Add 30 new XSS maze categories with 180 test endpoints (825 total)

New categories: script gadget, encoding edge, multi-vector, sanitizer edge,
hidden reflection, prototype, framework output, payload filter, late reflection,
API response, attribute event, URL param context, SEO context, JS string escape,
custom tag, embed context, global attr, error handling, ARIA attr, microdata,
inline style, numeric context, boolean attr, list iteration, CMS pattern,
ecommerce, dashboard, email template, social media, misc context.

Fix conditional_reflect level2 to check digits instead of letter 'a'.

Author: hahwul

src/mazes/api_response_xss.cr

@@ -0,0 +1,72 @@
+def load_api_response_xss
+  # Level 1: JSON-like response served as text/html
+  # The query is reflected inside a JSON string value, but since Content-Type is text/html,
+  # the browser will parse HTML tags embedded in the JSON.
+  # Bypass: break out of JSON string with ", inject HTML like <img src=x onerror=alert(1)>
+  Xssmaze.push("api-response-level1", "/api-response/level1/?query=a", "JSON-like response with text/html content type")
+  maze_get "/api-response/level1/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "{\"message\":\"#{query}\",\"status\":\"ok\"}"
+  end
+
+  # Level 2: XML response served as text/html
+  # The query is reflected inside an XML element, but Content-Type is text/html so
+  # the browser renders HTML tags within the XML structure.
+  # Bypass: inject <script>alert(1)</script> or <img src=x onerror=alert(1)>
+  Xssmaze.push("api-response-level2", "/api-response/level2/?query=a", "XML response with text/html content type")
+  maze_get "/api-response/level2/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "<response><message>#{query}</message></response>"
+  end
+
+  # Level 3: CSV-like response served as text/html
+  # The query is reflected in a CSV-formatted body, but Content-Type is text/html,
+  # so the browser treats the entire body as HTML.
+  # Bypass: inject <script>alert(1)</script> directly
+  Xssmaze.push("api-response-level3", "/api-response/level3/?query=a", "CSV-like response with text/html content type")
+  maze_get "/api-response/level3/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "name,value\nresult,#{query}"
+  end
+
+  # Level 4: JSONP callback response served as text/html
+  # The query is reflected inside JSONP data, but since Content-Type is text/html
+  # the browser will parse any HTML injected into the data string.
+  # Bypass: break out of JS string with ", inject </script><img src=x onerror=alert(1)>
+  Xssmaze.push("api-response-level4", "/api-response/level4/?query=a", "JSONP callback response with text/html content type")
+  maze_get "/api-response/level4/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "jsonpCallback({\"data\":\"#{query}\"})"
+  end
+
+  # Level 5: HTML fragment response (no doctype/html/body tags)
+  # The query is reflected inside a bare HTML fragment with no wrapping document structure.
+  # Bypass: inject <script>alert(1)</script> or event handlers to break out of div
+  Xssmaze.push("api-response-level5", "/api-response/level5/?query=a", "HTML fragment response without full document structure")
+  maze_get "/api-response/level5/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "<div class=\"result\">#{query}</div>"
+  end
+
+  # Level 6: Plain text error message served as text/html
+  # A simple error string with the query reflected, but Content-Type is text/html
+  # so the browser will render HTML tags embedded in the error text.
+  # Bypass: inject <script>alert(1)</script> directly
+  Xssmaze.push("api-response-level6", "/api-response/level6/?query=a", "Plain text error response with text/html content type")
+  maze_get "/api-response/level6/" do |env|
+    query = env.params.query["query"]
+    env.response.content_type = "text/html"
+
+    "Error: #{query}"
+  end
+end

src/mazes/aria_attr_xss.cr

@@ -0,0 +1,69 @@
+def load_aria_attr_xss
+  # Level 1: Reflected in <div role="alert" aria-label="QUERY">
+  # Bypass: break out of aria-label with " then inject event handler
+  Xssmaze.push("ariaattr-level1", "/ariaattr/level1/?query=a", "reflection in aria-label attribute (double-quoted)")
+  maze_get "/ariaattr/level1/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <div role=\"alert\" aria-label=\"#{query}\">notification</div>
+    </body></html>"
+  end
+
+  # Level 2: Reflected in <input aria-describedby="QUERY" type="text">
+  # Bypass: break out of aria-describedby with " then inject event handler
+  Xssmaze.push("ariaattr-level2", "/ariaattr/level2/?query=a", "reflection in aria-describedby attribute (double-quoted)")
+  maze_get "/ariaattr/level2/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <input aria-describedby=\"#{query}\" type=\"text\">
+    </body></html>"
+  end
+
+  # Level 3: Reflected in <span aria-live="polite" aria-atomic="QUERY">
+  # Bypass: break out of aria-atomic with " then inject event handler
+  Xssmaze.push("ariaattr-level3", "/ariaattr/level3/?query=a", "reflection in aria-atomic attribute (double-quoted)")
+  maze_get "/ariaattr/level3/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <span aria-live=\"polite\" aria-atomic=\"#{query}\">updates</span>
+    </body></html>"
+  end
+
+  # Level 4: Reflected in <div role="tooltip" aria-hidden="QUERY">
+  # Bypass: break out of aria-hidden with " then inject event handler
+  Xssmaze.push("ariaattr-level4", "/ariaattr/level4/?query=a", "reflection in aria-hidden attribute (double-quoted)")
+  maze_get "/ariaattr/level4/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <div role=\"tooltip\" aria-hidden=\"#{query}\">tooltip text</div>
+    </body></html>"
+  end
+
+  # Level 5: Reflected in <nav aria-label="QUERY">
+  # Bypass: break out of aria-label with " then inject event handler
+  Xssmaze.push("ariaattr-level5", "/ariaattr/level5/?query=a", "reflection in nav aria-label attribute (double-quoted)")
+  maze_get "/ariaattr/level5/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <nav aria-label=\"#{query}\">
+      <ul><li><a href=\"#\">Home</a></li></ul>
+    </nav>
+    </body></html>"
+  end
+
+  # Level 6: Reflected in <div role="QUERY" aria-relevant="additions">
+  # Bypass: break out of role with " then inject event handler
+  Xssmaze.push("ariaattr-level6", "/ariaattr/level6/?query=a", "reflection in role attribute (double-quoted)")
+  maze_get "/ariaattr/level6/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <div role=\"#{query}\" aria-relevant=\"additions\">content</div>
+    </body></html>"
+  end
+end

src/mazes/attribute_event_xss.cr

@@ -0,0 +1,62 @@
+def load_attribute_event_xss
+  # Level 1: Reflection inside onmouseover JS string
+  # Query is placed inside a single-quoted JS string in an onmouseover event handler.
+  # Bypass: break out with ') then inject new attribute/tag, e.g. ')//
+  Xssmaze.push("attr-event-level1", "/attr-event/level1/?query=a", "reflection in onmouseover JS string context")
+  maze_get "/attr-event/level1/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><div onmouseover=\"show('#{query}')\">hover me</div></body></html>"
+  end
+
+  # Level 2: Reflection inside onsubmit JS string
+  # Query is placed inside a single-quoted JS string in an onsubmit handler.
+  # Bypass: break out with ') then inject handler, e.g. ');alert(1)//
+  Xssmaze.push("attr-event-level2", "/attr-event/level2/?query=a", "reflection in onsubmit JS string context")
+  maze_get "/attr-event/level2/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><form onsubmit=\"validate('#{query}'); return false\"><input type=\"submit\" value=\"Submit\"></form></body></html>"
+  end
+
+  # Level 3: Reflection inside onload JS string
+  # Query is placed inside a single-quoted JS string in a body onload handler.
+  # Bypass: break out with ') then inject, e.g. ');alert(1)//
+  Xssmaze.push("attr-event-level3", "/attr-event/level3/?query=a", "reflection in body onload JS string context")
+  maze_get "/attr-event/level3/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body onload=\"init('#{query}')\"><p>Page loaded</p></body></html>"
+  end
+
+  # Level 4: Reflection inside onerror JS string
+  # Query is placed inside a single-quoted JS string in an img onerror handler.
+  # The img src is intentionally invalid to trigger onerror.
+  # Bypass: break out with ') then inject, e.g. ');alert(1)//
+  Xssmaze.push("attr-event-level4", "/attr-event/level4/?query=a", "reflection in img onerror JS string context")
+  maze_get "/attr-event/level4/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><img src=\"/nonexistent.jpg\" onerror=\"report('#{query}')\"></body></html>"
+  end
+
+  # Level 5: Reflection inside onblur JS string
+  # Query is placed inside a single-quoted JS string in an input onblur handler.
+  # Bypass: break out with ') then inject, e.g. ');alert(1)//
+  Xssmaze.push("attr-event-level5", "/attr-event/level5/?query=a", "reflection in input onblur JS string context")
+  maze_get "/attr-event/level5/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><input value=\"test\" onblur=\"save('#{query}')\"></body></html>"
+  end
+
+  # Level 6: Reflection inside onclick JS string
+  # Query is placed inside a single-quoted JS string in a button onclick handler.
+  # Bypass: break out with ') then inject, e.g. ');alert(1)//
+  Xssmaze.push("attr-event-level6", "/attr-event/level6/?query=a", "reflection in button onclick JS string context")
+  maze_get "/attr-event/level6/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><button onclick=\"action('#{query}')\">Click</button></body></html>"
+  end
+end

src/mazes/boolean_attr_xss.cr

@@ -0,0 +1,67 @@
+def load_boolean_attr_xss
+  # Level 1: Reflected in checkbox checked attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level1", "/booleanattr/level1/?query=true", "boolean attr context in checkbox checked")
+  maze_get "/booleanattr/level1/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 1</h1>
+    <form><input type=\"checkbox\" checked=\"#{query}\"> Accept terms</form>
+    </body></html>"
+  end
+
+  # Level 2: Reflected in select multiple attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level2", "/booleanattr/level2/?query=true", "boolean attr context in select multiple")
+  maze_get "/booleanattr/level2/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 2</h1>
+    <form><select multiple=\"#{query}\"><option>Option A</option><option>Option B</option></select></form>
+    </body></html>"
+  end
+
+  # Level 3: Reflected in input readonly attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level3", "/booleanattr/level3/?query=true", "boolean attr context in input readonly")
+  maze_get "/booleanattr/level3/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 3</h1>
+    <form><input type=\"text\" readonly=\"#{query}\" value=\"Read only field\"></form>
+    </body></html>"
+  end
+
+  # Level 4: Reflected in button disabled attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level4", "/booleanattr/level4/?query=true", "boolean attr context in button disabled")
+  maze_get "/booleanattr/level4/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 4</h1>
+    <form><button disabled=\"#{query}\">Submit</button></form>
+    </body></html>"
+  end
+
+  # Level 5: Reflected in details open attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level5", "/booleanattr/level5/?query=true", "boolean attr context in details open")
+  maze_get "/booleanattr/level5/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 5</h1>
+    <details open=\"#{query}\"><summary>Info</summary><p>Detailed content here.</p></details>
+    </body></html>"
+  end
+
+  # Level 6: Reflected in input autofocus attribute value (double-quoted)
+  Xssmaze.push("booleanattr-level6", "/booleanattr/level6/?query=true", "boolean attr context in input autofocus")
+  maze_get "/booleanattr/level6/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body>
+    <h1>Boolean Attr XSS Level 6</h1>
+    <form><input autofocus=\"#{query}\" type=\"text\" placeholder=\"Enter text\"></form>
+    </body></html>"
+  end
+end

src/mazes/cms_pattern_xss.cr

@@ -0,0 +1,55 @@
+def load_cms_pattern_xss
+  # Level 1: WordPress post title - raw reflection in entry-title h1
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level1", "/cmspattern/level1/?query=a", "WordPress post title raw reflection")
+  maze_get "/cmspattern/level1/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><h1 class=\"entry-title\">#{query}</h1></body></html>"
+  end
+
+  # Level 2: WordPress widget title - raw reflection in widget-title h3
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level2", "/cmspattern/level2/?query=a", "WordPress widget title raw reflection")
+  maze_get "/cmspattern/level2/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><div class=\"widget\"><h3 class=\"widget-title\">#{query}</h3></div></body></html>"
+  end
+
+  # Level 3: Drupal field body - raw reflection in field paragraph
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level3", "/cmspattern/level3/?query=a", "Drupal field body raw reflection")
+  maze_get "/cmspattern/level3/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><div class=\"field field--name-body\"><p>#{query}</p></div></body></html>"
+  end
+
+  # Level 4: Joomla module - raw reflection in module heading
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level4", "/cmspattern/level4/?query=a", "Joomla module heading raw reflection")
+  maze_get "/cmspattern/level4/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><div class=\"moduletable\"><h3>#{query}</h3><div class=\"module-body\">content</div></div></body></html>"
+  end
+
+  # Level 5: Ghost blog excerpt - raw reflection in post-card-excerpt
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level5", "/cmspattern/level5/?query=a", "Ghost blog excerpt raw reflection")
+  maze_get "/cmspattern/level5/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><p class=\"post-card-excerpt\">#{query}</p></body></html>"
+  end
+
+  # Level 6: Medium-style article section - raw reflection in nested article content
+  # Bypass: direct HTML injection, e.g. <script>alert(1)</script>
+  Xssmaze.push("cmspattern-level6", "/cmspattern/level6/?query=a", "Medium-style article content raw reflection")
+  maze_get "/cmspattern/level6/" do |env|
+    query = env.params.query["query"]
+
+    "<html><body><article><section><div class=\"section-content\"><p>#{query}</p></div></section></article></body></html>"
+  end
+end

src/mazes/conditional_reflect_xss.cr

@@ -12,13 +12,13 @@ def load_conditional_reflect_xss
     end
   end
 
-  # Level 2: Reflects only if input contains letter 'a'
-  # Most payloads contain 'a' (alert, onerror, animate, etc.)
-  Xssmaze.push("condreflect-level2", "/condreflect/level2/?query=a", "reflects only if input contains letter a")
+  # Level 2: Reflects only if input contains a digit
+  # Most payloads and scanner markers contain digits
+  Xssmaze.push("condreflect-level2", "/condreflect/level2/?query=a", "reflects only if input contains a digit")
   maze_get "/condreflect/level2/" do |env|
     query = env.params.query["query"]
 
-    if query.includes?("a") || query.includes?("A")
+    if query.matches?(/[0-9]/)
       "<html><body><div>#{query}</div></body></html>"
     else
       "<html><body><div>No results</div></body></html>"