EnDeUser.xml

<?xml version="1.0"?>
<!--
#? NAME
#?      EnDeUser.xml - menu for user defined nested functions
#?
#? SYNOPSIS
#?      EnDeGUI.js expects EnDeUser.xml to contain user-defined functions.
#?
#? USAGE
#?      Copy this file to the ./usr/ directory and make your changes there.
#?
#?      ** please add you own functions below **
#?
#? DESCRIPTION
#?      List of function for Functions window.
#?
#?      Each  <attack />  scope describes one menu entry as follows:
#?
#?         <label>   - a unique label, used to group functions in SELECT menu
#?         <name>    - descriptive name used in SELECT->OPTION menu
#?         <code>    - code to be added to Functions textarea
#?         <desc>    - descriptive text used in SELECT->OPTION's title= attribute
#?
#? LIMITATIONS
#?      Examples herein are used as is. In particular EnDeGUI dos not honor the
#?      "[] value"  checkbox in the Functions window for the texts herein.
#?
# HACKER's INFO
#       All code examples rely on existance of  $()  function, which must be:
#          function $(id) { return document.getElementById(id); }
#?
#? SEE ALSO
#?      EnDeUser.js
#?      EnDeText.js
#?      EnDeGUI.js
#?
#? VERSION
#?      @(#) EnDeUser.xml 4.5 20/12/14 11:45:30
#?
#? AUTHOR
#?      10-10-08 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
# =============================================================================
  -->
<xss>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>base64/hex</name>
        <desc>first base64 encode text, then hex encode each character</desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  "hex2",
  "lazy",
  true,
  ""+EnDe.EN.dispatch("base64","lazy",false,$('EnDeDOM.EN.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>base64/URL encode</name>
        <desc>first base64 encode text, then URL encode</desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  "urlCHR",
  "lazy",
  false,
  ""+EnDe.EN.dispatch("base64","lazy",false,$('EnDeDOM.EN.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>double URL/URL encode</name>
        <desc>first URL-encode text, then URL encode again (for mixed double encoding)</desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  'urlCHR',
  'lazy',
  false,
  ''+EnDe.EN.dispatch('urlCHR','lazy',false,$('EnDeDOM.EN.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>tripple URL/URL encode</name>
        <desc>URL-encode text three times (for mixed tripple encoding)</desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  'urlCHR',
  'lazy',
  false,
  ''+EnDe.EN.dispatch('urlCHR','lazy',false,
    ''+EnDe.EN.dispatch('urlCHR','lazy',false,$('EnDeDOM.EN.text').value,'','',''),
    '','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>octal/URL encode</name>
        <desc>first encode octal values then URL-encode text, then </desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  "urlCHR",
  "lazy",
  false,
  ""+EnDe.EN.dispatch(
    "oct3",
    "lazy",
    false,
    $('EnDeDOM.EN.text').value,
    $('EnDeDOM.API.prefix').value,
    $('EnDeDOM.API.suffix').value,
    $('EnDeDOM.API.delimiter').value
  ),
  $('EnDeDOM.API.prefix').value,
  $('EnDeDOM.API.suffix').value,
  $('EnDeDOM.API.delimiter').value
)
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>MySQL/char</name>
        <desc>first decimal encode text, then enclose with MySQL char() function</desc>
        <code><![CDATA[
EnDe.EN.dispatch("dez2","lazy",true,$('EnDeDOM.EN.text').value,'','',',').replace(/^/,'char(').replace(/$/,')')
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>Oracle/CHR</name>
        <desc>first decimal encode text, then enclose with Oracle CHR() function</desc>
        <code><![CDATA[
EnDe.EN.dispatch("dez2","lazy",true,$('EnDeDOM.EN.text').value,'','',',').replace(/^/,'CHR(').replace(/$/,')')
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>MySQL/Oracle CONCAT</name>
        <desc>concat characters of strings with CONCAT() function</desc>
        <code><![CDATA[
EnDe.EN.dispatch("copy","lazy",true,$('EnDeDOM.EN.text').value,"","","").split('').join("','").replace(/(.*)/,"CONCAT('$1')")
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>Oracle ||</name>
        <desc>concat characters of strings with Oracle || function</desc>
        <!-- same as En-/Decoding->Straight Character in "User Api Options", but more complicated ;-) -->
        <code><![CDATA[
EnDe.EN.dispatch("copy","lazy",true,$('EnDeDOM.EN.text').value,"","","").split('').join("'||'").replace(/(.*)/,"'$1'")
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>MSQL +</name>
        <desc>concat characters of strings with MSQL + function</desc>
        <!-- same as En-/Decoding->Straight Character in "User Api Options", but more complicated ;-) -->
        <code><![CDATA[
EnDe.EN.dispatch("copy","lazy",true,$('EnDeDOM.EN.text').value,"","","").split('').join("'+'").replace(/(.*)/,"'$1'")
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>APEX-style encode</name>
        <desc>first URL-encode each paramter, then join them with : </desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  "urlCHR",
  "lazy",
  $('EnDeDOM.API.uppercase').checked,
  $('EnDeDOM.EN.text').value
    .replace(/\t/g, '@@MASK_TAB@@') /* prevent TABs to be URL-encoded */
    .replace(/\/\*\s*EnDe-Separator__do_not_remove_this_line.*\*\//g, '@@MASK_BAR@@') /* prevent colons to be URL-encoded */
    .replace(/^ /mg,'') /* remove leading spaces */
    .replace(/\n/g, '') /* remove NL */
  ,
  "",
  "",
  ""
)
.replace(/[!/='#+*~;.:]/g,function(a){return "%"+a.charCodeAt(0).toString(16)}) /* URL-encode all non-letters */
.replace(/@@MASK_TAB@@/g, '=') /* insert masked = */
.replace(/@@MASK_BAR@@/g, ':') /* insert masked | */
.replace(/@/g, '%40')          /* finnaly URL-encode @ */
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>DWR-style encode</name>
        <desc>first URL-encode each paramter, then join them with = </desc>
        <code><![CDATA[
$('EnDeDOM.EN.text').value
.replace(/\t/g, '@@MASK_TAB@@') /* prevent TABs to be URL-encoded */
.replace(/[!/='#+*~;.]/g,function(a){return "%"+a.charCodeAt(0).toString(16)}) /* URL-encode all non-letters */
.replace(/@@MASK_TAB@@/g, '=') /* insert masked = */
    ]]></code>
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>GWT-style encode</name>
        <desc>first URL-encode each paramter, then join them with | </desc>
        <code><![CDATA[
EnDe.EN.dispatch(
  "urlCHR",
  "lazy",
  $('EnDeDOM.API.uppercase').checked,
  $('EnDeDOM.EN.text').value
    .replace(/\t/g, '@@MASK_TAB@@') /* prevent TABs to be URL-encoded */
    .replace(/\/\*\s*EnDe-Separator__do_not_remove_this_line.*\*\//g, '@@MASK_BAR@@') /* prevent BARs to be URL-encoded */
    .replace(/^ /mg,'') /* remove leading spaces */
    .replace(/\n/g, '') /* remove NL */
  ,
  "",
  "",
  ""
)
.replace(/[!/='#+*~,;:]/g,function(a){return "%"+a.charCodeAt(0).toString(16)}) /* URL-encode all non-letters */
.replace(/@@MASK_TAB@@/g, '=') /* insert masked = */
.replace(/@@MASK_BAR@@/g, '|') /* insert masked | */
.replace(/@/g, '%40')          /* finnaly URL-encode @ */
    ]]></code>
    </attack>
<!--
  /* more restrictive: */
.replace(/[!/()='#+*~,;.:-]/g,function(a){return "%"+a.charCodeAt(0).toString(16)}) /* URL-encode all non-letters */
-->

    <attack>
        <label>Encoding User Functions ..</label>
        <name>JWT-style encode (JSON Web Toolkit)</name>
        <desc>first base64-encode each paramter, then join them with . </desc>
        <code><![CDATA[
var sig = $('EnDeDOM.EN.text').value.split('\nEnDe-Separator__do_not_remove_this_line\n')[2];
/* only base64 encode signature if it was base64 encoded */
var is64=($('EnDeDOM.EN.text').value.split('\nEnDe-Separator__do_not_remove_this_line\n')[3].match(/=true/)!==null) ? true : false;
  $('EnDeDOM.EN.text').value.split('\nEnDe-Separator__do_not_remove_this_line\n')[0],
EnDe.EN.dispatch(
  "base64",
  "lazy",
  $('EnDeDOM.API.uppercase').checked,
  $('EnDeDOM.EN.text').value.split('\nEnDe-Separator__do_not_remove_this_line\n')[0],
  "","","").replace(/=/mg,'') + '.' +
EnDe.EN.dispatch(
  "base64",
  "lazy",
  $('EnDeDOM.API.uppercase').checked,
  $('EnDeDOM.EN.text').value.split('\nEnDe-Separator__do_not_remove_this_line\n')[1],
  "","","").replace(/=/mg,'') + '.' +
  ((is64===false) ? sig : EnDe.EN.dispatch("base64","lazy",$('EnDeDOM.API.uppercase').checked,sig,"","","").replace(/=/mg,''));
    ]]></code>
	<!-- above is a lazy approach because: -->
	<!-- * JWT's base64 encoding may miss padding characters, need to be removed -->
	<!-- * JWT's base64 encoded signature uses "Base64 SAP (-_ instead of +/) -->
	<!-- * JWT's base64 encoded signature needs a salt (not yet implemented)  -->
    </attack>

    <attack>
        <label>Encoding User Functions ..</label>
        <name>JSON-decoded Base64</name>
        <desc>remove literal \r and \n then replace any \x by X</desc>
        <code><![CDATA[
/* for JSON, BASE64 data contains literal \r \n and \/ 
 * converts to BASE64 with literal \r \n and \/
*/
$('EnDeDOM.EN.text').value.replace(/\//g, '\\/').replace(/\r/g, '\\r').replace(/\n/g, '\\n')
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>hex/base64</name>
        <desc>first decode hex charactersm then decode base64</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "base64",
  "lazy",
  true,
  ""+EnDe.DE.dispatch("hexCHR","lazy",false,$('EnDeDOM.DE.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>URL/base64 decode</name>
        <desc>first URL-decode text, then base64 decode</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "base64",
  "lazy",
  false,
  ""+EnDe.DE.dispatch("urlCHR","lazy",false,$('EnDeDOM.DE.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>double URL/URL decode</name>
        <desc>first URL-decode text, then URL decode again (for mixed double encoding)</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  'urlCHR',
  'lazy',
  false,
  ''+EnDe.DE.dispatch('urlCHR','lazy',false,$('EnDeDOM.DE.text').value,'','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>tripple URL/URL decode</name>
        <desc>URL-decode text three times (for mixed tripple encoding)</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  'urlCHR',
  'lazy',
  false,
  ''+EnDe.DE.dispatch('urlCHR','lazy',false,
    ''+EnDe.DE.dispatch('urlCHR','lazy',false,$('EnDeDOM.DE.text').value,'','',''),
    '','',''),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>double \xHH/URL decode</name>
        <desc>first replace \x by %, then URL-decode text, then URL decode again (for mixed double encoding)</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  'urlCHR',
  'lazy',
  false,
  ''+EnDe.DE.dispatch('urlCHR','lazy',false,
    $('EnDeDOM.DE.text').value.replace(/\\x/g,'%'),'','',''),

  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>URL/octal decode</name>
        <desc>first URL-decode text, then decode octal values</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "oct3",
  "lazy",
  false,
  ""+EnDe.DE.dispatch(
    "urlCHR",
    "lazy",
    false,
    $('EnDeDOM.DE.text').value,
    $('EnDeDOM.API.prefix').value,
    $('EnDeDOM.API.suffix').value,
    $('EnDeDOM.API.delimiter').value
  ),
  $('EnDeDOM.API.prefix').value,
  $('EnDeDOM.API.suffix').value,
  $('EnDeDOM.API.delimiter').value
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>fuzzy decoding</name>
        <desc>try to decode obfuscated text</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "fuzURLsq",
  "lazy",
  false,
  ""+EnDe.DE.dispatch(
    "fuzHEXsq",
    "lazy",
    false,
    ""+EnDe.DE.dispatch(
      "fuzOCTsq",
      "lazy",
      false,
      $('EnDeDOM.DE.text').value.replace(/[\n\r]/g,''),
      $('EnDeDOM.API.prefix').value,
      $('EnDeDOM.API.suffix').value,
      $('EnDeDOM.API.delimiter').value
    ),
    $('EnDeDOM.API.prefix').value,
    $('EnDeDOM.API.suffix').value,
    $('EnDeDOM.API.delimiter').value
  ),
  $('EnDeDOM.API.prefix').value,
  $('EnDeDOM.API.suffix').value,
  $('EnDeDOM.API.delimiter').value
)
    ]]></code>
    </attack>

    <attack>
<!-- // ToDo: not yet working! -->
        <label>Decoding User Functions ..</label>
        <name>fuzzy decoding evaluated</name>
        <desc>try to decode obfuscated text and then use JavaScript's eval()</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "JSeval",
  "lazy",
  false,
  ""+EnDe.DE.dispatch(
    "fuzURLsq",
    "lazy",
    false,
    ""+EnDe.DE.dispatch(
      "fuzHEXsq",
      "lazy",
      false,
      ""+EnDe.DE.dispatch(
        "fuzOCTsq",
        "lazy",
        false,
        $('EnDeDOM.DE.text').value.replace(/[\n\r]/g,''),
        $('EnDeDOM.API.prefix').value,
        $('EnDeDOM.API.suffix').value,
        $('EnDeDOM.API.delimiter').value
      ),
      $('EnDeDOM.API.prefix').value,
      $('EnDeDOM.API.suffix').value,
      $('EnDeDOM.API.delimiter').value
    ),
    $('EnDeDOM.API.prefix').value,
    $('EnDeDOM.API.suffix').value,
    $('EnDeDOM.API.delimiter').value
    ),
  '',
  '',
  ''
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>APEX-style decode, full split</name>
        <desc>split parameters on :, then URL-decode text</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "urlCHR",
  "lazy",
  false,
  $('EnDeDOM.DE.text').value
	.replace(/[\r\n]/g,'') /* \r and \n are removed to avoid problems C&Ped texts */
	.replace(/=/g,'\t')    /* replace = by TAB */
	.replace(/[:]/g,'\n/* EnDe-Separator__do_not_remove_this_line: : */\n'), /* replace separator by unique comment */
  '',
  '',
  ''  
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>DWR-style decode, full split</name>
        <desc>split parameters on =, then URL-decode text</desc>
        <code><![CDATA[
EnDe.DE.dispatch(
  "urlCHR",
  "lazy",
  false,
  $('EnDeDOM.DE.text').value
	.replace(/^([^=]*)/mg, function(a){return a+'\t';}),  /* replace first = by TAB */
  '',
  '',
  ''  
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>GWT-style decode, lazy (with XML)</name>
        <desc>first URL-decode text but leave | as %7C, then pretty print XML</desc>
		<!-- leaving | encoded is usefull if string should be split
		     on  |  later for GWT parsing -->
        <code><![CDATA[
EnDe.Form.dispatch(
  "XMLFormat",
  "lazy",
  ""+EnDe.DE.dispatch(
    "urlCHR",
    "lazy",
    false,
    $('EnDeDOM.DE.text').value.replace(/[\r\n]/g,''), /* \r and \n are removed to allow C&P */
    '',
    '',
    ''
  ).replace(/[|]/g,'%7C'),
  true,
  5
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>GWT-style decode, full (with XML)</name>
        <desc>first URL-decode text, then pretty print XML</desc>
        <code><![CDATA[
EnDe.Form.dispatch(
  "XMLFormat",
  "lazy",
  ""+EnDe.DE.dispatch(
    "urlCHR",
    "lazy",
    false,
    $('EnDeDOM.DE.text').value.replace(/[\r\n]/g,''), /* \r and \n are removed to allow C&P */
    '',
    '',
    ''
  ),
  true,
  2 /* not used */
)
    ]]></code>
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>GWT-style decode, full split (with XML)</name>
        <desc>split parameters on |, then URL-decode text and pretty print XML</desc>
        <code><![CDATA[
EnDe.Form.dispatch(
  "XMLFormat",
  "lazy",
  ""+EnDe.DE.dispatch(
    "urlCHR",
    "lazy",
    false,
    $('EnDeDOM.DE.text').value
	.replace(/[\r\n]/g,'') /* \r and \n are removed to avoid problems C&Ped texts */
	.replace(/=/g,'\t')    /* replace = by TAB */
	.replace(/[|]/g,'\n/* EnDe-Separator__do_not_remove_this_line: | */\n'), /* replace separator by unique comment */
    '',
    '',
    ''  
  ),
  true,
  2 /* not used */
)    
    ]]></code>
	<!-- above is a lazy approach and expects no TAB and NL within each URL-decoded parameter -->
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>JWT-style decode (JSON Web Toolkit)</name>
        <desc>split parameters on ., then base64-decode text</desc>
        <code><![CDATA[
var encsig = $('EnDeDOM.DE.text').value.split('.')[2];
var decsig = EnDe.DE.dispatch("base64","lazy",false,encsig,"","","");
EnDe.DE.dispatch("base64","lazy",false,$('EnDeDOM.DE.text').value.split('.')[0],"","","") +
'\nEnDe-Separator__do_not_remove_this_line\n' +
EnDe.DE.dispatch("base64","lazy",false,$('EnDeDOM.DE.text').value.split('.')[1],"","","") +
'\nEnDe-Separator__do_not_remove_this_line\n' +
decsig +
'\nEnDe-Separator__do_not_remove_this_line\n' +
'EnDe-JWT-signature-is-base64=' + (encsig!=decsig);
/* remember if signature is base64 encoded */
    ]]></code>
	<!-- above is a lazy approach because: -->
	<!-- * JWT's base64 encoding may miss padding characters -->
	<!-- * JWT's base64 encoded signature uses "Base64 SAP (-_ instead of +/) -->
    </attack>

    <attack>
        <label>Decoding User Functions ..</label>
        <name>JSON-encoded Base64</name>
        <desc>remove literal \r and \n then replace any \x by X</desc>
        <code><![CDATA[
/* for JSON, BASE64 data contains literal \r \n and \/ 
 * converts back to real BASE64
*/
EnDe.Text.dispatch(
    EnDe.Text.dispatch(
        EnDe.Text.dispatch(
            EnDe.Text.dispatch($('EnDeDOM.DE.text').value,'txtDELbsn',0),
            'txtDELbsr',0),
        'txtREPbsany',0),
   'txtDELnl',0
)
    ]]></code>
    </attack>

</xss>