脆弱性データの追加

type01/01-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/01-09/sink.js

@@ -0,0 +1,3 @@
+import { payload } from './source.js';
+
+document.write(payload);

type01/01-09/source.js

@@ -0,0 +1,3 @@
+var payload = document.baseURI;
+
+export { payload };

type01/02-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/02-09/sink.js

@@ -0,0 +1,13 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload);
+}, 10);
+
+// Sync trigger.
+document.write(payload);
+
+// Async trigger.
+function trigger(payload) {
+    document.write(payload);
+}

type01/02-09/source.js

@@ -0,0 +1,21 @@
+/*
+* Return the value of the first cookie with the given name.
+*/
+function lookupCookie(name) {
+    var parts = document.cookie.split(/\s*;\s*/);
+    var nameEq = name + '=';
+    for (var i = 0; i < parts.length; i++) {
+        if (parts[i].indexOf(nameEq) == 0) {
+            return parts[i].substr(nameEq.length);
+        }
+    }
+}
+
+// Pre-seed the cookie, if it has not been set yet.
+if (!lookupCookie('badValue')) {
+    document.cookie = 'badValue="a"';
+}
+
+var payload = lookupCookie('badValue');
+
+export { payload };

type01/02-18/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/02-18/sink.js

@@ -0,0 +1,16 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload);
+}, 10);
+
+var div = document.createElement('div');
+document.documentElement.appendChild(div);
+
+// Sync trigger.
+div.innerHTML = payload;
+
+// Async trigger.
+function trigger(payload) {
+    div.innerHTML = payload;
+};

type01/02-18/source.js

@@ -0,0 +1,21 @@
+/*
+* Return the value of the first cookie with the given name.
+*/
+function lookupCookie(name) {
+    var parts = document.cookie.split(/\s*;\s*/);
+    var nameEq = name + '=';
+    for (var i = 0; i < parts.length; i++) {
+        if (parts[i].indexOf(nameEq) == 0) {
+            return parts[i].substr(nameEq.length);
+        }
+    }
+}
+
+// Pre-seed the cookie, if it has not been set yet.
+if (!lookupCookie('badValue')) {
+    document.cookie = 'badValue="a"';
+}
+
+var payload = lookupCookie('badValue');
+
+export { payload };

type01/03-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/03-09/sink.js

@@ -0,0 +1,3 @@
+import { payload } from './source.js';
+
+document.write(payload);

type01/03-09/source.js

@@ -0,0 +1,3 @@
+var payload = document.documentURI;
+
+export { payload };

type01/04-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/04-09/sink.js

@@ -0,0 +1,13 @@
+import { payload } from './source.js';
+
+// Sync trigger.
+document.write(payload);
+
+setTimeout(function () {
+    trigger(payload);
+}, 10);
+
+// Async trigger.
+function trigger(payload) {
+    document.write(payload);
+}

type01/04-09/source.js

@@ -0,0 +1,8 @@
+if (document.referrer == "") {
+    // If the referrer is not set, we set the referrer by reloading the page.
+    location.href = location.href;
+} else {
+    var payload = document.referrer;
+}
+
+export { payload };

type01/04-12/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/04-12/sink.js

@@ -0,0 +1,13 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload);
+}, 10);
+
+// Sync trigger.
+eval(payload);
+
+// Async trigger.
+function trigger(payload) {
+    eval(payload);
+};

type01/04-12/source.js

@@ -0,0 +1,8 @@
+if (document.referrer == "") {
+    // If the referrer is not set, we set the referrer by reloading the page.
+    location.href = location.href;
+} else {
+    var payload = document.referrer;
+}
+
+export { payload };

type01/04-18/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/04-18/sink.js

@@ -0,0 +1,16 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload);
+}, 10);
+
+var div = document.createElement('div');
+document.documentElement.appendChild(div);
+
+// Sync trigger.
+div.innerHTML = payload;
+
+// Async trigger.
+function trigger(payload) {
+    div.innerHTML = payload;
+};

type01/04-18/source.js

@@ -0,0 +1,8 @@
+if (document.referrer == "") {
+    // If the referrer is not set, we set the referrer by reloading the page.
+    location.href = location.href;
+} else {
+    var payload = document.referrer;
+}
+
+export { payload };

type01/05-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/05-09/sink.js

@@ -0,0 +1,3 @@
+import { payload } from './source.js';
+
+document.write(payload);

type01/05-09/source.js

@@ -0,0 +1,3 @@
+var payload = document.URL;
+
+export { payload };

type01/06-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/06-09/sink.js

@@ -0,0 +1,3 @@
+import { payload } from './source.js';
+
+document.write(payload);

type01/06-09/source.js

@@ -0,0 +1,3 @@
+var payload = document.URLUnencoded;
+
+export { payload };

type01/07-12/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/07-12/sink.js

@@ -0,0 +1,16 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload); // Using the async trigger.
+
+    // Clean up the localStorage to avoid causing side-effect on subsequent tests.
+    localStorage.clear();
+}, 10);
+
+// Sync trigger.
+eval(payload);
+
+// Async trigger.
+function trigger(payload) {
+    eval(payload);
+};

type01/07-12/source.js

@@ -0,0 +1,6 @@
+if (!localStorage['badValue']) {
+    localStorage['badValue'] = Math.random();
+}
+var payload = localStorage['badValue'];
+
+export { payload };

type01/08-09/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>

type01/08-09/sink.js

@@ -0,0 +1,16 @@
+import { payload } from './source.js';
+
+setTimeout(function () {
+    trigger(payload); // Using the async trigger.
+
+    // Clean up the localStorage to avoid causing side-effect on subsequent tests.
+    localStorage.clear();
+}, 10);
+
+// Sync trigger.
+document.write(payload);
+
+// Async trigger.
+function trigger(payload) {
+    document.write(payload);
+}

type01/08-09/source.js

@@ -0,0 +1,7 @@
+if (!localStorage.getItem('badValue')) {
+    localStorage.setItem('badValue', Math.random());
+}
+
+var payload = localStorage.getItem('badValue'); // Using sync trigger.
+
+export { payload };

type01/08-12/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>DOM Based XSS</title>
+</head>
+
+<body>
+    <script type="module" src="./sink.js"></script>
+</body>
+
+</html>