img src=1 onerror=alert(1)11
TRANSCRIPT
---------------TEST CASE 00------------- // FAILED
// location.hash is copied into b, but b is then reassigned the constant "1" before eval(b), so the tainted value never reaches the sink.
// The transcript records FAILED: the analyzer still flagged the eval (a false positive on a killed flow).
var a = location.hash;b = a;b = "1";eval(b); // <---- SHOULD NOT BE RED
---------------TEST CASE 01------------- // PASS
// Straight-line flow: the URL fragment after "#" is concatenated into document.write() with no encoding.
var param = location.hash.split("#")[1];document.write("Hello " + param + "!");
---------------TEST CASE 02------------- // PASS
// Flow through a call: fire() reads the fragment and passes it to timedMsg(); eval('callback') yields the value of the callback parameter,
// which is handed to setTimeout. A string passed to setTimeout is evaluated as code, so the fragment reaches a code-execution sink.
function timedMsg(callback){if(callback){var t=setTimeout(eval('callback'),3000);return 0;}}function fire(){var call = location.hash.split("#")[1];timedMsg(call);}
---------------TEST CASE 02B------------ // PASS
// Same flow as case 02, but timedMsg is invoked through the alias `check`, so the analyzer must follow the function-value assignment.
function timedMsg(callback){if(callback){var t=setTimeout(eval('callback'),3000);return 0;}}function fire(){var call = location.hash.split("#")[1];
var check=timedMsg;check(call);}
---------------TEST CASE 02C------------ // PASS
// Two-parameter variant: only the second parameter reaches eval('callback') / setTimeout; abc is never read.
function timedMsg(abc,callback){
if(callback){
var t=setTimeout(eval('callback'),3000);
return 0;
}}
// Note: the call passes the string literal "call", not the local variable `call` that holds the fragment,
// so no tainted value is forwarded into timedMsg here. The transcript records PASS without stating the expected marking.
function fire(){
var call = location.hash.split("#")[1];
timedMsg(12,"call");
}
---------------TEST CASE 02D------------ // PASS
// Two-parameter variant (as in 02C): the second parameter is what reaches eval('callback') / setTimeout.
function timedMsg(abc,callback){
if(callback){
var t=setTimeout(eval('callback'),3000);
return 0;
}}
// Alias plus argument position: timedMsg is called via `check`, with the tainted `call` in the second parameter slot.
function fire(){
var call = location.hash.split("#")[1];
var check=timedMsg;
check("123",call);
}
---------------TEST CASE 03------------- // PASS
// Navigation sink: the fragment is used directly as the target of document.location.replace() (URL-controlled redirect).
function go(){if (document.location.hash.split("#")[1]){document.location.replace(document.location.hash.split("#")[1]);}}
---------------TEST CASE 04------------- // PASS
// HTML sink: the fragment is assigned to innerHTML of a freshly created div, which is then attached to document.body.
var param = document.location.hash.split("#")[1];if (param){var d = document.createElement('div');d.innerHTML = param;if (document.body != null){document.body.appendChild(d);}}
---------------TEST CASE 05------------- // PASS
// Attribute sink: the fragment becomes the href of the element with id 'anchor' via setAttribute.
var redir = location.hash.split("#")[1];x = document.getElementById('anchor');x.setAttribute('href',redir);
---------------TEST CASE 06------------- // PASS
// Attribute sink: the fragment becomes the src of the first iframe in the document.
function reload() {var redir = location.hash.split("#")[1];if (redir){x = document.getElementsByTagName('iframe');x[0].setAttribute('src',redir);}}
---------------TEST CASE 07------------- // PASS
// HTML sink through implicit globals: param and node are assigned without var, then the fragment is written to innerHTML of 'mydiv'.
param = location.hash.split("#")[1];node = document.getElementById('mydiv');node.innerHTML=param;
---------------TEST CASE 08------------- // PASS
// Aliasing of the source object: location is copied to loc, and loc.href (the whole URL, not just the fragment) is passed to eval.
var doc=document;
var loc=location;
var url=loc.href;
eval(url);
---------------TEST CASE 09------------- // PASS
// Scoping check: `var loc` is local to simple() and never read, so the tainted value does not escape this function.
function simple(){
var loc=location.hash;
}
// The `loc` used here is a different (global) binding from the one declared inside simple(); there is no real flow from the hash to this sink.
div.innerHTML=loc;
---------------TEST CASE 10A------------- // PASS
// Method return through `this`: obj.url holds location and fantasy() returns this.url, so both eval() and innerHTML receive the location value.
var obj = {
url: location,
fantasy: function() {
return this.url;
}
};
eval(obj.fantasy());
div.innerHTML=obj.fantasy();
---------------TEST CASE 10B------------- // PASSED
// eval(obj.fantasy) passes the function object itself (it is never called), so no tainted value reaches eval;
// obj.fantasy() on the following line does call it and returns this.url.
var obj = {
url: location,
fantasy: function() {
return this.url;
}
};
eval(obj.fantasy); // <----- SHOULD NOT BE RED
div.innerHTML=obj.fantasy(); // <---- SHOULD BE RED
---------------TEST CASE 11A------------- // PASSED
// Object holding the source in `url`; `fruit` is filled in later with a function that reads this.url.
var obj = {
url: location,
fruit: null
};
// Returns this.url; which object `this` is depends on the call site (obj.fruit() below binds it to obj).
function loc() {
return this.url;
}
// Method attached after construction: obj.fruit() now returns obj.url (location), which flows to eval and innerHTML.
obj.fruit = loc;
eval(obj.fruit());
div.innerHTML=obj.fruit();
---------------TEST CASE 11B------------- // PASSED
// Object holding the source in `url`; `fruit` is assigned below.
var obj = {
url: location,
fruit: null
};
// Returns this.url for whatever object it is invoked on.
function loc() {
return this.url;
}
// eval(obj.fruit) receives the function value, not its result (no tainted data); obj.fruit() on the next line returns obj.url.
obj.fruit = loc;
eval(obj.fruit); // <----- SHOULD NOT BE RED
div.innerHTML=obj.fruit(); // <----- SHOULD BE RED
---------------TEST CASE 12------------- // PASS
// Sink aliased as an object property (oracle.eagle is eval) and source aliased as a plain variable (bond is location).
var oracle = {eagle: eval};
var bond=location;
oracle.eagle(bond);
---------------TEST CASE 13A------------- // PASS
// Identity function: returns its argument unchanged, so taint on the argument is taint on the result.
function xyz(asia){
return asia;
}
// The hash is passed through xyz() and its return value is written to innerHTML.
mango = location.hash;
div.innerHTML=xyz(mango);
---------------TEST CASE 13B------------- //PASSED
// Identity function used to propagate taint through a call.
function xyz(asia){
return asia;
}
// As 13A, but xyz is reached through the alias yy; the annotations are the transcript's expected colours for the alias and the sink.
mango = location.hash;
yy = xyz; // <---- SHOULD BE PINK
div.innerHTML=yy(mango); // <---- SHOULD BE RED
---------------TEST CASE 13C------------- // PASS
// Two-parameter identity: returns only the second argument; abc is ignored.
function xyz(abc,asia){
return asia;
}
// The tainted value is in the second argument position; the analyzer must map it to the returned parameter.
mango = location.hash;
div.innerHTML=xyz("123",mango);
---------------TEST CASE 13D------------- //PASSED
// Two-parameter identity: returns only the second argument.
function xyz(abc,asia){
return asia;
}
// Alias (yy) plus second-argument position combined.
mango = location.hash;
var yy = xyz; // <---- SHOULD BE PINK
div.innerHTML=yy("123",mango); // <---- SHOULD BE RED
---------------TEST CASE 14------------- // PASS
// Source: the full URL stored in an implicit global.
yahoo=location.href;
// Sink wrapper: evaluates whatever string it is given.
function run(disco){
eval(disco);
}
// Direct call of the sink wrapper with the tainted URL.
run(yahoo);
---------------TEST CASE 14B------------ // PASS
// Source: the full URL stored in an implicit global.
yahoo=location.href;
// Sink wrapper: evaluates its argument.
function run(disco){
eval(disco);
}
// Two-step alias chain (run -> x -> z) before the call; the analyzer must resolve z back to run.
x=run;
z=x;
z(yahoo);
---------------TEST CASE 15------------- // PASS
// eval stored as a property. The first call evaluates the constant string "location.hash" (a read, not tainted input);
// the second passes the tainted value of location.hash itself.
var asia = {
europe: eval
}
asia.europe("location.hash");
asia.europe(location.hash);
---------------TEST CASE 15B------------- // PASS
// Alias chain for the sink (asia.europe -> xy -> pqr). pqr is called with a constant string; asia.europe is called with the tainted location.href.
var asia = {
europe: eval
}
var xy=asia.europe;
pqr=xy;
pqr("location.hash");
asia.europe(location.href);
---------------TEST CASE 16------------- // PASS
// Both sink and source aliased through implicit globals before the call.
eval_alias=eval;
loc=location;
eval_alias(loc);
---------------TEST CASE 17------------- // PASS
// Reads (does not write) innerHTML of the given object; returns undefined when the own property is absent.
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerHTML;
}
// mango first receives a DOM read, then is overwritten with location.hash; the tainted value reaches no sink in this case.
yahoo=document.getElementsByTagName('div')[0];
mango=apple(yahoo);
mango=location.hash;
---------------TEST CASE 17B------------ // PASS
// Reads innerHTML of the given object (a read, not a sink).
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerHTML;
}
// The hash is concatenated into mango, but mango is not written to any sink afterwards.
yahoo=document.getElementsByTagName('div');
mango=apple(yahoo[0]);
url = location.hash;
mango = "Hello" + url + "!";
---------------TEST CASE 17C------------ // PASS
// The first parameter is coerced to a string and discarded; innerHTML is read from the second parameter.
function apple(fruit,cake){
fruit+="";
if(cake.hasOwnProperty('innerHTML'))
return cake.innerHTML;
}
// The element is passed in the second slot; mango is later overwritten with location.hash and never written to a sink.
yahoo=document.getElementsByTagName('div')[0];
berry="123";
mango=apple(berry,yahoo);
mango=location.hash;
---------------TEST CASE 17C------------ // FAILED
// Here the element itself is coerced to a string, so hasOwnProperty('innerHTML') is false and the function returns undefined.
function apple(fruit,cake){
cake+=""; // <---- SOURCE CONVERTED TO STRING
if(cake.hasOwnProperty('innerHTML'))
return cake.innerHTML; // <--- STRING HAS NO innerHTML PROPERTY
}
// The transcript records FAILED: the final assignment stores location.hash without any sink, yet the analyzer marked it.
yahoo=document.getElementsByTagName('div')[0];
berry=123;
mango=apple(berry,yahoo);
mango=location.hash; // <---- SHOULD NOT BE RED
---------------TEST CASE 17D------------ // PASS (KNOWN FALSE POSITIVE)
// Returns innerText when the object has an own innerHTML property, otherwise innerHTML; both are reads.
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerText;
else
return fruit.innerHTML;
}
// Recorded as PASS with a known false positive: mango holds location.hash at the end but reaches no sink.
yahoo=document.getElementsByTagName('div')[0];
mango=apple(yahoo);
mango=location.hash;
---------------TEST CASE 18A------------- // PASS
// zebra() forwards its argument to this.yahoo, which is eval, so quora.zebra(location.hash) delivers the fragment to eval.
quora = {
zebra: function (apple) {
return this.yahoo(apple); }, yahoo: eval };
quora.zebra(location.hash);
---------------TEST CASE 18B------------- // PASSED
// zebra() stores its argument in this.yahoo, a plain object property that was initialised by *reading* div.innerHTML;
// no DOM write happens here, so the fragment ends up in an ordinary property rather than a sink.
quora = {
zebra: function (apple) {
this.yahoo=apple; },
yahoo: div.innerHTML
};
quora.zebra(location.hash);
---------------TEST CASE 18C------------ // PASS
// The method is extracted (x, y) and called unbound, so at runtime `this` is not quora;
// the case appears to test whether the analyzer still links zebra's this.yahoo to the eval property.
quora = {
zebra: function (apple) {
return this.yahoo(apple);
},
yahoo: eval
};
x=quora.zebra;
y=x;
y(location.hash);
---------------TEST CASE 18D------------ // PASSED
// Same as 18C except zebra does not return the result of this.yahoo(apple).
quora = {
zebra: function (apple) {
this.yahoo(apple);
},
yahoo: eval
};
x=quora.zebra;
y=x;
y(location.hash);
---------------TEST CASE 18E------------ // PASSED
// quora.zebra is overwritten with location.hash, then yahoo() copies this.zebra into this.benz.
// benz was initialised by reading div.innerHTML; the copy writes a plain property, not the DOM.
quora = {
zebra: "text",
yahoo: function () {
this.benz=this.zebra; },
benz: div.innerHTML
};
quora.zebra=location.hash;quora.yahoo();
---------------TEST CASE 18F------------ // PASSED
// As 18E, but yahoo() also returns the assigned value.
quora = {
zebra: "text",
yahoo: function () {
return this.benz=this.zebra; },
benz: div.innerHTML
};
quora.zebra=location.hash;quora.yahoo();
---------------TEST CASE 19------------- // PASS
// Property copy chain: apple.url (location) -> banana -> dodge.eclair, where dodge aliases carrot; the final property value reaches eval.
apple = { url: location };
banana = apple["url"];
carrot = {eclair: 1};
dodge=carrot;
dodge.eclair=banana;
eval(dodge.eclair);
---------------TEST CASE 20------------- // PASS
// Immediately-invoked function: the hash is bound to the parameter disco and evaluated inside.
var url=location.hash;
(function (disco){
eval(disco);
}(url));
---------------TEST CASE 21------------- KNOWN FALSE POSITIVE
// Known false positive: `test` is a plain object, so its `innerHTML` property is just a string field, not an HTML sink.
var test = {
innerHTML: 'hello'
};
test.innerHTML = location.href;
---------------TEST CASE 22A------------- // PASS
// Empty constructor; its prototype is populated below.
function template() { }
// Sink (exec = eval) and source (param = location.hash) both placed on the prototype.
template.prototype = new Object;
template.prototype.exec = eval;
template.prototype.param = location.hash;
// Empty constructor that inherits from template via its prototype.
function clone() { }
// Two-level prototype chain: xy.exec and xy.param are both inherited, and the inherited source is passed to the inherited sink.
clone.prototype = new template;
var xy = new clone();
xy.exec(xy.param);
---------------TEST CASE 22B------------- // PASS
// Empty constructor; its prototype is populated below.
function template() { }
// html is initialised by reading div.innerHTML (a string); param holds location.hash.
template.prototype = new Object;
template.prototype.html = div.innerHTML;
template.prototype.param = location.hash;
// Empty constructor that inherits from template.
function clone() { }
// xy.html = xy.param creates an own property on xy holding the inherited hash; this is a plain property write, not a DOM write.
clone.prototype = new template;
var xy = new clone();
xy.html = xy.param;
===========================yseclabs DOM XSS Test Cases ===========================
---------------TEST CASE 01------------- // PASSED
// Bracket-notation accessor: returns obj.location.
function extract_location(obj) {
return obj['location'];
}
// Bracket-notation accessor: returns obj.hash.
function extract_hash(obj) {
return obj['hash'];
}
// document.location.hash is reached only through the two accessors and an IIFE, then written with document.write.
document.write((function () {
return extract_hash(extract_location(document));
})())
---------------TEST CASE 02------------- // PASS
// String obfuscation: s_rev reversed is 'document.write(document.location.hash)', which eval then executes;
// the source and sink are only visible after evaluating the constant.
var s_rev = ')hsah.noitacol.tnemucod(etirw.tnemucod';
var s_script = s_rev.split("").reverse().join("");
eval(s_script);
---------------TEST CASE 03A------------- // PASSED
// Sanitiser check: the hash is percent-encoded before reaching document.write, so the flow is expected to be treated as safe.
var escaped = encodeURIComponent(document.location.hash); // <--- SHOULD NOT HIGHLIGHT
document.write(escaped);
---------------TEST CASE 03B------------- // PASSED
// decodeURIComponent undoes the encoding at the sink, so the original hash reaches document.write.
var escaped = encodeURIComponent(document.location.hash);
document.write(decodeURIComponent(escaped)); // <---- SHOULD BE RED
---------------TEST CASE 03C------------- // PASSED
// As 03B, with innerHTML as the sink: decoding restores the raw hash before the write.
var escaped = encodeURIComponent(document.location.hash);
div.innerHTML = decodeURIComponent(escaped); // <--- SHOULD BE RED
---------------TEST CASE 04A------------- // PASS
// Calls helpers that are declared further down; function declarations are hoisted, so this works at runtime.
function myfoo() {
return extract_hash(extract_location(document));
}
// Bracket-notation accessor: returns obj.location.
function extract_location(obj) {
return obj['location'];
}
// Bracket-notation accessor: returns obj.hash.
function extract_hash(obj) {
return obj['hash'];
}
// The hash, obtained through myfoo(), is written with document.write.
document.write(myfoo())
---------------TEST CASE 04B------------- //PASSED
// Calls helpers declared below (hoisted).
function myfoo() {
return extract_hash(extract_location(document));
}
// Bracket-notation accessor: returns obj.location.
function extract_location(obj) {
return obj['location'];
}
// Bracket-notation accessor: returns obj.hash.
function extract_hash(obj) {
return obj['hash'];
}
// The hash returned by myfoo() reaches innerHTML through the intermediate global b.
b = myfoo();
div.innerHTML = b;
---------------TEST CASE 05A------------- // PASS
// The hash is coerced to a string, captured by a closure, and returned through an inner IIFE.
function myfoo() {
var x = document.location.hash + '';
return (function () {
return x;
})();
}
// The closure-returned hash is written with document.write.
document.write(myfoo());
---------------TEST CASE 05B------------- // PASSED
// The hash is coerced to a string, captured by a closure, and returned through an inner IIFE.
function myfoo() {
var x = document.location.hash + '';
return (function () {
return x;
})();
}
// The closure-returned hash is assigned to innerHTML.
div.innerHTML = myfoo();
---------------TEST CASE 05C------------- // PASSED
// Returns the hash via a closure; note this binding is replaced before it is ever called (see below).
function myfoo() {
var x = document.location.hash + '';
return (function () {
return x;
})();
}
// Reassignment before the call: myfoo is now alert, so document.write receives alert()'s result, not the hash.
myfoo = alert;
document.write(myfoo());
---------------TEST CASE 06A------------- // PASS
// Returns the hash directly.
function myfoo() {
return document.location.hash;
}
// The hash returned by myfoo() is written with document.write.
document.write(myfoo())
---------------TEST CASE 06B------------- // FAILED
// Returns the hash directly; this binding is replaced before the call below.
function myfoo() {
return document.location.hash;
}
// The transcript records FAILED: myfoo is alert at call time, so no hash reaches innerHTML, yet the analyzer marked the sink.
myfoo = alert;
div.innerHTML = myfoo(); // <---- SHOULD NOT BE RED
---------------TEST CASE 07------------- // PASSED
// Library sanitiser: the hash is HTML-escaped with Y.Escape.html before ln.setHTML(); console.log only echoes the escaped value.
// (The `var ln` line has no terminating semicolon and relies on automatic semicolon insertion.)
YUI({
filter: "raw",
combine: false
}).use("console", "escape", "node", function (Y) {
var ln = Y.one("#last_name")
var last_name = Y.Escape.html(document.location.hash);
console.log("Last Name:" + last_name);
ln.setHTML(last_name);
});
---------------TEST CASE 08------------- // PASS
// Duplicate of case 02: the reversed constant is 'document.write(document.location.hash)', executed via eval.
var s_rev = ')hsah.noitacol.tnemucod(etirw.tnemucod';
var s_script = s_rev.split("").reverse().join("");
eval(s_script);