There is no shortage of defenses against cross-site scripting (XSS), given how prevalent it is on the Web today. Filters are one of the most common implementations used to prevent these attacks. They are typically configured as a blacklist of known bad expressions or are based on regex matching. There is hope, however: a variety of techniques can be used to bypass these filters.
We can start with relatively simple filter bypasses. Depending on the complexity of the filter, these can yield results with minimal effort.
Most of the techniques we will examine are variations of a simple payload for testing for XSS, which looks like the following code. If the tested parameter is vulnerable, an alert box displaying the number one will appear.
Sometimes simple changes to this code get past basic defensive filters. Add a space or tab after the opening script tag:
This also works with an encoded tab, line feed, or carriage return breaking up the tag.
Changing the case of the script tags can also trip up certain filters.
Another useful method that often succeeds is the null byte trick. Inserting a null byte anywhere in the XSS payload can sometimes defeat the filter.
<%00script>alert(1)
Attributes & Tags
HTML attributes contain additional information about specific elements on the page. When looking for XSS vulnerabilities, these attributes can often be misused to inject script and demonstrate that a vulnerability exists. For example, take the input element that contains an attribute:
We can insert our XSS test code by terminating the quoted attribute value and closing the input tag, like so:
<%00input type="text" name="input" value=">
Event handler
Take the input element from the previous example and insert an event handler containing code to test for XSS. Any suitable event handler (onsubmit in this case) can be used to build a payload. The following example triggers an alert once the form input has been submitted, if the parameter is vulnerable to XSS.
Depending on the type of filter in place, there are many other event handlers that can be used to test for XSS vulnerabilities. Many of them do not even require user interaction, which makes them ideal for testing.
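Keyword blacklists fail against the whitespace, case, null byte and event handler variants above because they match a literal string rather than what the browser parses; the mitigation that holds is contextual output encoding. The following Python is an added example, not code from the original article: a hypothetical blacklist regex is checked against constructed copies of the variants described on this page, alongside HTML encoding for the quoted attribute context, which contains every one of them.

```python
import html
import re

# Constructed test inputs: the payload variants discussed on this page.
PAYLOAD_VARIANTS = [
    "<script>alert(1)</script>",      # the basic test payload
    "<script >alert(1)</script>",     # space after the opening tag name
    "<script\t>alert(1)</script>",    # tab after the opening tag name
    "<ScRiPt>alert(1)</ScRiPt>",      # mixed case
    "<\x00script>alert(1)</script>",  # null byte inside the tag
    "<input onsubmit=alert(1) <",     # event handler with a trailing open bracket
]

# Hypothetical blacklist of the kind the article describes: literal,
# case-sensitive, and unaware of whitespace or null bytes.
BLACKLIST = re.compile(r"<script>|onsubmit=")


def blacklist_blocks(value: str) -> bool:
    """True if the naive blacklist would reject this input."""
    return BLACKLIST.search(value) is not None


ATTR_PREFIX = '<input type="text" name="input" value="'
ATTR_SUFFIX = '">'


def render_attribute(value: str) -> str:
    """The defence that holds: HTML-encode untrusted data for the
    quoted-attribute context it lands in, instead of filtering it."""
    return ATTR_PREFIX + html.escape(value, quote=True) + ATTR_SUFFIX


def value_stays_in_attribute(rendered: str) -> bool:
    """True if the encoded value can neither close the quote nor open a tag."""
    inner = rendered[len(ATTR_PREFIX):-len(ATTR_SUFFIX)]
    return not any(c in inner for c in '"<>')


def audit(payloads=PAYLOAD_VARIANTS) -> dict:
    """Count how many variants each defence handles."""
    return {
        "total": len(payloads),
        "blacklist_blocked": sum(blacklist_blocks(p) for p in payloads),
        "encoding_contained": sum(
            value_stays_in_attribute(render_attribute(p)) for p in payloads
        ),
    }


if __name__ == "__main__":
    print(audit())  # {'total': 6, 'blacklist_blocked': 2, 'encoding_contained': 6}
```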
Separators and brackets
A separator is one or more characters used to separate text strings or other data streams. Clever use of separators can be fruitful in finding XSS vulnerabilities. In HTML, whitespace is usually used to separate attributes and their values. Sometimes filters can be fooled by using single or double quotes as separators instead.
The encoded forms of these characters can also be used to bypass the defense.
The grave accent, or backtick, offers another useful trick that can often sneak past filters.
And the encoded version:
Filters sometimes search for specific keywords, for example event handlers beginning with "on", to stop XSS attacks using this vector. If we reorder the attributes from before, a filter that does not recognize grave accents will treat the whole thing as a single attribute that does not start with "on", effectively bypassing the filter.
Similar to separators, brackets can also be misused to fool filters. In certain situations, the filter simply searches for pairs of opening and closing angle brackets and compares the content to a blacklist of bad tags. By adding extra brackets, the filter can sometimes be tricked into accepting the rest of the code. The double slash comments out the extra bracket of the closing tag, so no error is thrown. So this:
Becomes, after filtering:
Sometimes the filter is bypassed by using an open bracket at the end:
<input onsubmit=alert(1) <
In some cases, an application translates unusual characters into their nearest equivalents based on similar characteristics. For example, if we replace the traditional opening and closing angle brackets with double angle quotation marks, an application performing this conversion will turn them into the correct characters, which makes the input valid and bypasses the filter.
«input onsubmit=alert(1)»
It may also prove successful to encode these characters, similar to the previous examples.
&#174input onsubmit=alert(1)&#175
Take, for example, the href attribute of the a element. This HTML attribute specifies the URL of a link's destination, typically with some hyperlinked text, as follows:
Other attributes that take a URL as a value can also be used (note that while quoting attribute values is recommended, attribute values do not require quotes).
Stay tuned for more filter bypasses