Blog | G5 Cyber Security

Bypassing Character Filters

TL;DR

Character filters block specific inputs to prevent attacks like cross-site scripting (XSS). This guide shows common bypass techniques, focusing on encoding, case manipulation, and alternative representations of blocked characters. Always test thoroughly!

Understanding Character Filters

Web applications often use character filters to sanitize user input. These filters remove or encode potentially dangerous characters like <, >, ", and '. However, filters aren’t always perfect, and clever attackers can find ways around them.

Bypass Techniques

  1. HTML Encoding:

  2. Case Manipulation: Some filters are case-sensitive. Try variations like:

  3. URL Encoding: If the input is URL-encoded, try encoding characters that are blocked in their raw form. For example:

  4. Unicode Encoding: Use Unicode representations of characters. This is especially effective if the application doesn’t properly handle Unicode.

  5. Double Encoding: Encode a character multiple times. The application might decode it only once, leaving the remaining encoded characters intact.

  6. Alternative Representations: Try different ways to represent characters:

  7. Whitespace and Comments: Sometimes, adding whitespace or HTML comments can break the filter:

  8. Contextual Encoding: The best bypass depends on where the input is used. If it’s inside an attribute, you might need to use different encoding than if it’s in a text node.
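The list above explains why a blocklist filter fails (case, stacked URL encoding, Unicode look-alikes) and why the right output encoding depends on context. The following Python is an added example written for this post, not code from the original article or from G5 Cyber Security. It puts a deliberately fragile filter beside the defender's fixes: canonicalize the input to a fixed point before checking it, prefer an allowlist where the field permits one, and encode at output per HTML context. The sample inputs are constructed for the example.

```python
import html
import re
import unicodedata
import urllib.parse

# Constructed sample inputs (not taken from the original post); each one
# exercises a weakness the post lists: case, double encoding, Unicode forms.
SAMPLE_INPUTS = {
    "plain": "alice_01",
    "mixed_case": "<ScRiPt>",
    "double_url_encoded": "%253Cscript%253E",   # %25 is '%', so one decode yields %3Cscript%3E
    "fullwidth_unicode": "\uff1cscript\uff1e",  # FULLWIDTH LESS-THAN / GREATER-THAN SIGN
}


def naive_filter(value: str) -> bool:
    """Deliberately fragile blocklist filter of the kind the post describes:
    one URL-decoding pass and a case-sensitive substring check.
    Returns True when the input is blocked."""
    decoded = urllib.parse.unquote(value)
    return "<script" in decoded


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing, so stacked encoding layers
    collapse before any check runs. Inputs that still change after max_rounds
    decodes are rejected outright rather than guessed at."""
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            # NFKC folds compatibility characters (e.g. fullwidth '<') into
            # their ASCII equivalents, so the check sees what a browser would.
            return unicodedata.normalize("NFKC", current)
        current = decoded
    raise ValueError("input exceeds allowed encoding depth")


def hardened_filter(value: str) -> bool:
    """Blocklist check run on the canonical, case-folded form.
    Still a blocklist, so treat it as a detection aid, not the primary defence."""
    return "<script" in canonicalize(value).casefold()


def is_valid_username(value: str) -> bool:
    """Allowlist validation: accept only the characters a username needs.
    Nothing produced by the techniques in the post is in this set."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", canonicalize(value)) is not None


def render_text_node(value: str) -> str:
    """Output encoding for an HTML text node: '<', '>' and '&' become entities."""
    return html.escape(value, quote=False)


def render_attribute(value: str) -> str:
    """Output encoding for a quoted attribute value: quotes must also be escaped,
    which is the context difference the post's last item points at."""
    return 'value="' + html.escape(value, quote=True) + '"'


if __name__ == "__main__":
    for name, raw in SAMPLE_INPUTS.items():
        print(f"{name:20} naive_blocks={naive_filter(raw)!s:5} "
              f"hardened_blocks={hardened_filter(raw)!s:5} "
              f"valid_username={is_valid_username(raw)!s:5} "
              f"text_node={render_text_node(canonicalize(raw))}")
```

Run it directly to see that the naive filter lets the mixed-case, double-encoded and fullwidth inputs through while the canonicalized check and the allowlist reject all three. The real fix is the last two functions: once output is entity-encoded for its context, a missed input no longer becomes markup, whatever the filter did.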

Testing

Always test your bypass attempts thoroughly. Use your browser’s developer tools to inspect the rendered HTML and JavaScript execution.

Important Note

Exploiting vulnerabilities without permission is illegal and unethical. This information is for educational purposes only, to help you understand how character filters work and how to protect against attacks in cyber security.
