PARAM: svsq
<script type='text/javascript'> var i = 'Welocome __INPUT__'; //do something with i </script>
PARAM: svdq
<script type="text/javascript"> var i = "Welocome __INPUT__"; //do something with i </script>
PARAM: sac
<script type="text/javascript"> var users = {}; users.__INPUT__oo7 = true; //do something with users array </script>
PARAM: spvc1
<script type="text/javascript"> var users = {attribute: "__INPUT__"}; //do something with users array </script>
PARAM: spvc2
<script type='text/javascript'> var users = {attribute: '__INPUT__'}; //do something with users array </script>
PARAM: spvc3
<script type="text/javascript"> var users = {attribute: __INPUT__7}; //do something with users array </script>
PARAM: ssac1
<script type='text/javascript'> var users = ['one', 'two', '__INPUT__']; //do something with users array </script>
PARAM: ssac2
<script type="text/javascript"> var users = ["one", "two", "__INPUT__"]; //do something with users array </script>
PARAM: ssac3
<script type="text/javascript"> var users = [1, 2, __INPUT__7]; //do something with users array </script>
PARAM: sno1
<script type="text/javascript"> var total = 36; total = total + __INPUT__7; </script>
PARAM: sno2
<script type="text/javascript"> var total = 36; total += __INPUT__7; </script>
PARAM: sc1
<script type="text/javascript"> var total = 36; //__INPUT__; </script>
PARAM: sc2
<script type="text/javascript"> var total = 36; /*__INPUT__*/; </script>
PARAM: sc3
<script type="text/javascript"> var total = 36; /* __INPUT__ */; </script>
PARAM: ta
<textarea rows='1' cols='50'> Your input=__INPUT__ </textarea>
PARAM: ns
This is interesting. Whatever tag you put inside noscript is not executed! (Unless you come out of noscript first: with scripting enabled, browsers parse the contents of noscript as raw text, so an injected tag only takes effect after a closing </noscript>.) <noscript> Please enable script and click <a href=./scriptcheck.php?name=__INPUT__>here</a> </noscript>
PARAM: ssi1
<style type='text/css'> body { background-image: url('__INPUT__'); } </style>
PARAM: ssi2
<style type='text/css'> body { background-color: #F5F5F5__INPUT__; } </style>
PARAM: ssi3
<style type='text/css'> __INPUT__ </style>
PARAM: he1
<code onmouseover='__INPUT__'> ABCDEFGHI </code>
PARAM: he2
<code onmouseover="alert('Similar to Yahoo! 0day by Hong __INPUT__'); return true;"> ABCDEFGHI </code>
PARAM: bbc
Converts a URL like http://mail.yahoo.com/ into <a href='http://mail.yahoo.com/'> http://mail.yahoo.com/ </a>. Input a URL...
Here is the list of all params for your Scanner
freehtml=&asq=&adq=&abt=&fa=&bat=&fse=&svsq=&svdq=&sac=&spvc1=&spvc2=&spvc3=&ssac1=&ssac2=&ssac3=&sno1=&sno2=&sc1=&sc2=&sc3=&ta=&ns=&ssi1=&ssi2=&ssi3=&he1=&he2=&bbc=& total=29
This page simulates various conditions in which user input may get
reflected into an HTML page by server-side scripts. Some of the XSS
scenarios here are possibly far-fetched or over-stretched :), but given the
nature and variety of web application development techniques their
possibility cannot be denied. Every developer thinks differently, so user
input can potentially land ANYWHERE on your page. The purpose of this
script is to let developers test their XSS scanners, IDS systems etc. It
should also be a good way of learning to 'break' out of HTML in various
ways. I have tried to include most of the scenarios I could think of, and
I'm confident that coupling an IDS with this script will multiply the number
of test cases. Any additional inputs are welcome; there are probably
hundreds more. Remember, if this script is coupled with an IDS, the IDS
should be able to block ALL XSS, because user input can be reflected ANYWHERE ;).
Using this tool is simple! The XSS cases are divided into sections, and each
section names the parameter that must be attacked in order to reach that
section. E.g. for PARAM: freehtml you add a GET parameter
freehtml=ATTACK_VECTOR to the URL. Each section also shows where your
input lands, using the __INPUT__ placeholder. If you are using an XSS
scanner, the list of all parameters is given above.
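The sections above differ in what neutralises an injection: a JS string context needs JavaScript escaping, an attribute or text context needs HTML entity encoding, a CSS url() needs CSS escaping, and a bare expression context (sno1, sno2, ssac3, spvc3, sac) cannot be fixed by encoding at all and must be validated. The following is an added example, not code from the original scriptcheck page. It copies four of the page's templates (trailing comments dropped), and the breakout vectors, the helper names (encodeForJsString, encodeForHtml, encodeForCss, requireInteger, evalSvsq, leaksVector) and the sink-based check are this example's own.

```javascript
// Added example, not code from the original scriptcheck page: context-aware
// output encoding for the reflection contexts the page simulates. Templates
// are copied from the page; vectors and helper names are this example's own.

// JS string literal contexts (svsq, svdq, spvc1, spvc2, ssac1, ssac2):
// escape every character outside [A-Za-z0-9] as \xHH or \uHHHH. That covers
// both quote types, backslash, line terminators and the "</script>" sequence
// (its '<' and '/' are escaped), whichever quote the template uses.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// HTML text and attribute contexts (ta, he1, he2, the ns href):
// entity-encode the five characters that can change the markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// CSS string / url() context (ssi1): CSS hex escape. The trailing space
// terminates the escape so a following hex digit is not absorbed into it.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16) + ' ');
}

// Bare JS expression contexts (sac, spvc3, ssac3, sno1, sno2): no output
// encoding makes arbitrary text safe here, so validate the expected shape
// and reject everything else.
function requireInteger(s) {
  if (!/^-?[0-9]{1,15}$/.test(String(s))) {
    throw new TypeError('not an integer: ' + s);
  }
  return String(s);
}

// Substitute the placeholder; a function replacement keeps '$' in the value
// from being interpreted as a replace pattern.
function render(template, value) {
  return template.replace('__INPUT__', () => value);
}

// Reflection contexts copied from the page.
const templates = {
  svsq: "<script type='text/javascript'> var i = 'Welocome __INPUT__'; </script>",
  sno1: '<script type="text/javascript"> var total = 36; total = total + __INPUT__7; </script>',
  ta:   "<textarea rows='1' cols='50'> Your input=__INPUT__ </textarea>",
  ssi1: "<style type='text/css'> body { background-image: url('__INPUT__'); } </style>",
};

// Constructed breakout vectors for those contexts (not from the page).
const vectors = {
  svsq: "'; alert(1); //",
  sno1: "1; alert(1); //",
  ta:   '</textarea><img src=x onerror=alert(1)>',
  ssi1: "'); } body { background: url('javascript:alert(1)",
};

// Run the script block a browser would see for the svsq template, with
// `alert` bound to a sink so a successful breakout is observable. Returns the
// value of `i`; for the encoded form that must equal the original input.
function evalSvsq(value, alertSink) {
  const html = render(templates.svsq, value);
  const js = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
  return new Function('alert', js + ' return i;')(alertSink);
}

// True when the rendered page still carries the vector verbatim, i.e. the
// context was broken out of; false when encoding kept it inert.
function leaksVector(param, value) {
  return render(templates[param], value).includes(vectors[param]);
}
```

Note that requireInteger rejects the sno1 vector outright: the `7` glued onto the placeholder in `total + __INPUT__7` shows why an allow-list on shape, not a blocklist of characters, is the only workable control in an expression context.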
In order to multiply the number of XSS scenarios, a new parameter has been
introduced. If you inject a <script> tag, for example, you will see two IDS
rules at the top that block your attack. Each rule has an integer ID.
You can ask the page to skip these filtering rules by specifying a comma-
separated list of IDs in the 'skiprules' parameter, e.g. skiprules=18,22
There is an easier way to make injections, using the forms provided in each
section. Please enable popups in order to use this option.
If your injection is blocked by a filter that you want to skip, press the
'Disable This Filter' button in the popup window, then press the 'eXSploit'
button in the main window.
I've been a bit lazy when writing the solutions.
These can be found here.
Each solution consists of the field name, the injection string and optionally the filters to skip.