This is not an exhaustive list since there are variations of some of the following but here are the XSS cases currently covered by KNOXSS v3+ series.<\/p>\n
Also check how KNOXSS compares to other tools<\/a><\/strong> in these cases.<\/p>\n <\/p>\n Single Reflection Using QUERY of URL<\/strong><\/p>\n Case 01 - HTML Injection (a)<\/a> Single Reflection Using PATH of URL (\"friendly URLs\")<\/strong><\/p>\n Case 01 - HTML Injection Inline PHP_SELF<\/a> Multi Reflection<\/strong><\/p>\n Case 01 - Double Injection in HTML Context with Double Quotes<\/a> Special Cases<\/strong><\/p>\n Case 01 - HTML Injection with Double Encoded Bypass<\/a> SSRF-Based Cases (also Blind)<\/strong><\/p>\n Case 01 - XHTML Injection via File Rendering (Remote File Inclusion)<\/a><\/p>\n Case 01 - DOM Injection via URL Parameter (Document Sink)<\/a> Case 01 - JS Injection Sanitized in Source<\/a> Case 01 - CSP Bypass with Unsafe Inline Directive<\/a> Case 01 - HTML Injection via Cached Header Reflection (Varnish)<\/a><\/p>\n Case 01 - HTML Injection in Cookie-Based Authenticated Page<\/a><\/p>\n Directions for Testing<\/strong><\/p>\n 1. Feed KNOXSS with the following page to drop your Blind XSS payload.<\/p>\n Stored Text - Attacker's Input (click)<\/a><\/p>\n 2. Open the victim's page simulating his\/her access. An email with report will come to your inbox.<\/p>\n Stored Text - Victim's Triggering (click)<\/a><\/p>\n Case 01 - Client Side Open Redirect<\/a> This is not an exhaustive list since there are variations of some of the following but here are the XSS cases currently covered by KNOXSS v3+ series. Also check how KNOXSS compares to other tools in these cases. Source-Based XSS Test Cases Single Reflection Using QUERY of URL Case 01 – […]<\/p>\n","protected":false},"author":1,"featured_media":1460,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-766","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/pages\/766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/knoxss.pro\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=766"}],"version-history":[{"count":45,"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/pages\/766\/revisions"}],"predecessor-version":[{"id":3937,"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/pages\/766\/revisions\/3937"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/knoxss.pro\/index.php?rest_route=\/wp\/v2\/media\/1460"}],"wp:attachment":[{"href":"https:\/\/knoxss.pro\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Source-Based XSS Test Cases<\/h3>\n
\nCase 02 - HTML Injection Inline with Double Quotes (b1)<\/a>
\nCase 03 - HTML Injection Inline with Single Quotes (b2)<\/a>
\nCase 04 - HTML Injection Inline with Double Quotes: No Tag Breaking (b3)<\/a>
\nCase 05 - HTML Injection Inline with Single Quotes: No Tag Breaking (b4)<\/a>
\nCase 04 - HTML Injection Inline with Double Quotes: No Tag Breaking on Input Hidden (b5)<\/a>
\nCase 05 - HTML Injection Inline with Single Quotes: No Tag Breaking on Input Hidden (b6)<\/a>
\nCase 08 - HTML Injection with Single Quotes in JS Block (c1)<\/a>
\nCase 09 - HTML Injection with Double Quotes in JS Block (c2)<\/a>
\nCase 10 - JS Injection with Single Quotes (c3)<\/a>
\nCase 11 - JS Injection with Double Quotes (c4)<\/a>
\nCase 12 - Escaped JS Injection with Single Quotes (c5)<\/a>
\nCase 13 - Escaped JS Injection with Double Quotes (c6)<\/a>
\nCase 14 - JS Injection In Event Handler (No Handler Breaking)<\/a>
\nCase 15 - JS Injection in Fully Validated Anchor (Href)<\/a>
\nCase 16 - XML Injection with CDATA and Comment Breakout (p, q & r)<\/a><\/p>\n
\nCase 02 - HTML Injection 1 Level Deep<\/a>
\nCase 03 - HTML Injection 2 Levels Deep<\/a>
\nCase 04 - HTML Injection 3 Levels Deep<\/a>
\nCase 05 - HTML Injection in Script Block 1 Level Deep<\/a>
\nCase 06 - HTML Injection in Script Block 2 Levels Deep<\/a>
\nCase 07 - HTML Injection in Script Block 3 Levels Deep<\/a>
\nCase 08 - JS Injection in Script Block 1 Level Deep<\/a>
\nCase 09 - JS Injection in Script Block 2 Levels Deep<\/a>
\nCase 10 - JS Injection in Script Block 3 Levels Deep<\/a><\/p>\n
\nCase 02 - Double Injection in Mixed Context (HTML + JS) with Default Quotes<\/a>
\nCase 03 - Quoteless Inline Double Injection in JS variables<\/a>
\nCase 04 - Quoteless Inline Double Injection in JS object<\/a>
\nCase 05 - Quoteless Inline Double Injection in JS object with Nested Array<\/a>
\nCase 06 - Quoteless Inline Double Injection in JS object with Nested Function<\/a><\/p>\n
\nCase 02 - HTML Injection with SQLi Error-Based *<\/a>
\nCase 03 - HTML Injection with PHP FILTER_VALIDATE_EMAIL Bypass<\/a>
\nCase 04 - HTML Injection with Strict-Length Input (32, 40 and 64 chars)<\/a>
\nCase 05 - HTML Injection with Strip-based Bypass (AFB)<\/a>
\nCase 06 - HTML Injection with Spell Checking Bypass<\/a>
\nCase 07 - HTML Injection with Base64 Encoded Input<\/a>
\nCase 08 - HTML Injection with Parameter Guessing (Server Side)<\/a>
\nCase 09 - HTML Injection with Parameter Guessing (Client Side)<\/a>
\nCase 10 - HTML Injection in Parameter Name<\/a>
\nCase 11 - Multi Context Injection with Bypass on Alpha-based Filter and JSON Encode Function (2 Different Entry Points)<\/a>
\nCase 12 - HTML Injection with CRLF in HTTP Header (Content-Type Replacement)<\/a>
\nCase 13 - HTML Injection with Byte Fallback (WAF Bypass in Java)<\/a><\/p>\nDOM-based XSS Test Cases<\/h3>\n
\nCase 02 - DOM Injection via Open Redirection (Location Sink)<\/a>
\nCase 03 - DOM Injection via URL Parameter (Execution Sink)<\/a>
\nCase 04 - DOM Injection via AJAX in URL Fragment (Document Sink)<\/a>
\nCase 05 - DOM Injection via AngularJS Library versions 1.6.0+<\/a>
\nCase 06 - DOM Injection via Bootstrap Library versions 4.0.0, 4.1.0 and 4.1.1<\/a>
\nCase 07 - DOM Injection via Attribute Value Bypassing Whitelist Filter (Wp_Kses)<\/a><\/p>\nHybrid XSS (Source + DOM) Test Cases<\/h3>\n
\nCase 02 - JS Injection with Single Quotes Fixing ReferenceError - Object Hoisting (also with Double Quotes and Escaped variations)<\/a>
\nCase 03 - JS Injection with Single Quotes Fixing ReferenceError - Hoisting Override (also with Double Quotes and Escaped variations, inline and multiline)<\/a><\/p>\nCSP Bypass Test Cases<\/h3>\n
\nCase 02 - CSP Bypass with Base URI Against Nonce-based Scripts<\/a>
\nCase 03 - CSP Bypass with Data URI Directive<\/a>
\nCase 04 - CSP Bypass with Whitelisted Endpoint (www.googleapis.com) via JSONP<\/a>
\nCase 05 - CSP Bypass with Whitelisted Endpoint (ajax.googleapis.com) via Library Inclusion (unsafe-eval)<\/a><\/p>\nStored XSS Test Cases<\/h3>\n
Authenticated XSS Test Cases<\/h3>\n
Blind XSS Test Case<\/h3>\n
Open Redirect<\/h3>\n
\nCase 02 - Server Side Open Redirect<\/a>
\nCase 03 - Client Side Open Redirect (Filtered Same Domain)<\/a>
\nCase 04 - Server Side Open Redirect (Filtered Same Domain)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"