KNOXSS Add-on Test Page

=> Click on your add-on icon to turn it on for this domain, then navigate by clicking
one of the links below (except the ones marked with *, which are on another domain).

Source-Based XSS Test Cases

Single Reflection

Case 01 - Direct URL Injection (no parameter)
Case 02 - Simple HTML Injection (a)
Case 03 - Inline HTML Injection with Double Quotes (b1)
Case 04 - Inline HTML Injection with Single Quotes (b2)
Case 05 - Inline HTML Injection with Double Quotes: No Tag Breaking (b3)
Case 06 - Inline HTML Injection with Single Quotes: No Tag Breaking (b4)
Case 07 - HTML Injection with Single Quotes in JS Block (c1)
Case 08 - HTML Injection with Double Quotes in JS Block (c2)
Case 09 - Simple JS Injection with Single Quotes (c3)
Case 10 - Simple JS Injection with Double Quotes (c4)
Case 11 - Escaped JS Injection with Single Quotes (c5)
Case 12 - Escaped JS Injection with Double Quotes (c6)
Case 13 - Simple XML Injection (p)

Multi Reflection (Pro Only)

Case 14 - Double Injection in HTML Context with Double Quotes
Case 15 - Double Injection in Mixed Context (HTML + JS) with Default Quotes
Case 16 - Quoteless Inline Double Injection in JS variables
Case 17 - Quoteless Inline Double Injection in JS object
Case 18 - Quoteless Inline Double Injection in JS object with Nested Array
Case 19 - Quoteless Inline Double Injection in JS object with Nested Function

Special Cases (Pro Only)

Case 20 - SQLi error-based HTML Injection *
Case 21 - PHP FILTER_VALIDATE_EMAIL Bypass HTML Injection

DOM-based XSS Test Cases

Case 22 - DOM Injection via URL parameter (by server + client)
Case 23 - DOM Injection via URL Parameter (Document Sink)
Case 24 - DOM Injection via Open Redirection (Location Sink)
Case 25 - DOM Injection via URL Parameter (Execution Sink)

Blind XSS Test Case

1. Navigate to the following page and wait for the KNOXSS message "Nothing found for FORM".

Stored Text - Attacker's Input

2. Open the victim's page, simulating their access. An email with the report will arrive in your inbox.

Stored Text - Victim's Triggering

Authenticated XSS Test Case

XSS After Login