Hacking Tutorials XSS

Bypassing XSS Filters : Part 1

In previous article we learned the basics of Cross Site Scripting (XSS). But the webpage we attacked in previous was way too simple but many websites use XSS filters.

XSS filters are some algorithms or techniques which try to filter user input to stop XSS. Lets face them to understand what are they and how to bypass them.
So I have a webpage here and I am going to enter our classic query i.e. <script>alert(‘XSS’);</script>

xss filter bypass
So I press the “Go” button but nothing happens. Why? Is this page invulnerable to XSS? Lets check the source code for clues:

xss filter bypass

Hmm.. (‘XSS’) got changed to (\’XSS\’). Which means the script disabled our single quotes ( ) by adding a backslash ( \ ) before them. It is a very common filter named magic_quotes_gpc.
This filter disables and only. So how to bypass this filter?
Well we will take advantage of a JavaScript function named String.FromCharCode(). It is a JavaScript function which converts ASCII characters to Unicode and vice versa.
A, B, C etc. these are ASCII characters but they can also be written in unicode format as 65, 66, 67 etc.
So if you write String.FromCharCode(65) it means A, string.FromCharCode(66) means B and so on.
The single quote (  ) is an ASCII too and its value in Unicode is 39. So whenever we will enter String.FromCharCode(39), JavaScript will convert it to automatically.

You see? Problem Solved. To convert an ASCII character to Unicode without hassle you can install an addon named Hackbar in your Firefox. Well it is available for Chrome too but we love Firefox.
So now to bypass the filter, we will convert (‘XSS’) to String.FromCodeChar() format by using Hackbar.
To access hackbar press F9 and you will see this awesome thing:
hackbar xss
Now click on XSS and choose the String.FromCharCode option and enter whatever you want to convert.
So I converted ‘XSS’ using this function and the result is String.fromCharCode(39, 88, 83, 83, 39).
Now we will enter the following query in the input box:

<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>

aaaand boom! It worked:
xss filter bypass
Ok that was good. Now lets try to inject another target.
I entered <script>alert(‘XSS’);</script> in the search box but nothing happened
bypass XSS filter
Now lets take a look at the source code to see what went wrong
XSS filter
It disabled (escaped) by adding \.
Hahaha we know how to bypass this right? Great.
Lets enter <script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script> and bypass it.
Damn! Nothing happened. But why? Lets take a look at source code:
XSS source code
Hmmm take a look at the condition of our input and think why our script didn’t get executed.
Want a hint? Look at the color of <script> and tag. They are different right? A pink tag (loosely speaking) means the tag got executed and a normal black tag means the filter sanitized it (blocked it or whatever).
What to do now? Be patient I don’t know what to do. Lets try to solve this problem, together.
So the filter allows the </script> tag but blocks the <script> tag. Maybe the filter blocks the <script> tag because it denotes starting of a script?
I got an idea! I am not sure it will work or not. The trick is to enter <script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>

As you can see above I just copied the previous input two times.
Here is my plan, when the filter will see the <script>, it will think an attacker is trying to run a script so the filter will block it. As we saw in the source code, filter doesn’t block </script> tag maybe because it can’t work without <script> or some other reason.
The filter will allow </script> thinking that the “malicious” script entered by the user is over but this time we are going to try

<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>

As you can see I copied the same script two times. If I am right, the filter will block the first script and will allow everything after the </script> tag of the first script.
Now lets see if it works

xss cheat sheet filter bypass
Whoa! Thats beautiful! It worked perfectly!
Wait I have another idea!
Lets try this

</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>

The plan is same, </script> will make the filter think the malicious script is over and  rest of script will get executed.
I entered our “modified” query in the search box and here is what I got:
xss cheat sheet filter bypass
Yeah! Wonderful!

Now lets sum up what we learned today:

1. Enter a script if it works then great. If doesn’t get executed then check the source code of the webpage to see what happened with the input.

2. If the filter identifies single quote and double quote and escapes it then you can try to encode it.

3. The rest depends on your creativity and experience gained from trial and error.

We will bypass a lots of other filters interesting filters in upcoming articles.
I hope you enjoyed this article.
Keep learning! Keep XSSing!

Also Read: Bypassing XSS Filters : Part 2

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.