WebApp 101

Basic Cross Site Scripting (XSS) Bypass Techniques

In some cases, a bit of filtering is involved. The web developer may have added some regular expressions, to prevent simple XSS payloads from working. This post intends to serve as a list of simple bypass techniques to try when attempting to inject XSS payloads.

Tweaking the case of your script tags. Some filters are case sensitive and will not remove the script tag if there are uppercase characters.

Example: <sCript> alert('xss') </sCRIpt>

Placing Script tags within script tags. Some filters do not recursively look through the supplied input to recursively remove script tags.

Example: <sc<script>ript> alert('xss') </scri</script>pt>

Use non script tags, such as an image tag. Some filters do a great job at preventing the use of script tags, but we could use many other tags to deliver payloads.

Example: <img src='zzz.jpg' onerror= alert('xss') ></img>

Using JavaScript’s eval. In some cases, you may be able to insert a script tag, but you’re unable to use a keyword such as “alert”. You can leverage “eval” to concatenate your payload to achieve the same result.

Example: <script>eval("ale" + "rt('xss')")</script>
Note: You may need to replace the plus mark with %2b or it may get treated as a space.

Checking to see if you’re in a script tag already. Sometimes the user supplied input will be directly within a script tag and you won’t need to inject one. You may be able to just view the source code and start talking in Javascript to get malicious.

Example: hacker"; alert('xss'); var $a= "

The above passed input may feed into HTML code that would render as the following: <script> var $a = "hacker"; alert('xss'); var $a= ""; </script>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s