XSS Filter Bypass Guide

TL;DR

This guide shows how to bypass a simple XSS filter that blocks common tags like

Attribute Encoding: Encode characters within HTML attributes.

Event Handlers: Use different event handlers.

Common event handlers include onload, onerror, onmouseover, and onclick.
The onerror handler is often useful because it executes when an image fails to load (which is easy to arrange).

Tag Attributes: Exploit tag attributes.

Some tags allow JavaScript execution within their attributes, even if the main tag is blocked. For example, might work.

Using Different Tags: Try less common HTML tags.

Combining Techniques: Combine multiple techniques for a higher chance of success.

Input Field: Enter your payload into the vulnerable input field.
Inspect Source: View the page source code to see how the filter has modified your input. This will help you understand what characters or tags are being blocked.
Browser Developer Tools: Use your browser’s developer tools (usually by pressing F12) to check for JavaScript errors and confirm that your payload is executing.

Context Matters: The effectiveness of these techniques depends on the specific filter being used and where the input is placed in the HTML document.
Browser Differences: Different browsers may handle XSS payloads differently. Test your payload in multiple browsers (Chrome, Firefox, Safari, Edge).
cyber security Best Practices: Always sanitize user inputs on the server-side to prevent XSS vulnerabilities. Client-side filtering is not sufficient.