TL;DR
If a website's XSS filter simply replaces or strips characters like `<`, `>` and `"` as they appear in the raw input, you can often bypass it with a representation the filter does not recognise but a later step decodes: HTML entities, URL encoding (single or double), JavaScript Unicode escapes, or mixed case. The filter acts on the bytes it sees; what matters is what the browser, or a later decoding step in the application, sees. This guide shows common techniques.
Bypassing Character-Based XSS Filters
- Understand the Filter: First, submit a plain probe such as `<script>alert(1)</script>` and look at what comes back. Note which characters get replaced or removed, whether they are removed once or everywhere (a non-global replace leaves the second occurrence intact), and where the reflected value lands in the page.
- HTML Entities: If the filter replaces `<` and `>`, try their HTML entity equivalents, `&lt;` and `&gt;`. This only helps when something after the filter decodes the entities: the browser does so inside attribute values (so `href="javascript&#58;alert(1)"` resolves to `javascript:alert(1)`), and some applications decode before rendering. In plain body text `&lt;script&gt;` just renders as the literal text `<script>`.
- Double Encoding: Sometimes the filter decodes once and the application decodes again later. Try encoding the entities themselves: `&amp;lt;script&amp;gt;` decodes once to `&lt;script&gt;` and, on a second decode, to `<script>`.
- URL Encoding: If the input is read from the URL, try encoding the characters that are being filtered. For example, if `<` is blocked: `%3Cscript%3Ealert(1)%3C/script%3E`. The web server normally decodes this once before the filter runs, so it mainly works when a later step decodes a second time; in that case double-encode (`%253C` for `<`).
- Unicode Encoding: Use an escaped representation of the character. For `<` (less than) inside a JavaScript string, `\u003c`; the HTML-side equivalent is the numeric entity `&#x3C;`. An escape is only resolved by the context that understands it (the JS engine for `\u003c`, the HTML parser for `&#x3C;`), and script runs only if the decoded string is then written into the DOM.
- Case Mixing: Some filters are case-sensitive. Try mixing upper and lower case letters: `<ScRiPt>alert(1)</ScRiPt>`. HTML tag and attribute names are case-insensitive, so the browser does not care.
- Alternative Tags/Attributes: If `script` is blocked, try other tags that can execute JavaScript, e.g. `img` with `onerror`: `<img src=x onerror=alert(1)>`.
- Event Handlers: Almost any element accepts event-handler attributes (`onerror`, `onload`, `onmouseover`, `onfocus` combined with `autofocus`), so a filter that only removes `script` leaves these untouched.
- Comments: Try using HTML comments to break up the payload. This only defeats the filter if something between the filter and the browser strips the comments and reassembles the string; the browser's own HTML parser does not join a tag name that a comment has split.
- Context Awareness: Consider where your input is being placed in the HTML. If it’s inside an attribute, you might need to use different techniques than if it’s directly in the body.
- If within a `style` attribute, try CSS injection: `style="width:100%; filter:url(javascript:alert(1))"`. Caveat: only legacy engines (Internet Explorer's CSS extensions) executed script from a CSS value; current Chrome, Firefox, Safari and Edge do not run `url(javascript:...)` inside `filter`, so this confirms that you control the attribute but will not pop an alert on its own.
- If within a
- Browser Differences: Different browsers may interpret XSS payloads differently. Test your bypasses in multiple browsers (Chrome, Firefox, Safari, Edge).
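The whole procedure above, as an added worked example that is not code from the original guide: a Node.js model of a hypothetical character-replacing filter, the decoding steps that happen after it (a second server-side URL decode, the browser decoding entities inside an attribute value, the JS engine resolving `\u` escapes), and a hardened replacement that canonicalises input and encodes for the output context. `naiveFilter`, the three sinks, `report()` and the payload list are all assumptions made up for this demo; it has no dependencies and runs with `node`.

```javascript
// Added example, not code from the original guide. Models a hypothetical
// character-replacing XSS filter, the decoding that happens downstream of it,
// and a hardened replacement. All names and payloads here are made up.

// --- the filter under test: removes literal characters and nothing else ----
function naiveFilter(input) {
  return input
    .replace(/[<>"]/g, '')        // only the literal characters are removed
    .replace('javascript:', '');  // string replace: case-sensitive, first hit only
}

// --- decoders that run AFTER the filter, outside its view -------------------
// Stand-in for the browser's tokenizer decoding entities in an attribute value.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
    if (cp >= 0) return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}
// Stand-in for the JS engine resolving \uXXXX and \xHH escapes in a string literal.
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}
// decodeURIComponent throws on malformed %-sequences; keep the input instead.
function urlDecodeOrKeep(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// --- three hypothetical sinks; each returns true if script would run --------
const EXECUTES = /<script|<img[^>]*onerror/i;
const sinks = {
  // href="...": the browser entity-decodes the attribute, then reads the scheme
  href:  v => /^\s*javascript:/i.test(decodeEntities(v)),
  // a legacy template URL-decodes a second time before writing into the body
  body:  v => EXECUTES.test(urlDecodeOrKeep(v)),
  // var msg = "..."; el.innerHTML = msg;  (JS string context nested in HTML)
  jsstr: v => EXECUTES.test(decodeJsEscapes(v)),
};

// Vulnerable request path: the web server URL-decodes the parameter once,
// the filter runs on the result, the value then reaches one of the sinks.
function naivePipeline(rawParam, context) {
  return sinks[context](naiveFilter(decodeURIComponent(rawParam)));
}

// --- hardened path: canonicalise first, encode for the exact output context,
//     and never decode again after encoding ----------------------------------
function canonicalise(s) {
  for (let i = 0; i < 5; i++) {              // bounded loop; stop when stable
    const next = decodeEntities(urlDecodeOrKeep(s));
    if (next === s) break;
    s = next;
  }
  return s;
}
const encodeForHtml = s => s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
const encodeForJsString = s =>
  s.replace(/[^A-Za-z0-9]/g, c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
// Allow-list the URL scheme instead of block-listing the string "javascript:".
const safeHref = s => (/^https?:\/\//i.test(s) ? encodeForHtml(s) : '#');

function hardenedPipeline(rawParam, context) {
  const clean = canonicalise(decodeURIComponent(rawParam));
  const encoded = {
    href:  () => safeHref(clean),
    body:  () => encodeForHtml(clean),
    jsstr: () => encodeForJsString(encodeForHtml(clean)),  // nested contexts: nested encoding
  }[context]();
  return sinks[context](encoded);
}

// --- constructed payloads, one per technique from the guide -----------------
const PAYLOADS = [
  { name: 'plain',          context: 'body',  raw: encodeURIComponent('<script>alert(1)</script>') },
  { name: 'case mixing',    context: 'href',  raw: encodeURIComponent('JavaScript:alert(1)') },
  { name: 'html entity',    context: 'href',  raw: encodeURIComponent('javascript&#58;alert(1)') },
  { name: 'double url-enc', context: 'body',  raw: encodeURIComponent(encodeURIComponent('<img src=x onerror=alert(1)>')) },
  { name: 'unicode escape', context: 'jsstr', raw: encodeURIComponent('\\u003cimg src=x onerror=alert(1)\\u003e') },
];

// Returns { payloadName: { naive: bool, hardened: bool } } for every payload.
function report() {
  const out = {};
  for (const p of PAYLOADS) {
    out[p.name] = { naive: naivePipeline(p.raw, p.context), hardened: hardenedPipeline(p.raw, p.context) };
  }
  return out;
}

console.table(report());
```

Run it with `node` and read the table: in the `naive` column a payload executes whenever the decoding step it targets runs after the filter (the browser for the entity, the template for the double URL encoding, the JS engine for `\u003c`), while the `hardened` column stays false because input is canonicalised before any check and output is encoded for the context it lands in, with nested encoding for the JS-string-then-innerHTML sink. The `plain` row shows the naive filter is not useless, only blind to anything it does not decode; the `case mixing` row shows why scheme checks should allow-list `http`/`https` rather than block-list a string.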
Important Note: Exploiting XSS vulnerabilities without permission is illegal and unethical. This information is for educational purposes only.

