TL;DR
Single quote filtering is a common but often incomplete defence against Cross-Site Scripting (XSS). This guide shows how to bypass it using various techniques, and explains why these work. We’ll cover encoding, different quote types, HTML entities, and injecting JavaScript within attributes.
Understanding the Problem
Many web applications attempt to prevent XSS by removing or escaping single quotes (`'`). However, this is rarely enough on its own. Attackers can often find ways around these filters.
Solution: Bypassing Single Quote Filters
- Double Quotes: Try using double quotes instead of single quotes. If the application only filters single quotes, double quotes will likely work.
  `<input type="value" onfocus=alert(1)>`
- HTML Entities: Use HTML entities to represent the single quote character.
  - `&#39;`: This is a common representation of a single quote.
  - `&#x27;`: Another valid entity code for a single quote.
  - `&apos;`: A named HTML entity representing a single quote.
  `<input type="value" onfocus=alert(&#39;1&#39;)>`
- Different Quote Types: Explore other types of quotes that might not be filtered.
  - Backticks (`` ` ``): Some applications may allow backticks.
  - Curly Quotes (‘ and ’): These can sometimes bypass basic filters.
- Attribute Injection: Inject JavaScript directly into HTML attributes.
  `<img src="x" onerror=alert(1)>`
  This works because the `onerror` attribute executes JavaScript when an error occurs (in this case, a broken image source).
- Event Handlers: Use other event handlers besides `onfocus`.
  - `onload`: Executes when an element has loaded.
  - `onclick`: Executes when an element is clicked.
  - `onmouseover`: Executes when the mouse hovers over an element.
  `<input type="value" onclick=alert(1)>`
- Encoding (URL Encoding): If input is URL encoded, try encoding the single quote.
  - `%27`: The URL-encoded representation of a single quote.
  `<input type="value" onfocus=alert(%271%27)>`
- Case Sensitivity: Some filters are case sensitive. Try variations like ' and '.
- JavaScript String Concatenation: Break up the JavaScript code into multiple strings.
  `<input type="value" onfocus=alert('1' + '2')>`
- Using Comments: Sometimes, inserting comments can help bypass filters.
  `<input type="value" onfocus=/*-->*/alert(1)>`
Important Considerations
- Context Matters: The success of these techniques depends heavily on the specific context of the input field and how the application processes it.
- Input Validation is Key: Proper input validation and output encoding are crucial for preventing XSS vulnerabilities. Filtering single quotes alone is not sufficient.
- Content Security Policy (CSP): Implement a strong CSP to restrict the sources from which scripts can be loaded, further mitigating XSS risks.
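
The difference between quote filtering and output encoding can be checked directly. The following is an added example, not code from the original guide: it renders inputs taken from this guide through a quote-stripping filter and through an HTML output encoder, then reports whether a tag carrying an event handler survives. The template, function names and CSP value are assumptions made for illustration.

```javascript
// Added example, not from the original guide. Template and names are hypothetical.

// Weak defence described in this guide: remove single quotes only.
function stripSingleQuotes(input) {
  return String(input).replace(/'/g, "");
}

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template that places user input in an HTML text context.
function render(name, defence) {
  return `<p>Hello, ${defence(name)}</p>`;
}

// Crude audit check: does the markup still contain a tag carrying an on* handler?
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Sample inputs based on payloads in this guide (the entity form is constructed).
const SAMPLES = [
  '<input type="value" onfocus=alert(1)>',
  '<input type="value" onfocus=alert(&#39;1&#39;)>',
  '<img src="x" onerror=alert(1)>',
  '<input type="value" onclick=alert(1)>',
];

// Returns one boolean per sample: true means a handler-bearing tag survived.
function audit(defence) {
  return SAMPLES.map((s) => hasEventHandlerTag(render(s, defence)));
}

// A CSP without 'unsafe-inline' also refuses inline event handlers such as onerror=.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'";

console.log("strip single quotes:", audit(stripSingleQuotes));
console.log("HTML-encode output: ", audit(escapeHtml));
console.log(CSP_HEADER);
```

The encoder shown covers HTML text and quoted attribute values only; input placed inside a script block, a URL or an unquoted attribute needs the encoding for that context.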

