TL;DR
This guide shows how to bypass a simple XSS filter that blocks common tags like <script> and <img src=x onerror=alert(1)>. We’ll use case-insensitive HTML, attribute encoding, and event handlers.
Understanding the Filter
The filter likely looks for known XSS patterns in a case-sensitive manner. It might also block certain characters or combinations of characters. The goal is to find ways to execute JavaScript code without triggering these filters.
Bypass Techniques
- Case Insensitivity: HTML tags are generally case-insensitive. Try variations in capitalization.
- Instead of
<script>, try<ScRiPt>or<SCRIPT>.
<SCRIPT>alert(1)</SCRIPT> - Instead of
- Attribute Encoding: Encode characters within HTML attributes.
- Use HTML entities to represent characters like
',", and>. - For example, instead of
onclick="alert(1)"tryonclick="alert(1)".
<img src=x onerror="alert(1)"> - Use HTML entities to represent characters like
- Event Handlers: Use different event handlers.
- Common event handlers include
onload,onerror,onmouseover, andonclick. - The
onerrorhandler is often useful because it executes when an image fails to load (which is easy to arrange).
<img src="invalid-image.jpg" onerror=alert(1)> - Common event handlers include
- Tag Attributes: Exploit tag attributes.
- Some tags allow JavaScript execution within their attributes, even if the main tag is blocked. For example,
<body onload=alert(1)>might work.
<body onload=alert(1)> - Some tags allow JavaScript execution within their attributes, even if the main tag is blocked. For example,
- Using Different Tags: Try less common HTML tags.
- Tags like
<svg>,<math>or<details>might be allowed and can execute JavaScript.
<svg onload=alert(1)> - Tags like
- Combining Techniques: Combine multiple techniques for a higher chance of success.
- For example, use case-insensitive tags with attribute encoding.
<ScRiPt>alert("XSS")</SCRIPT>
Testing
- Input Field: Enter your payload into the vulnerable input field.
- Inspect Source: View the page source code to see how the filter has modified your input. This will help you understand what characters or tags are being blocked.
- Browser Developer Tools: Use your browser’s developer tools (usually by pressing F12) to check for JavaScript errors and confirm that your payload is executing.
Important Considerations
- Context Matters: The effectiveness of these techniques depends on the specific filter being used and where the input is placed in the HTML document.
- Browser Differences: Different browsers may handle XSS payloads differently. Test your payload in multiple browsers (Chrome, Firefox, Safari, Edge).
- cyber security Best Practices: Always sanitize user inputs on the server-side to prevent XSS vulnerabilities. Client-side filtering is not sufficient.