Blog | G5 Cyber Security

Bypass Simple XSS Filter (<)

TL;DR

This guide shows how to bypass a basic XSS filter that only blocks the less-than symbol (<). We’ll use alternative HTML tags, encoding tricks, and case mixing to get JavaScript code executed.

Bypassing the Filter

  1. Understanding the Problem: The filter is likely looking for
  2. Encoding: HTML encoding can sometimes bypass filters. Try using character entities.
    • Decimal Encoding:
    • Hexadecimal Encoding:
  3. Attribute-Based XSS: If the filter allows attributes, you can inject JavaScript into event handlers.
    • – The onerror attribute executes when the image fails to load.
    • – Executes when the mouse hovers over the body element.
  4. Using Data URLs: Sometimes, data URLs can help bypass filters.
  5. Double Encoding (Less Common): In some cases, double encoding might work if the application decodes the input multiple times.
    • Encode < to < then encode that again to <. This is less likely to succeed but worth a try.
  6. Testing: After each attempt, check if the JavaScript code executes in your browser.
    • Use your browser’s developer tools (usually F12) to inspect the HTML source and see if the injected code is present.
    • Look for JavaScript errors in the console that might indicate successful execution.
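
The defender's view of step 3, as an added example that is not part of the original post: it reflects one constructed input into a quoted attribute, then parses the result to see whether an event-handler attribute appears, first with a filter that only removes `<` and then with context-aware output encoding. The template, the function names and the sample value are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

def naive_filter(value: str) -> str:
    """The weak control the page describes: only '<' is removed."""
    return value.replace("<", "")

def encode_for_attribute(value: str) -> str:
    """Context-aware output encoding: escapes & < > and both quote characters."""
    return html.escape(value, quote=True)

def render(value: str) -> str:
    # Hypothetical template that reflects user input inside a quoted attribute.
    return '<input type="text" name="q" value="' + value + '">'

class HandlerFinder(HTMLParser):
    """Collects event-handler attributes (names starting with 'on') in parsed markup."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]

def event_handlers(markup: str):
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers

# Constructed test input: it contains no '<', yet it closes the attribute value.
SAMPLE = 'probe" onmouseover="noop()'

def audit(sample: str = SAMPLE):
    """Return the handler attributes a parser sees under each control."""
    weak = render(naive_filter(sample))
    hardened = render(encode_for_attribute(sample))
    return {"weak": event_handlers(weak), "hardened": event_handlers(hardened)}

if __name__ == "__main__":
    # weak: [('input', 'onmouseover')], hardened: []
    print(audit())
```

The same parse-and-check function can serve as a regression test for any template that reflects user input into an attribute.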

Important Note: This information is provided for educational purposes only. Do not use these techniques to attack websites without permission. XSS attacks are illegal and harmful.
