Bypassing Character Filters

G5 Cyber Security

6 months ago

TL;DR

Character filters block specific inputs to prevent attacks like cross-site scripting (XSS). This guide shows common bypass techniques, focusing on encoding, case manipulation, and alternative representations of blocked characters. Always test thoroughly!

Understanding Character Filters

Web applications often use character filters to sanitize user input. These filters remove or encode potentially dangerous characters like <, >, ", and '. However, filters aren’t always perfect, and clever attackers can find ways around them.

Bypass Techniques

HTML Encoding:

Filters often block the literal characters but might not decode HTML entities. Try using these:
- < for <
- > for >
- " for "
- ' or ' for '
- & for &

Case Manipulation:

Some filters are case-sensitive. Try variations like:

<<

URL Encoding:

If the input is URL-encoded, try encoding characters that are blocked in their raw form. For example:

%3Cscript%3E for

Unicode Encoding:

Use Unicode representations of characters. This is especially effective if the application doesn’t properly handle Unicode.

< for <
< for <

Double Encoding:

Encode a character multiple times. The application might decode it only once, leaving the remaining encoded characters intact.

Example: If the filter blocks , try <script>

Alternative Representations:

Try different ways to represent characters:

Using octal or hexadecimal representations.
Using character codes (e.g., <).

Whitespace and Comments:

Sometimes, adding whitespace or HTML comments can break the filter: