tests/resources/referer-xss.txt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

Manual regression test procedure for XSS referer
================================================
1. set in the config.ini.php
[Tracker]
visit_standard_length = 1
enable_detect_unique_visitor_using_settings = 0

[Debug]
always_archive_data = 1

2. go to /misc/testJavascriptTracker/ and fake the referer using, eg. RefControl options Firefox extension
http://www.google.co.uk/search?hl=en&q=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
http://example.com/';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
http://example.com/&quot;&lt;script&gt;alert(''test'');&lt;/script&gt;
http://example3.com/test>"'><script>alert('XSS')</script>
http://example.com/"><script>alert('yo')</script>
http://example.com/&quot;&gt;&lt;script&gt;alert(''hi'')&lt;/script&gt;
localhost&lt;script&gt;alert(''test'')&lt;', 'http://localhost&lt;script&gt;alert(''test'')&lt;/script&gt;/test&lt;script&gt;alert(''test'')&lt;/script&gt;

3. go to Piwik UI, and check that in referer everything looks as expected (no parse error, etc.)