TL;DR
Angle bracket filters block basic HTML tags like . We can bypass this by using alternative encoding, case mixing, or injecting HTML entities to reconstruct the tag.
Solution Guide
- Understand the Filter: The filter likely looks for literal angle brackets (< and >) in user input. It aims to prevent direct injection of HTML tags.
- Alternative Encoding (HTML Entities): Replace angle brackets with their corresponding HTML entities:
<represents <>represents >
Try injecting: . The browser should interpret this as a script tag.
- Case Mixing: Some filters are case-sensitive. Try variations like:
≪&lT;
- Double Encoding: If the server decodes HTML entities multiple times, double encoding can help. For example:
- Encode to
<script>alert(1)</script>
- Encode to
- Using Character Codes: Use the decimal or hexadecimal character codes for angle brackets:
- Decimal:
- Hexadecimal:
- Tag Attributes: Inject JavaScript into tag attributes. This often bypasses filters focused on the main tag structure.
- Context Matters: Where is the input being used? If it’s inside an attribute, you might need to use single quotes instead of double quotes:
- URL Encoding: If the input is URL encoded, try encoding the payload accordingly.
- Nested Tags: Sometimes nesting tags can work:
- Browser Variations: Different browsers handle XSS payloads differently. Test your exploits in multiple browsers (Chrome, Firefox, Safari, Edge).
Remember to always test responsibly and only on systems you have permission to assess.