XSS Filter Bypass Guide

TL;DR

This guide shows how to bypass a simple XSS filter that blocks common patterns such as <script> and <img src=x onerror=alert(1)>. We’ll use the case-insensitivity of HTML tags, attribute encoding, and event handlers.

Understanding the Filter

The filter likely matches a blocklist of known XSS patterns, and does so case-sensitively. It might also block certain characters or combinations of characters. The goal is to find ways to execute JavaScript without matching any of those patterns.

Bypass Techniques

  1. Case Insensitivity: HTML tags are generally case-insensitive. Try variations in capitalization.
    • Instead of <script>, try <ScRiPt> or <SCRIPT>.
    <SCRIPT>alert(1)</SCRIPT>
  2. Attribute Encoding: Encode characters within HTML attributes.
    • Use HTML entities to represent characters like ', ", and >.
    • For example, instead of onclick="alert(1)" try onclick="alert&#40;1&#41;". The browser decodes the entities when it parses the attribute value, so the handler still runs, but a filter that inspects the raw input never sees the string alert(1).
    <img src=x onerror="alert(1)">
  3. Event Handlers: Use different event handlers.
    • Common event handlers include onload, onerror, onmouseover, and onclick.
    • The onerror handler is often useful because it executes when an image fails to load (which is easy to arrange).
    <img src="invalid-image.jpg" onerror=alert(1)>
  4. Tag Attributes: Use event attributes on tags that are not blocked.
    • Some tags allow JavaScript execution within their attributes, so even if <script> is blocked, an event attribute on another tag may still run. For example, <body onload=alert(1)> might work.
    <body onload=alert(1)>
  5. Using Different Tags: Try less common HTML tags.
    • Tags like <svg>, <math> or <details> might be allowed and can execute JavaScript.
    <svg onload=alert(1)>
  6. Combining Techniques: Combine multiple techniques for a higher chance of success.
    • For example, use case-insensitive tags with attribute encoding.
    <ScRiPt>alert("XSS")</SCRIPT>

Testing

  1. Input Field: Enter your payload into the vulnerable input field.
  2. Inspect Source: View the page source code to see how the filter has modified your input. This will help you understand what characters or tags are being blocked.
  3. Browser Developer Tools: Use your browser’s developer tools (usually by pressing F12) to check for JavaScript errors and confirm that your payload is executing.

Important Considerations

  • Context Matters: The effectiveness of these techniques depends on the specific filter being used and where the input is placed in the HTML document.
  • Browser Differences: Different browsers may handle XSS payloads differently. Test your payload in multiple browsers (Chrome, Firefox, Safari, Edge).
  • Security Best Practices: Always validate and encode user input on the server side to prevent XSS vulnerabilities. Client-side filtering is not sufficient, and a blocklist of known payloads (the kind of filter this guide bypasses) is far weaker than context-aware output encoding of everything the user supplied.
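As an added illustration (not code from the original post), the following constructed Python model puts the case-sensitive blocklist filter described under "Understanding the Filter" beside the output-encoding defence recommended above and runs both over the guide's own payloads; the blocklist contents, the tag-start oracle and the payload list are assumptions made for this demonstration.

```python
import html
import re

# Constructed blocklist modelled on the filter the guide describes:
# case-sensitive, exact-string matching on two known payloads.
BLOCKLIST = ("<script>", "<img src=x onerror=alert(1)>")


def blocklist_filter(user_input: str) -> str:
    """Naive defence: strip known-bad strings, leave everything else raw."""
    out = user_input
    for bad in BLOCKLIST:
        out = out.replace(bad, "")
    return out


def encode_for_html(user_input: str) -> str:
    """Hardened defence: encode the characters that open a tag or close an
    attribute value (& < > " ') so the input is rendered as plain text."""
    return html.escape(user_input, quote=True)


# Test oracle (assumption for the demo): an HTML tokenizer only starts a
# tag on a raw '<' followed by a letter, so an on* attribute can only
# become active if such a tag is created.
TAG_START = re.compile(r"<[a-zA-Z]")


def creates_tag(rendered: str) -> bool:
    return TAG_START.search(rendered) is not None


def handler_javascript(attr_value: str) -> str:
    """What the JS engine receives from an on* attribute: the browser
    entity-decodes the attribute value before compiling it, which is why
    a raw-input filter that looks for 'alert(1)' misses 'alert&#40;1&#41;'."""
    return html.unescape(attr_value)


# Payloads copied from the guide above.
GUIDE_PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    '<img src="invalid-image.jpg" onerror=alert(1)>',
    "<body onload=alert(1)>",
    "<svg onload=alert(1)>",
    '<ScRiPt>alert("XSS")</SCRIPT>',
]


def survives_filter(payloads=GUIDE_PAYLOADS):
    """Payloads that still create a tag after the blocklist filter."""
    return [p for p in payloads if creates_tag(blocklist_filter(p))]


def survives_encoding(payloads=GUIDE_PAYLOADS):
    """Payloads that still create a tag after output encoding (none)."""
    return [p for p in payloads if creates_tag(encode_for_html(p))]
```

Only the first, exactly-matching payload is stopped by the blocklist; the other five pass through unchanged, while output encoding neutralises all of them because no raw `<` survives.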