bold
 *      "\t", the » wrap marker gets the .linebreak class, and the NUL
 *      placeholder becomes a bold "\0".
 *
 * Step 4 runs after escaping, so it relies on escapeHTML() leaving the »
 * character untouched (it is not an HTML special character).
 *
 * @param string $string raw code to display (SimpleXMLElement is coerced)
 * @return string HTML fragment safe to echo inside <pre>
 */
function formatCode($string)
{
    $wrapped = wordwrap($string, 28, " »\n", true);
    $marked  = str_replace("\0", '\0(null)', $wrapped);
    $escaped = escapeHTML($marked);

    // Sequential replacement: tab (the real character), then the wrap
    // marker, then the NUL placeholder. The replacement for the tab is the
    // literal two characters backslash-t, not a tab.
    $search  = array("\t", '»', '\0(null)');
    $replace = array(
        '<strong>\t</strong>',
        '<span class="linebreak">»</span>',
        '<strong>\0</strong>',
    );

    return str_replace($search, $replace, $escaped);
}
19 ?><!DOCTYPE html
20 PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
21 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
22 <html>
23 <head>
24 <title>HTML Purifier XSS Attacks Smoketest</title>
25 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
26 <style type="text/css">
27 .scroll {overflow:auto; width:100%;}
28 .even {background:#EAEAEA;}
29 thead th {border-bottom:1px solid #000;}
30 pre strong {color:#00C;}
31 pre .linebreak {color:#AAA;font-weight:100;}
32 </style>
33 </head>
34 <body>
35 <h1>HTML Purifier XSS Attacks Smoketest</h1>
36 <p>XSS attacks are from
37 <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
38 <p><strong>Caveats:</strong>
39 <tt>Google.com</tt> has been programmatically disallowed, but as you can
40 see, there are ways of getting around that, so coverage in this area
41 is not complete. Most XSS broadcasts its presence by spawning an alert dialogue.
42 The displayed code is not strictly correct, as linebreaks have been forced for
43 readability. Linewraps have been marked with <tt>»</tt>. Some tests are
44 omitted for your convenience. Not all control characters are displayed.</p>
46 <h2>Test</h2>
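<?php

if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');

// The vectors are read from a fixed, relative path next to this script, not
// from request input. simplexml_load_file() returns false on failure, and
// iterating false below would only produce a warning and an empty table, so
// stop here with a readable message instead.
$xml = simplexml_load_file('xssAttacks.xml');
if ($xml === false) exit('<p>Could not load xssAttacks.xml.</p>');

// programmatically disallow google.com for URI evasion tests
// not complete
$config = HTMLPurifier_Config::createDefault();
$config->set('URI.HostBlacklist', array('google.com'));
$purifier = new HTMLPurifier($config);

?>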
60 <table cellspacing="0" cellpadding="2">
61 <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
62 <tbody>
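<?php

// $i is the row counter that drives the even/odd striping in the <tr> below;
// nothing else may write to it.
$i = 0;
foreach ($xml->attack as $attack) {
    // Cast once so the comparisons below are plain string comparisons.
    $code = (string) $attack->code;
    $name = (string) $attack->name;

    // custom code for null byte injection tests: the vector is wrapped in a
    // perl one-liner, so extract the double-quoted payload and turn the
    // literal "\0" escapes into real NUL bytes. The original code assigned the
    // quote offset to $i, which clobbered the row counter; use a local instead.
    if (substr($code, 0, 7) === 'perl -e') {
        $start = strpos($code, '"') + 1;
        $code = substr($code, $start, strrpos($code, '"') - $start);
        $code = str_replace('\0', "\0", $code);
    }

    // disable vectors we cannot test in any meaningful way
    if ($code === 'See Below') continue; // event handlers, whitelist defeats
    if ($name === 'OBJECT w/Flash 2') continue; // requires ActionScript
    if ($name === 'IMG Embedded commands 2') continue; // is an HTTP response

    // custom code for US-ASCII, which couldn't be expressed in XML without encoding
    if ($name === 'US-ASCII encoding') $code = urldecode($code);

?>
    <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>>
        <td><?php echo escapeHTML($name); ?></td>
        <td><pre><?php echo formatCode($code); ?></pre></td>
        <?php $pure_html = $purifier->purify($code); ?>
        <td><pre><?php echo formatCode($pure_html); ?></pre></td>
        <?php // Render column: the purifier's output is deliberately echoed
              // unescaped so a vector that survives purification is visible
              // as a live effect; the raw vector itself is only ever shown
              // through formatCode(). ?>
        <td><div class="scroll"><?php echo $pure_html ?></div></td>
    </tr>
<?php
}

?>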
94 </tbody>
95 </table>
96 </body>
97 </html>
98 <?php
100 // vim: et sw=4 sts=4