
Bypassing XSS Filters : Part 2

Welcome back, reader! I hope you know the basics of XSS and have read my previous article about bypassing XSS filters.
In this article we will perform Cross Site Scripting (XSS) on some websites which use XSS filters.
So without wasting any time, let's get straight to work.
I have a target here and I am going to inject <script>alert('XSS');</script> into the search:
[Screenshot: xss cheat sheet]
Huh! Nothing happened. Now let's take a look at the source to see what blocked our script.
There is nothing related to our script except this line:
<input type="text" name="q" class="search" value="<script>alert('XSS');</script>" />
[Screenshot: xss cheat sheet]
How can we bypass this? Any ideas? If you have some knowledge of HTML, it will help you in many XSS scenarios. So do you know how to bypass this filter?
In my previous article about filter bypass, we saw the source code making some changes to the input, but everything seems fine here, doesn't it?

<input type="text" name="q" class="search" value="<script>alert('XSS');</script>" />

Now let's break down the above line to get a better idea of what is happening:

  1. <input /> is an HTML tag used to get input from a user.
  2. type="text" means the input entered by the user will be treated as text.
  3. name="q" class="search" are used to identify the input (of no use to us).
  4. value="<script>alert('XSS');</script>" assigns our user input as the value, which the webpage can then use to do things like run a search.

Hmmm so any ideas now?
No? Ok I expected that.
When we enter something in the search box, the webpage puts it in value="our_input". Then type="text" forces our input to behave as plain text (just like normal words).
So as long as our input stays inside the value attribute, our efforts are worthless.
Well, bypassing this filter is easy if you apply some common sense and basic knowledge of HTML.
We will inject a payload which closes the value attribute and the input tag, and then executes our script. *Thug Life*
Here is what we are going to enter:
[Screenshot: xss filter bypass]
Now a question you should ask is why there is "> at the start of our payload.
Well, our input goes straight into this attribute: value="our_input"
Now "> will do the magic: it closes the value attribute and the input tag.
See this: value="">our_script"
Our input sits between " and ", and we just added a " of our own, which makes the browser think the value ends right there (it does not, lol). So "> escapes the value attribute and closes the tag.
Now let's see how it goes:
[Screenshot: filter bypass cheat sheet]
I knew it would work! We did it.
Now let's target another website, starting with the most basic payload, i.e. <script>alert('XSS');</script>
[Screenshot: xss step by step tutorial]
So I tried and failed... But you know what to do when you fail to inject? Yeah. Check the source code.
So here is the source code:
[Screenshot: xss bypass filter tutorial]
Looks like the previous example, huh?
Let's use "> again to close the input tag.
I did try closing it, but failed.
I tried encoding 'XSS' in String.fromCharCode format, but failed.
I tried encoding it as HTML character entities using Hackbar, but failed.
Sometimes developers block the word "script" in input (it's rare). So I tried using <ScRipT>, <scRipt>, <scRiPt> etc. to bypass, but failed.
[Screenshot: XSS tutorial step by step]
Yep! All we have done till now is use that alert statement, but HTML and JavaScript have many more features. As a result there are many different payloads too.
Looks like this website is blocking alert statements or the script tag.
So I will use a different payload, i.e. "><marquee>our_input</marquee>

And here we go sir:
[Screenshot: hack website with XSS]
Mission Completed!
Now let's sum up what we learned today:

  1. Enter a payload and check the source code to see how it handled our input.
  2. Try closing tags based on what the source code shows. Be creative!
  3. Try using different encoding techniques.
  4. Knowledge of JavaScript and HTML helps a lot in XSS.
  5. If one payload doesn't work, try another.

That’s all for now. I hope you enjoyed this article about bypassing XSS filters. Keep hacking! Keep XSSing!

About the author


I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.