Welcome back reader! I hope you know the basics of XSS and have read my previous article about bypassing XSS filters.
In this article we will perform Cross Site Scripting (XSS) on some websites which use XSS filters.
So without wasting any time let's get straight to work.
I have a target here and I am going to inject <script>alert('XSS');</script> into the search:
Huh! Nothing happened. Now let's take a look at the source to see what blocked our script.
There is nothing related to our script except this line:
<input type="text" name="q" class="search" value="<script>alert('XSS');</script>" />
How can we bypass this? Any ideas? If you have some knowledge of HTML it will help you in many XSS scenarios. So do you know how to bypass this filter?
In my previous article about filter bypass, we saw the source code making changes to our input, but everything seems fine here, doesn't it?
<input type="text" name="q" class="search" value="<script>alert('XSS');</script>" />
Now let's break down the above line to get a better idea of what is happening:
- <input /> is an HTML tag used to get input from a user.
- type="text" means the input entered by the user will be treated as text.
- name="q" class="search" are used to identify the input (not useful to us).
- value="<script>alert('XSS');</script>" assigns the user input as a value which the webpage can use, for example to search for something.
Hmmm so any ideas now?
No? Ok I expected that.
When we enter something in the search box, the webpage puts it in value="our_input". Then type="text" forces our input to behave as plaintext (just like normal words).
So as long as our input stays inside the value, our efforts are worthless.
Well bypassing this filter is easy if you apply some common sense and basic knowledge of HTML.
We will inject a payload which closes the value attribute and then executes our script. *Thug Life*
Here is what we are going to enter:
Now a question you should ask is why there is "> at the start of our script.
Well, our input goes straight into this attribute: value="our_input"
Now "> does the trick: it closes the value attribute.
See this: value="">our_script"
Our input sits between " " and we just added a " of our own, which makes the parser think the value is contained within " " (but it is not, lol). So "> breaks out of the value attribute and closes the tag.
Now let's see how it goes:
I knew it would work! We did it.
Now let's target another website, starting with the most basic payload, i.e. <script>alert('XSS');</script>
So I tried and failed... But you know what to do when you fail to inject? Yeah. Check the source code.
So here is the source code:
Looks like the previous example huh?
Let's use "> again to close the input tag.
I tried closing it but failed.
I tried encoding ‘XSS’ to String.fromCharCode format but failed.
I tried encoding it to HTML characters using Hackbar but failed.
Sometimes developers block the word "script" in input (it's rare). So I tried using <ScRipT>, <scRipt>, <scRiPt> etc. to bypass it but failed.
Looks like this website is blocking alert statements or the script tag.
So I will use a different payload, i.e. "><marquee>our_input</marquee>
And here we go sir:
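For the developers reading along, here is the other side of both examples above, added here as an example that is not part of the original article: the article's own value="..." reflection next to an attribute-encoded version, with the "> script payload and the marquee payload run through each. The names escapeHtmlAttr, renderSearchSafe and countTags are my own.

```javascript
// Added example: the reflection the article exploits, beside the encoding fix.

// The insecure pattern from the article: input dropped straight into value="...".
function renderSearchVulnerable(q) {
  return `<input type="text" name="q" class="search" value="${q}" />`;
}

// Encode every character that can terminate or alter an HTML attribute value.
// Encoding '"' is what stops the article's "> breakout; '<' and '>' are encoded
// as well so the value stays inert even in a template that forgets the quotes.
// '&' goes first so already-encoded output is never double-encoded.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reverse of escapeHtmlAttr: what the browser shows in the search box.
function unescapeHtmlAttr(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

function renderSearchSafe(q) {
  return `<input type="text" name="q" class="search" value="${escapeHtmlAttr(q)}" />`;
}

// Crude check for testing or log review: count tag openers ("<x" or "</x") in
// the rendered markup. A correctly rendered search box has exactly one, <input.
// No word blocklist is involved, so <script> and <marquee> are treated alike.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed inputs: the two payloads the article uses.
const payloads = [`"><script>alert('XSS');</script>`, `"><marquee>our_input</marquee>`];

for (const p of payloads) {
  console.log("vulnerable:", countTags(renderSearchVulnerable(p)), "tags");
  console.log("encoded:   ", countTags(renderSearchSafe(p)), "tag");
}
```

The encoded version still shows the user exactly what they typed (the round trip through unescapeHtmlAttr is lossless), so the search keeps working; only the breakout is gone.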
Now let's sum up what we learned today:
- Enter a payload and check the source code to see how it handled our input.
- Try closing tags on the basis of source code. Be creative!
- Try using different encoding techniques.
- If one payload doesn’t work, try another.
That’s all for now. I hope you enjoyed this article about bypassing XSS filters. Keep hacking! Keep XSSing!