By Brute Logic
Research & Development in Offensive Security.

KNOXSS Coverage

This list is not exhaustive, since several of the cases below exist in further variations, but these are the XSS cases currently covered by the KNOXSS v3.2 series:

Source-Based XSS Test Cases

Single Reflection Using QUERY of URL

Case 01 - HTML Injection (a)
Case 02 - HTML Injection Inline with Double Quotes (b1)
Case 03 - HTML Injection Inline with Single Quotes (b2)
Case 04 - HTML Injection Inline with Double Quotes: No Tag Breaking (b3)
Case 05 - HTML Injection Inline with Single Quotes: No Tag Breaking (b4)
Case 06 - HTML Injection with Single Quotes in JS Block (c1)
Case 07 - HTML Injection with Double Quotes in JS Block (c2)
Case 08 - JS Injection with Single Quotes (c3)
Case 09 - JS Injection with Double Quotes (c4)
Case 10 - Escaped JS Injection with Single Quotes (c5)
Case 11 - Escaped JS Injection with Double Quotes (c6)
Case 12 - JS Injection In Event Handler (No Handler Breaking)
Case 13 - JS Injection in Fully Validated Anchor (Href)
Case 14 - XML Injection with CDATA and Comment Breakout (p, q & r)

Single Reflection Using PATH of URL ("friendly URLs")

Case 01 - HTML Injection Inline PHP_SELF
Case 02 - HTML Injection 1 Level Deep
Case 03 - HTML Injection 2 Levels Deep
Case 04 - HTML Injection 3 Levels Deep
Case 05 - HTML Injection in Script Block 1 Level Deep
Case 06 - HTML Injection in Script Block 2 Levels Deep
Case 07 - HTML Injection in Script Block 3 Levels Deep
Case 08 - JS Injection in Script Block 1 Level Deep
Case 09 - JS Injection in Script Block 2 Levels Deep
Case 10 - JS Injection in Script Block 3 Levels Deep

Multi Reflection

Case 01 - Double Injection in HTML Context with Double Quotes
Case 02 - Double Injection in Mixed Context (HTML + JS) with Default Quotes
Case 03 - Quoteless Inline Double Injection in JS variables
Case 04 - Quoteless Inline Double Injection in JS object
Case 05 - Quoteless Inline Double Injection in JS object with Nested Array
Case 06 - Quoteless Inline Double Injection in JS object with Nested Function
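The source-based query cases above and the Multi Reflection cases are all decided by two questions about each reflection: which syntactic context it lands in (text node, quoted attribute, quoted JS string, bare JS) and which break-out characters survive. The classifier below, an added example that is not KNOXSS code, answers both for every reflection of a marker in a response body. The marker "kxss", the probe characters and the case labels are assumptions chosen to mirror the case groups listed above; it also reports unquoted attributes and template literals, which the list above does not name. Sample responses are constructed, not captured from a real target.

```python
import re

MARKER = "kxss"                        # hypothetical marker used to locate each reflection
SPECIALS = ["'", '"', "<", ">", "\\"]  # break-out characters sent right after the marker
PROBE = MARKER + "".join(SPECIALS)     # value sent in the parameter: kxss'"<>\

# Encoded forms each special may come back as (HTML entities and JSON \u escapes).
ENCODED = {
    "'": ("&#39;", "&#039;", "&apos;", "\\u0027"),
    '"': ("&quot;", "&#34;", "\\u0022"),
    "<": ("&lt;", "\\u003c", "\\u003C"),
    ">": ("&gt;", "\\u003e", "\\u003E"),
    "\\": ("\\u005c", "\\u005C"),
}
SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.I)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.I)

def _survival(after):
    """Consume the text after the marker in probe order and record how each special
    came back: raw, escaped (backslash before it), doubled (for the backslash itself),
    encoded, or gone (stripped; the cursor does not advance)."""
    state, i = {}, 0
    for ch in SPECIALS:
        forms = [("doubled", "\\\\")] if ch == "\\" else [("escaped", "\\" + ch)]
        forms.append(("raw", ch))
        forms += [("encoded", e) for e in ENCODED[ch]]
        for name, form in forms:
            if after.startswith(form, i):
                state[ch] = name
                i += len(form)
                break
        else:
            state[ch] = "gone"
    return state

def _in_script(body, pos):
    """Offset where the enclosing <script> body starts, or None when pos is in markup."""
    opens = [m.end() for m in SCRIPT_OPEN.finditer(body, 0, pos)]
    if not opens or SCRIPT_CLOSE.search(body, opens[-1], pos):
        return None
    return opens[-1]

def _js_quote_state(code):
    """Quote char of the JS string literal still open at the end of code, else None.
    Simplification: comments, regex literals and template substitutions are ignored."""
    q, i = None, 0
    while i < len(code):
        c = code[i]
        if q:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == q:
                q = None
        elif c in "'\"`":
            q = c
        i += 1
    return q

def _tag_quote_state(body, pos):
    """None when pos is in a text node; otherwise the attribute quote char or 'unquoted'."""
    lt, gt = body.rfind("<", 0, pos), body.rfind(">", 0, pos)
    if lt == -1 or gt > lt:
        return None
    q = None
    for c in body[lt:pos]:
        if q:
            if c == q:
                q = None
        elif c in "'\"":
            q = c
    return q or "unquoted"

def _label(context, s):
    """Map context plus surviving characters onto the case letters used in the list above."""
    raw = {c for c, v in s.items() if v == "raw"}
    if context == "html":
        return "a: HTML injection" if "<" in raw else "no break-out"
    if context in ("attr_dq", "attr_sq"):
        quote = '"' if context == "attr_dq" else "'"
        if quote not in raw:
            return "no break-out"
        return ("b1/b2: attribute break-out with tag breaking" if "<" in raw
                else "b3/b4: attribute break-out, no tag breaking")
    if context in ("js_sq", "js_dq"):
        quote = "'" if context == "js_sq" else '"'
        if quote in raw:
            return "c3/c4: JS string break-out"
        if s[quote] == "escaped" and s["\\"] == "raw":
            return "c5/c6: escaped quote with live backslash"
        if "<" in raw:
            return "c1/c2: HTML injection via </script> in JS block"
        return "no break-out"
    if context == "js_raw":
        return "quoteless JS reflection (Multi Reflection cases 03-06)"
    return "outside the listed cases: " + context

def classify(body, marker=MARKER):
    """Classify every reflection of marker in an HTTP response body."""
    findings = []
    for m in re.finditer(re.escape(marker), body):
        pos = m.start()
        surv = _survival(body[m.end():m.end() + 48])
        start = _in_script(body, pos)
        if start is not None:
            q = _js_quote_state(body[start:pos])
            context = {"'": "js_sq", '"': "js_dq", "`": "js_template"}.get(q, "js_raw")
        else:
            q = _tag_quote_state(body, pos)
            context = {None: "html", "'": "attr_sq", '"': "attr_dq"}.get(q, "attr_unquoted")
        findings.append({"offset": pos, "context": context, "survival": surv,
                         "case": _label(context, surv)})
    return findings

# Constructed sample responses, one per case family (not captured from any real target).
SAMPLES = {
    "text_node": "<p>Hello kxss'\"<>\\</p>",
    "attr_no_tag_break": "<input value=\"kxss'\"&lt;&gt;\\\">",
    "js_escaped_quotes": "<script>var u = 'kxss\\'\\\"<>\\';</script>",
    "multi": "<div title='kxss&#39;&quot;<>\\'></div><script>x = kxss'\"<>\\;</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for f in classify(body):
            print(f"{name:18} @{f['offset']:<3} {f['context']:8} {f['case']}")
```

The probe order matters: the backslash is sent last so that a quote-only escaper (which turns ' into \' but leaves \ alone) is told apart from addslashes-style escaping (which doubles the backslash), which is exactly the difference between the escaped JS injection cases and a dead reflection.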

Special Cases

Case 01 - HTML Injection with Double Encoded Bypass
Case 02 - HTML Injection with SQLi Error-Based *
Case 03 - HTML Injection with PHP FILTER_VALIDATE_EMAIL Bypass
Case 04 - HTML Injection with Strict-Length Input (32, 40 and 64 chars)
Case 05 - HTML Injection with Strip-based Bypass (AFB)
Case 06 - HTML Injection with Spell Checking Bypass
Case 07 - HTML Injection with Base64 Encoded Input
Case 08 - HTML Injection with Parameter Guessing
Case 09 - HTML Injection in Parameter Name
Case 10 - Multi Context Injection with Bypass on Alpha-based Filter and JSON Encode Function (2 Different Entry Points)
Case 11 - HTML Injection with CRLF in HTTP Header (Content-Type Replacement)
Case 12 - HTML Injection with Byte Fallback (WAF Bypass in Java)

DOM-based XSS Test Cases

Case 01 - DOM Injection via URL Parameter (Document Sink)
Case 02 - DOM Injection via Open Redirection (Location Sink)
Case 03 - DOM Injection via URL Parameter (Execution Sink)
Case 04 - DOM Injection via AJAX in URL Fragment (Document Sink)
Case 05 - DOM Injection via AngularJS Library versions 1.6.0+
Case 06 - DOM Injection via Bootstrap Library versions 4.0.0, 4.1.0 and 4.1.1

Hybrid XSS (Source + DOM) Test Cases

Case 01 - JS Injection Sanitized in Source
Case 02 - JS Injection with Single Quotes Fixing ReferenceError - Object Hoisting (also with Double Quotes and Escaped variations)
Case 03 - JS Injection with Single Quotes Fixing ReferenceError - Hoisting Override (also with Double Quotes and Escaped variations, inline and multiline)

CSP Bypass Test Cases

Case 01 - CSP Bypass with Unsafe Inline Directive
Case 02 - CSP Bypass with Base URI Against Nonce-based Scripts
Case 03 - CSP Bypass with Data URI Directive
Case 04 - CSP Bypass with Whitelisted JSONP Endpoint (googleapis.com)
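Each of the four CSP bypass cases above corresponds to a recognisable weakness in the header itself, so they can be checked before any payload is sent. The checker below is an added example, not KNOXSS code; the finding names, the JSONP host list and the three sample policies are assumptions. It also encodes two caveats a reviewer should apply: 'unsafe-inline' is ignored by browsers once a nonce or hash is present, and scheme and host allowlists (so the data: and JSONP cases) are ignored once 'strict-dynamic' is present. base-uri does not fall back to default-src, which is why the nonce case checks for the directive's absence outright.

```python
import re

JSONP_HOSTS = ("googleapis.com",)   # allowlisted hosts known to expose JSONP; extend as needed

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}.
    Duplicate directives keep the first occurrence, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _host(source):
    """Bare host of a host-source such as https://*.googleapis.com/ajax/ (None for keywords
    and scheme-sources). A leading wildcard label is dropped so *.x.com matches x.com."""
    if source.startswith("'") or source.endswith(":"):
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source.lower()).split("/")[0]
    host = host.split(":")[0]           # drop a port
    return host[2:] if host.startswith("*.") else host

def csp_findings(header):
    """Return the list of bypass cases the policy is exposed to, in case order."""
    p = parse_csp(header)
    src = p.get("script-src", p.get("default-src", []))
    src_l = [s.lower() for s in src]
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in src_l)
    strict_dynamic = "'strict-dynamic'" in src_l
    findings = []
    # Case 01: inline scripts and handlers run, unless a nonce or hash cancels the keyword.
    if "'unsafe-inline'" in src_l and not nonce_or_hash:
        findings.append("case01_unsafe_inline")
    # Case 02: nonced scripts loaded by relative URL can be retargeted with an injected
    # <base href> when base-uri is not restricted.
    if nonce_or_hash and "base-uri" not in p:
        findings.append("case02_base_uri_missing")
    # Cases 03/04: scheme and host allowlists only count without 'strict-dynamic'.
    if not strict_dynamic:
        if "data:" in src_l:
            findings.append("case03_data_uri")
        for s in src:
            h = _host(s)
            if h and any(h == j or h.endswith("." + j) for j in JSONP_HOSTS):
                findings.append("case04_jsonp_allowlist:" + h)
    return findings

# Constructed sample policies: a weak one, a nonce policy missing base-uri, and a hardened one.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' data: https://ajax.googleapis.com"
NONCE_NO_BASE = "script-src 'nonce-d2Vhaw' 'strict-dynamic'; object-src 'none'"
HARDENED = "script-src 'nonce-d2Vhaw' 'strict-dynamic'; base-uri 'none'; object-src 'none'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("nonce-no-base", NONCE_NO_BASE), ("hardened", HARDENED)):
        print(name, csp_findings(header))
```

Run it against the Content-Security-Policy header of a response (the Content-Security-Policy-Report-Only variant enforces nothing and should be treated as absent). A policy that comes back with an empty list is not proven safe; it only lacks the four weaknesses the list above names.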

Stored XSS Test Cases

Case 01 - HTML Injection via Cached Header Reflection (Varnish)

Authenticated XSS Test Cases

Case 01 - HTML Injection in Cookie-Based Authenticated Page

Blind XSS Test Case

Directions for Testing

1. Feed KNOXSS with the following page to drop your Blind XSS payload.

Stored Text - Attacker's Input

2. Open the victim's page, simulating the victim's access. An email with the report will arrive in your inbox.

Stored Text - Victim's Triggering