
Bypassing Character Filters

TL;DR

Character filters block specific inputs to prevent attacks like cross-site scripting (XSS). This guide shows common bypass techniques, focusing on encoding, case manipulation, and alternative representations of blocked characters. Always test thoroughly!

Understanding Character Filters

Web applications often use character filters to sanitize user input. These filters remove or encode potentially dangerous characters such as <, >, ", and '. However, filters aren’t always perfect: a filter that matches only one literal representation of a character misses every other representation, and attackers look for exactly those gaps.

Bypass Techniques

  1. HTML Encoding:
    • Filters often block the literal characters but might not decode HTML entities. Try using these:
      • &lt; for <
      • &gt; for >
      • &quot; for "
      • &#39; or &apos; for '
      • &amp; for &
  2. Case Manipulation:
    • Some filters are case-sensitive. Try variations like:
      • <ScRiPt>
      • <<
  3. URL Encoding:
    • If the input is URL-encoded, try encoding characters that are blocked in their raw form. For example:
      • %3Cscript%3E for <script>
  4. Unicode Encoding:
    • Use Unicode representations of characters. This is especially effective if the application doesn’t properly handle Unicode.
      • < for <
      • < for <
  5. Double Encoding:
    • Encode a character multiple times. The application might decode it only once, leaving the remaining encoded characters intact.
      • Example: If the filter blocks <script>, try &lt;script>
  6. Alternative Representations:
    • Try different ways to represent characters:
      • Using octal or hexadecimal representations.
      • Using character codes (e.g., &#60; for <).
  7. Whitespace and Comments:
    • Sometimes, adding whitespace or HTML comments can break the filter:
      • <script> alert(1); </script>
      • <scriptalert(1);//-->
  8. Contextual Encoding:
    • The best bypass depends on where the input is used. If it’s inside an attribute, you might need different encoding than if it’s in a text node.
      • Example (inside an HTML attribute): " onclick="alert(1)"
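The techniques above all exploit the same defensive mistake: a filter that inspects only one literal spelling of a dangerous string. The following added example (written for this page, not code from the original post) shows a typical blocklist filter missing the encoded and case-varied forms listed above, then the two things a defender should do instead: canonicalize input (decode URL and HTML encodings until the string stops changing, then case-fold) before inspecting it, and encode output for the HTML context it lands in rather than stripping characters. The sample inputs are constructed for the demonstration; the function names are the example's own.

```python
"""Added example: why a blocklist character filter fails against encoding
variants, and what canonicalize-then-encode looks like in practice."""
import html
import urllib.parse

# Constructed sample inputs mirroring the bypass techniques on this page.
SAMPLES = {
    "plain":       "<script>alert(1)</script>",
    "mixed_case":  "<ScRiPt>alert(1)</ScRiPt>",
    "url_encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_url":  "%253Cscript%253Ealert(1)%253C/script%253E",
    "html_entity": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "numeric_ref": "&#60;script&#62;alert(1)&#60;/script&#62;",
}


def naive_filter_blocks(value: str) -> bool:
    """A typical broken blocklist: rejects only the literal lowercase tag.
    Every other representation of the same tag passes straight through."""
    return "<script>" in value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode URL encoding and HTML entities until the string stops changing,
    then case-fold. Bounding the rounds keeps hostile input from forcing an
    unbounded decode loop; anything still encoded after the limit is left
    as-is and will not match an allowlist of expected values."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.casefold()


def canonical_filter_blocks(value: str) -> bool:
    """The same check applied to the canonical form catches all variants.
    Inspection alone is still not a sufficient defence; see below."""
    return "<script>" in canonicalize(value)


def encode_for_html_text(value: str) -> str:
    """Output encoding for a text node: < > & " ' become entities, so the
    browser renders the input as data rather than parsing it as markup."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Output encoding for a quoted attribute value. Escaping the quote
    characters is what stops the ' onclick=' attribute-breakout pattern;
    the caller must also always wrap the attribute value in quotes."""
    return html.escape(value, quote=True)


def render_attribute(name: str, value: str) -> str:
    """Build a safely quoted HTML attribute from untrusted input."""
    return f'{name}="{encode_for_html_attribute(value)}"'


def filter_report() -> dict:
    """Which sample inputs each filter blocks; used to show the gap."""
    return {
        label: (naive_filter_blocks(v), canonical_filter_blocks(v))
        for label, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (naive, canon) in filter_report().items():
        print(f"{label:12s} naive_blocks={naive!s:5s} canonical_blocks={canon}")
    print(render_attribute("title", '" onclick="alert(1)"'))
```

The point of the example is that canonicalization makes the inspection honest, but the defence that actually holds is the output encoding: once every untrusted value is escaped for its exact HTML context (text node, quoted attribute, and so on), none of the encoding tricks on this page change how the browser parses the page.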

Testing

Always test your bypass attempts thoroughly. Use your browser’s developer tools to inspect the rendered HTML and JavaScript execution.

Important Note

Exploiting vulnerabilities without permission is illegal and unethical. This information is for educational purposes only, to help you understand how character filters work and how to protect against attacks in cyber security.
