<testcase>
<info>
<keywords>
HTTP
HTTP GET
filter ie-exploits
</keywords>
</info>

<reply>
<data>
HTTP/1.1 200 OK
Date: Thu, 22 Jul 2010 11:22:33 GMT
Connection: close
Content-Type: text/html
X-Control: swsclose

# Here are some strings the ie-exploits filter should filter:

# pcrs command 1:

f("javascript:location.replace('mk:@MSITStore:C:')");

# pcrs command 2:

<a href="http://www.example.org/%hex[%01]hex%@blafasel">
<a href="http://www.example.org/%hex[%02]hex%@blafasel">
<a href="http://www.example.org/%hex[%03]hex%@blafasel">

<a href="http://www.example.org/%00@blafasel">
<a href="http://www.example.org/%01@blafasel">
<a href="http://www.example.org/%02@blafasel">

# pcrs command 3:

<script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
<script language="JavaScript">1;''.concat("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
</data>
</reply>

<proxy-reply>
<data>
HTTP/1.1 200 OK
Date: Thu, 22 Jul 2010 11:22:33 GMT
Connection: close
Content-Type: text/html
X-Control: swsclose
Content-Length: 890

# Here are some strings the ie-exploits filter should filter:

# pcrs command 1:

alert("This page looks like it tries to use a vulnerability described here:
 http://online.securityfocus.com/archive/1/298748/2002-11-02/2002-11-08/2");

# pcrs command 2:

<a href="http://www.example.org/MALICIOUS-LINK@blafasel">
<a href="http://www.example.org/MALICIOUS-LINK@blafasel">
<a href="http://www.example.org/MALICIOUS-LINK@blafasel">

<a href="http://www.example.org/MALICIOUS-LINK@blafasel">
<a href="http://www.example.org/MALICIOUS-LINK@blafasel">
<a href="http://www.example.org/MALICIOUS-LINK@blafasel">

# pcrs command 3:

<br><font size="7"> WARNING: This Server is infected with <a href="http://www.cert.org/advisories/CA-2001-26.html">Nimda</a>!</font>
<br><font size="7"> WARNING: This Server is infected with <a href="http://www.cert.org/advisories/CA-2001-26.html">Nimda</a>!</font>
</data>
</proxy-reply>

<client>
<server>
http
</server>
<name>
+filter{ie-exploits}
</name>
<features>
proxy
</features>
<command>
http://%HOSTIP:%HTTPPORT/ie-exploits/%TESTNUMBER
</command>
</client>

<verify>
<protocol>
GET /ie-exploits/%TESTNUMBER HTTP/1.1
Host: %HOSTIP:%HTTPPORT
User-Agent: curl/%VERSION
Accept: */*
Connection: close

</protocol>
</verify>
</testcase>
