In the previous article we learned the basics of Cross Site Scripting (XSS). But the webpage we attacked there was far too simple; many real websites use XSS filters.
XSS filters are algorithms or techniques that try to filter user input to stop XSS. Let's face them to understand what they are and how to bypass them.
So I have a webpage here and I am going to enter our classic query, i.e. <script>alert('XSS');</script>
So I press the "Go" button but nothing happens. Why? Is this page invulnerable to XSS? Let's check the source code for clues:
Hmm.. ('XSS') got changed to (\'XSS\'). Which means the script disabled our single quotes ( ' ) by adding a backslash ( \ ) before them. It is a very common filter named magic_quotes_gpc.
This filter disables ' and " only. So how to bypass this filter?
A, B, C etc. are ASCII characters, but they can also be written as their character codes 65, 66, 67 etc.
So if you write String.fromCharCode(65) it means A, String.fromCharCode(66) means B and so on.
You see? Problem solved. To convert ASCII characters to their character codes without hassle you can install an add-on named Hackbar in Firefox. It is available for Chrome too, but we love Firefox.
So now, to bypass the filter, we will convert ('XSS') to String.fromCharCode() format using Hackbar.
To access Hackbar press F9 and you will see this awesome thing:
Now click on XSS, choose the String.fromCharCode option and enter whatever you want to convert.
So I converted 'XSS' using this function and the result is String.fromCharCode(39, 88, 83, 83, 39).
Now we will enter the following query in the input box:
<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>
aaaand boom! It worked:
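To make the reason for this bypass concrete from the defender's side, here is an added Python model (not code from the article or from PHP itself) of what magic_quotes_gpc does to the input and why it cannot stop XSS: it escapes quote characters, which only matters inside a string literal, while the payload is landing in HTML where the `<script>` tag is what counts. String.fromCharCode rebuilds the quotes in the browser, so nothing the filter touches has to survive. The context-correct defence is to entity-encode output for HTML, which removes the tag itself. The helper names (`magic_quotes`, `from_char_code`, `html_encode`, `has_script_tag`) and the sample payloads are constructed for this example.

```python
import html

# Constructed sample payloads: the two inputs the article types into the first target.
PAYLOAD_QUOTED = "<script>alert('XSS');</script>"
PAYLOAD_CHARCODE = "<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>"


def magic_quotes(value: str) -> str:
    """Model of what PHP's magic_quotes_gpc (addslashes) did to request input:
    a backslash before single quotes, double quotes, backslashes and NUL bytes.
    Written for this example; it is not PHP's own implementation."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def from_char_code(*codes: int) -> str:
    """Model of JavaScript's String.fromCharCode: the browser rebuilds the string
    from numeric codes, so no quote character needs to pass through the filter."""
    return "".join(chr(c) for c in codes)


def html_encode(value: str) -> str:
    """Context-correct defence for data placed into HTML text: entity-encode the
    characters that can open a tag or break out of an attribute."""
    return html.escape(value, quote=True)


def has_script_tag(rendered: str) -> bool:
    """Detection check on the rendered output: is an unencoded <script tag still there?
    After magic_quotes the tag survives and only the JavaScript inside is damaged;
    after html_encode there is no tag left to execute."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, payload in (("quoted", PAYLOAD_QUOTED), ("charcode", PAYLOAD_CHARCODE)):
        print(name, "after magic_quotes :", magic_quotes(payload),
              "| tag survives:", has_script_tag(magic_quotes(payload)))
        print(name, "after html_encode  :", html_encode(payload),
              "| tag survives:", has_script_tag(html_encode(payload)))
    print("fromCharCode(39,88,83,83,39) ->", from_char_code(39, 88, 83, 83, 39))
```

Run it and note that the charcode payload passes through `magic_quotes` byte-for-byte unchanged (it contains no quotes or backslashes), while `html_encode` neutralises both payloads because it targets the characters that matter in the HTML context.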
Ok, that was good. Now let's try to inject another target.
I entered <script>alert('XSS');</script> in the search box but nothing happened.
Now let's take a look at the source code to see what went wrong:
It disabled (escaped) ‘ by adding \.
Hahaha, we know how to bypass this, right? Great.
Let's enter <script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script> and bypass it.
Damn! Nothing happened. But why? Let's take a look at the source code:
Hmmm, take a look at the condition of our input and think about why our script didn't get executed.
Want a hint? Look at the colour of the <script> tag and the </script> tag. They are different, right? A pink tag (loosely speaking) means the tag got executed and a normal black tag means the filter sanitized it (blocked it or whatever).
What to do now? Be patient, I don't know what to do either. Let's try to solve this problem together.
So the filter allows the </script> tag but blocks the <script> tag. Maybe the filter blocks the <script> tag because it denotes the start of a script?
I got an idea! I am not sure whether it will work or not. The trick is to enter <script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>
As you can see above, I just copied the previous input twice.
Here is my plan: when the filter sees the <script> tag, it will think an attacker is trying to run a script, so it will block it. As we saw in the source code, the filter doesn't block the </script> tag, maybe because it can't work without <script> or for some other reason.
The filter will allow </script>, thinking that the "malicious" script entered by the user is over, but this time we are going to try
<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>
As you can see, I copied the same script twice. If I am right, the filter will block the first script and allow everything after the </script> tag of the first script.
Now let's see if it works:
Whoa! That's beautiful! It worked perfectly!
Wait, I have another idea!
Let's try this:
</script><script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>
The plan is the same: </script> will make the filter think the malicious script is over, and the rest of the script will get executed.
I entered our "modified" query in the search box and here is what I got:
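The article never sees the second filter's code, only its behaviour, so here is an added Python model (mine, not the article's or the target site's code) of the rule the article infers: the filter treats the first </script> as the end of the untrusted script and drops everything up to and including it. Running the article's three inputs through that model reproduces exactly what the article observed, and running them through output encoding instead shows why a blacklist that "recognises scripts" is the wrong design: there is always another arrangement of the same characters, whereas encoding never has to recognise anything. The filter model, the helper names (`first_block_filter`, `encode_filter`, `survives`, `compare`) and the sample inputs are constructed for this example; the real filter may differ.

```python
import html

END_TAG = "</script>"

# Constructed inputs: the three payloads the article tries against the second target.
SINGLE = "<script>alert(String.fromCharCode(39, 88, 83, 83, 39));</script>"
DOUBLED = SINGLE + SINGLE          # the article's second attempt
LEADING_CLOSE = END_TAG + SINGLE   # the article's third attempt


def first_block_filter(value: str) -> str:
    """Hypothetical blacklist filter modelling the behaviour the article infers
    (the real filter's code is not shown): cut off everything up to and including
    the first </script>, and pass the remainder through untouched."""
    cut = value.find(END_TAG)
    if cut == -1:
        return value
    return value[cut + len(END_TAG):]


def encode_filter(value: str) -> str:
    """Hardened handling: make no attempt to recognise scripts, entity-encode on output."""
    return html.escape(value, quote=True)


def survives(filtered: str) -> bool:
    """Detection check: an unencoded opening <script tag is still in the output."""
    return "<script" in filtered.lower()


def compare(value: str) -> dict:
    """For one input, report whether a script tag survives each strategy."""
    return {
        "blacklist": survives(first_block_filter(value)),
        "encoded": survives(encode_filter(value)),
    }


if __name__ == "__main__":
    for name, payload in (("single", SINGLE), ("doubled", DOUBLED), ("leading_close", LEADING_CLOSE)):
        print(f"{name:14s} blacklist leaves: {first_block_filter(payload)!r}")
        print(f"{name:14s} survives -> {compare(payload)}")
```

The single payload is removed entirely by the blacklist model (matching "nothing happened"), while the doubled and leading-close payloads leave a complete `<script>` element behind (matching the two successes). The encoding strategy leaves no executable tag in any of the three cases.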
Now let's sum up what we learned today:
1. Enter a script; if it works then great. If it doesn't get executed, check the source code of the webpage to see what happened to the input.
2. If the filter identifies single quotes ' and double quotes " and escapes them, you can try to encode the payload instead.
3. The rest depends on your creativity and the experience gained from trial and error.
We will bypass lots of other interesting filters in upcoming articles.
I hope you enjoyed this article.
Keep learning! Keep XSSing!
Also Read: Bypassing XSS Filters : Part 2