Bypassing Input Filters

TL;DR

Input filters block characters that could cause problems (like website hacking). This guide shows common ways attackers get around these filters, and how to protect against them. It’s aimed at anyone managing web applications or security.

Understanding Metacharacter Filtering

Metacharacters are special symbols with extra meaning (e.g., <, >, "). Filters try to remove or escape these characters to prevent attacks like cross-site scripting (XSS) and SQL injection.

Bypass Techniques

1. Character Encoding:

• HTML Entities: Replace characters with their HTML entity codes. For example, < for <, > for >, & for &.
• URL Encoding: Use percent encoding (e.g., %3C for <). Useful when submitting data in URLs.
• Unicode Encoding: Use Unicode characters that are visually similar to the blocked character. For example, using a full-width angle bracket instead of a standard one.

Case Variation: Some filters only check for lowercase metacharacters. Try uppercase versions (e.g., <).

Double Encoding: Encode the character multiple times. The filter might decode it once, leaving a still-encoded character that bypasses further checks. For example, encoding < as %26lt;.

Using Alternative Syntax:

• JavaScript Encoding: If the input is used in JavaScript, try using JavaScript-specific escape sequences (e.g., x3C for <).
• SQL Injection Alternatives: For SQL injection, explore different ways to achieve the same result without using common keywords like SELECT or UNION.

Whitespace and Comments:

• Adding Whitespace: Insert spaces around metacharacters (e.g., < tag >). Some filters don’t handle whitespace correctly.
• Using Comments: Inject comments to break up the filter’s pattern matching (e.g., <!-- comment -->tag<!-- comment -->).

Contextual Bypass: The effectiveness of a bypass depends on where the input is used.

• Attribute Context: If the input goes into an HTML attribute, you might need to use different techniques than if it’s placed directly in the body of the page. For example, using single quotes instead of double quotes within an attribute.
• JavaScript Context: Different encoding methods are needed for JavaScript code.

Example: Bypassing a Simple HTML Tag Filter

Let’s say the filter blocks <script>.

Input: <script>alert('XSS')</script>  (Blocked)

Bypass 1 (HTML Entities): <script>alert('XSS')</script> (May work)

Bypass 2 (Case Variation): <Script>alert('XSS')</Script> (May work if case-insensitive filtering isn't used)

Protecting Against Bypasses

1. Input Validation:

• Whitelist Approach: Only allow specific, known-good characters or patterns. This is the most secure method.
• Blacklist Avoidance: Blacklists are easily bypassed. Use them only as a secondary defense.

Output Encoding/Escaping: Encode all user input before displaying it on the page, based on the context where it’s used (HTML, JavaScript, URL, etc.). This prevents malicious code from being executed even if the filter is bypassed. Use a well-tested library for encoding.

Content Security Policy (CSP): A powerful security mechanism that tells the browser which sources of content are allowed to load. It can significantly reduce the risk of XSS attacks.

Regular Updates: Keep your filtering libraries and frameworks up to date to benefit from the latest security patches.

Security Audits & Penetration Testing: Regularly test your application for vulnerabilities, including input filter bypasses.