Get a Pentest and security assessment of your IT network.

Cyber Security

Bypassing Angle Bracket XSS Filter

TL;DR

Angle bracket filters block basic HTML tags like . The browser should interpret this as a script tag.

  • Case Mixing: Some filters are case-sensitive. Try variations like:
    • &lT;
  • Double Encoding: If the server decodes HTML entities multiple times, double encoding can help. For example:
    • Encode to <script>alert(1)</script>
  • Using Character Codes: Use the decimal or hexadecimal character codes for angle brackets:
    • Decimal:
    • Hexadecimal:
  • Tag Attributes: Inject JavaScript into tag attributes. This often bypasses filters focused on the main tag structure.
  • Context Matters: Where is the input being used? If it’s inside an attribute, you might need to use single quotes instead of double quotes:
  • URL Encoding: If the input is URL encoded, try encoding the payload accordingly.
  • Nested Tags: Sometimes nesting tags can work:
  • Browser Variations: Different browsers handle XSS payloads differently. Test your exploits in multiple browsers (Chrome, Firefox, Safari, Edge).
  • Remember to always test responsibly and only on systems you have permission to assess.

    Related posts
    Cyber Security

    Zip Codes & PII: Are They Personal Data?

    Cyber Security

    Zero-Day Vulnerabilities: User Defence Guide

    Cyber Security

    Zero Knowledge Voting with Trusted Server

    Cyber Security

    ZeroNet: 51% Attack Risks & Mitigation