Merge branch 'master' into add-c0-and-c1-controls

2025-09-25 05:12:14 +02:00 · 2017-01-19 08:24:33 -05:00
parent b3c84aaf50 942eb29775
commit a34eb03d01
7 changed files with 46 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -23,6 +23,20 @@ Likewise, please do not send pull requests which compromise *manual usability of

 The Big List of Naughty Strings is intended to be used *for software you own and manage*. Some of the Naughty Strings can indicate security vulnerabilities, and as a result using such strings with third-party software may be a crime. The maintainer is not responsible for any negative actions that result from the use of the list.

-## Maintainer
+Additionally, the Big List of Naughty Strings is not a fully-comprehensive substitute for formal security/penetration testing for your service.

-* Max Woolf ([@minimaxir](https://twitter.com/minimaxir))
+## Maintainer/Creator
+
+Max Woolf ([@minimaxir](https://twitter.com/minimaxir))
+
+## Social Media Discussions
+
+* June 10, 2015 [Hacker News]: [Show HN: Big List of Naughty Strings for testing user-input data](https://news.ycombinator.com/item?id=10035008)
+* August 17, 2015 [Reddit]: [Big list of naughty strings.](https://www.reddit.com/r/programming/comments/3hdxqx/big_list_of_naughty_strings/)
+* February 9, 2016 [Reddit]: [Big List of Naughty Strings](https://www.reddit.com/r/webdev/comments/44wc5b/big_list_of_naughty_strings/)
+* January 15, 2017 [Hacker News]: [Naughty Strings: A list of strings likely to cause issues as user-input data](https://news.ycombinator.com/item?id=13406119)
+* January 16, 2017 [Reddit]: [Naughty Strings: A list of strings likely to cause issues as user-input data](https://www.reddit.com/r/programming/comments/5o9inb/naughty_strings_a_list_of_strings_likely_to_cause/)
+
+## License
+
+MIT
--- a/blns.base64.json
+++ b/blns.base64.json
@@ -395,6 +395,7 @@
     "PGlmcmFtZSBzcmM9aHR0cDovL2hhLmNrZXJzLm9yZy9zY3JpcHRsZXQuaHRtbCA8Cg==",
     "IjthbGVydCgnWFNTJyk7Ly8K",
     "PHBsYWludGV4dD4K",
+     "PC90ZXh0YXJlYT48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4=",
     "MTtEUk9QIFRBQkxFIHVzZXJzCg==",
     "MSc7IERST1AgVEFCTEUgdXNlcnMtLSAxCg==",
     "JyBPUiAxPTEgLS0gMQo=",
@@ -425,6 +426,7 @@
     "Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL2hvc3RzCg==",
     "KCkgeyAwOyB9OyB0b3VjaCAvdG1wL2JsbnMuc2hlbGxzaG9jazEuZmFpbDsK",
     "KCkgeyBfOyB9ID5fWyQoJCgpKV0geyB0b3VjaCAvdG1wL2JsbnMuc2hlbGxzaG9jazIuZmFpbDsgfQo=",
+     "KysrQVRIMA==",
     "Q09OCg==",
     "UFJOCg==",
     "QVVYCg==",
--- a/blns.base64.txt
+++ b/blns.base64.txt
@@ -498,6 +498,7 @@ PGlmcmFtZSBzcmM9aHR0cDovL2hhLmNrZXJzLm9yZy9zY3JpcHRsZXQuaHRtbCA8Cg==
 IjthbGVydCgnWFNTJyk7Ly8K
 PHBsYWludGV4dD4K
 aHR0cDovL2EvJSUzMCUzMAo=
+PC90ZXh0YXJlYT48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4=

 # SQL Injection
 #
@@ -566,6 +567,7 @@ Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL2hvc3RzCg==

 KCkgeyAwOyB9OyB0b3VjaCAvdG1wL2JsbnMuc2hlbGxzaG9jazEuZmFpbDsK
 KCkgeyBfOyB9ID5fWyQoJCgpKV0geyB0b3VjaCAvdG1wL2JsbnMuc2hlbGxzaG9jazIuZmFpbDsgfQo=
+KysrQVRIMA==

 # MSDOS/Windows Special Filenames
 #
--- a/blns.json
+++ b/blns.json
@@ -11,6 +11,8 @@
  "false", 
  "True", 
  "False", 
+  "TRUE", 
+  "FALSE", 
  "None", 
  "hasOwnProperty", 
  "\\", 
@@ -100,6 +102,7 @@
  "⁰⁴⁵", 
  "₀₁₂", 
  "⁰⁴⁵₀₁₂", 
+  "ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็", 
  "'", 
  "\"", 
  "''", 
@@ -129,6 +132,7 @@
  ",。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’", 
  "(╯°□°）╯︵ ┻━┻)  ", 
  "(ﾉಥ益ಥ）ﾉ ┻━┻", 
+  "┬─┬ノ( º _ ºノ)", 
  "( ͡° ͜ʖ ͡°)", 
  "😍", 
  "👩🏽", 
@@ -148,7 +152,7 @@
  "הָיְתָהtestالصفحات التّحول", 
  "﷽", 
  "ﷺ", 
-  "مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ ",
+  "مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، ", 
  "", 
  " ", 
  "᠎", 
@@ -408,10 +412,11 @@
  "<IMG SRC=\"javascript:alert('XSS')\"", 
  "<iframe src=http://ha.ckers.org/scriptlet.html <", 
  "\\\";alert('XSS');//", 
-  "<u oncopy=alert()> Copy me</u>",
-  "<i onwheel=alert(1)> Scroll over me </i>",
+  "<u oncopy=alert()> Copy me</u>", 
+  "<i onwheel=alert(1)> Scroll over me </i>", 
  "<plaintext>", 
  "http://a/%%30%30", 
+  "</textarea><script>alert(123)</script>",
  "1;DROP TABLE users", 
  "1'; DROP TABLE users-- 1", 
  "' OR 1=1 -- 1", 
@@ -445,6 +450,8 @@
  "../../../../../../../../../../../etc/hosts", 
  "() { 0; }; touch /tmp/blns.shellshock1.fail;", 
  "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", 
+  "+++ATH0",
+  "<<< %s(un='%s') = %u", 
  "CON", 
  "PRN", 
  "AUX", 
@@ -459,6 +466,7 @@
  "COM2", 
  "COM3", 
  "COM4", 
+  "DCC SEND STARTKEYLOGGER 0 0 0", 
  "Scunthorpe General Hospital", 
  "Penistone Community Church", 
  "Lightwater Country Park", 
@@ -479,6 +487,7 @@
  "Arsenal canal", 
  "classic", 
  "Tyson Gay", 
+  "Dick Van Dyke", 
  "basement", 
  "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.", 
  "Roses are \u001b[0;31mred\u001b[0m, violets are \u001b[0;34mblue. Hope you enjoy terminal hue", 
--- a/blns.txt
+++ b/blns.txt
@@ -13,6 +13,8 @@ true
 false
 True
 False
+TRUE
+FALSE
 None
 hasOwnProperty
 \
@@ -41,6 +43,10 @@ $1.00
 0/0
 -2147483648/-1
 -9223372036854775808/-1
+-0
+-0.0
+0
+0.0
 0.00
 0..0
 .
@@ -148,13 +154,14 @@ INF
 ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
 ٠١٢٣٤٥٦٧٨٩

-#	Unicode Subscript/Superscript
+#	Unicode Subscript/Superscript/Accents
 #
 #	Strings which contain unicode subscripts/superscripts; can cause rendering issues

 ⁰⁴⁵
 ₀₁₂
 ⁰⁴⁵₀₁₂
+ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็

 #	Quotation Marks
 #
@@ -199,6 +206,7 @@ __ﾛ(,_,*)
 ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
 (╯°□°）╯︵ ┻━┻)
 (ﾉಥ益ಥ）ﾉ ┻━┻
+┬─┬ノ( º _ ºノ)
 ( ͡° ͜ʖ ͡°)

 #	Emoji
@@ -520,6 +528,7 @@ perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
 <i onwheel=alert(1)> Scroll over me </i>
 <plaintext>
 http://a/%%30%30
+</textarea><script>alert(123)</script>

 #	SQL Injection
 #
@@ -589,6 +598,7 @@ $ENV{'HOME'}
 () { 0; }; touch /tmp/blns.shellshock1.fail;
 () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
 <<< %s(un='%s') = %u
+++ATH0

 #	MSDOS/Windows Special Filenames
 #
@@ -639,6 +649,7 @@ expression
 Arsenal canal
 classic
 Tyson Gay
+Dick Van Dyke
 basement

 #	Human injection
--- a/package.json
+++ b/package.json
@@ -4,7 +4,7 @@
  "description": "The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data",
  "author": "Max Woolf <max@minimaxir.com>",
  "main": "blns.json",
-  "repository": "git+https://github.com/minimaxir/big-list-of-naughty-strings.git",
+  "repository": "minimaxir/big-list-of-naughty-strings",
  "license": "MIT",
  "bugs": {
    "url": "https://github.com/minimaxir/big-list-of-naughty-strings/issues"
--- a/scripts/texttobase64.sh
+++ b/scripts/texttobase64.sh
@@ -2,7 +2,7 @@ commentChar="#"
 while read p; do 
        firstChar=${p:0:1}
        if [[ "$firstChar" != "$commentChar" && "$firstChar" != "" ]] ; then
-		echo $p | base64; 
+		echo -n $p | base64;
 	else
 		echo $p;
 	fi