TL;DR
This guide shows how to bypass a basic XSS filter that only blocks the less-than symbol (<). We’ll use alternative HTML tags, encoding tricks, and case mixing to get JavaScript code executed.
Bypassing the Filter
- Understanding the Problem: The filter is likely looking for
- Encoding: HTML encoding can sometimes bypass filters. Try using character entities.
- Decimal Encoding:
- Hexadecimal Encoding:
- Attribute-Based XSS: If the filter allows attributes, you can inject JavaScript into event handlers.
- The onerror attribute executes when the image fails to load.
- Executes when the mouse hovers over the body element.
- Using Data URLs: Sometimes, data URLs can help bypass filters.
- Double Encoding (Less Common): In some cases, double encoding might work if the application decodes the input multiple times.
- Encode < to &lt; then encode that again to &amp;lt;. This is less likely to succeed but worth a try.
- Testing: After each attempt, check if the JavaScript code executes in your browser.
- Use your browser’s developer tools (usually F12) to inspect the HTML source and see if the injected code is present.
- Look for JavaScript errors in the console that might indicate successful execution.
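The encoding and double-encoding items above work only when a filter inspects the raw input and the application decodes it afterwards. The following JavaScript is an added example, not part of the original guide, showing the defender's side: canonicalize before validating, flag multi-layer encoding, and encode at output time. All helper names and sample inputs are constructed for illustration, and the decoder covers only numeric references and five named entities.

```javascript
// Added example: helper names and sample inputs are constructed for illustration.
const NAMED = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);

// Turn a numeric reference into a character; leave out-of-range values untouched.
const fromCode = (n, original) => (n <= 0x10FFFF ? String.fromCodePoint(n) : original);

// Decode ONE layer of character references: decimal, hex, and five named entities.
function decodeEntitiesOnce(s) {
  return s.replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));?/g, (m, dec, hex, name) => {
    if (dec) return fromCode(parseInt(dec, 10), m);
    if (hex) return fromCode(parseInt(hex, 16), m);
    return NAMED.has(name) ? NAMED.get(name) : m;
  });
}

// Decode until the value stops changing (bounded), counting the layers removed.
function canonicalize(input, maxRounds = 5) {
  let value = input;
  let rounds = 0;
  while (rounds < maxRounds) {
    const next = decodeEntitiesOnce(value);
    if (next === value) break;
    value = next;
    rounds += 1;
  }
  return { value, rounds };
}

// The weak control described on the page: reject only a literal less-than sign.
const naiveFilterAllows = (s) => !s.includes('<');

// Output encoding for HTML body text and quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

function review(input) {
  const { value, rounds } = canonicalize(input);
  return {
    naiveAllows: naiveFilterAllows(input),            // what the weak filter decides
    hiddenMarkup: rounds > 0 && /[<>"']/.test(value), // markup appears only after decoding
    multiEncoded: rounds > 1,                         // more than one layer: suspicious
    safeForHtmlBody: escapeHtml(input),               // encode the raw input at output time
  };
}

for (const sample of ['&#60;b&#62;', '&#x3c;b&#x3e;', '&amp;lt;b&amp;gt;', 'plain text']) {
  console.log(JSON.stringify(sample), review(sample));
}
```

`escapeHtml` is correct only for HTML body text and quoted attribute values; values placed in URLs, event handlers or script blocks need encoding specific to those contexts.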
Important Note: This information is provided for educational purposes only. Do not use these techniques to attack websites without permission. XSS attacks are illegal and harmful.

