Understanding XSS filters

CASE 1

You use the payload <script>alert(0)</script> and notice only alert(0) is reflected.

Block: HTML tags, < >, /

What to try

  • Are they simply filtering certain HTML tags?

  • Try payloads such as <script src=// (without closing the tag): is <script filtered regardless?

  • In this case, does a made-up tag (not a real tag, so perhaps not filtered?) work?

  • If so, use <notreal onpointerrawupdate=alert(0)>, which executes on Firefox.

-------------------------------------------------------------

CASE 2

You use the payload <script>alert(0)</script> and notice &lt;script&gt;alert(0)&lt;/script&gt; is reflected.

Encode: < > to &lt; &gt;

What to try

  • It is perhaps unlikely this parameter will be vulnerable to XSS; however, do not rule it out.

  • Test different encodings, such as %3Cscript%3Ealert(0)%3C%2Fscript%3E: the filter may be looking for a literal <, which the encoding bypasses.

  • You can also try providing the &lt; entity yourself (URL-encoded, so %26lt%3Bscript%26gt%3Balert(0)%26lt%3B%2Fscript%26gt%3B). The server may decode it and treat it as valid HTML in the response.

-------------------------------------------------------------

CASE 3

You use the payload "><script>alert(0)</script>

and notice &quot;><script>alert(0)</script> is reflected.

Encode: " to &quot;

What to try

-------------------------------------------------------------

CASE 4

The payload "><script>alert(0)</script>

only returns "scriptalert(0)/ and strips everything else.

Remove < >

  • We don't always need the < character to get XSS. As long as the input is reflected inside an HTML tag (for example <input value="ourinput">) and you can control some characters such as ' and ", you should be able to use any of the following payloads: "onfocus="alert(0)" k="`, "onmouseover=alert(0), "onmouseenter="alert(0)" k=". The second would be reflected as <input value=""onmouseover=alert(0)>, which is valid HTML. You can find a list of event handlers at http://www.w3schools.com/jsref/dom_obj_event.asp.

  • One common problem researchers run into is on* handlers being blacklisted/filtered. It all depends on where the input is reflected, but I find that trying the payload onxss= shows whether they are filtering on* in general, or just blacklisting specific handlers such as onfocus=.

  • For the first case I recommend trying things like on%0dmouseover= (you can also use %09, %0C, or %00 here), "onmouseover%3D, or onmouseover=alert(0)"= (I had an experience where a WAF would allow anything as long as the payload ended in =). If it's the latter, I recommend running through the list above.

-------------------------------------------------------------

Beating WAFs

The last piece of advice I'd like to give researchers faced with a filter/WAF when hunting for XSS is to remember that the WAF is typically just looking for certain strings. It might even be running on a blacklist, and by using things like %0d (for example <svg%0donload=prompt(1)>) it can sometimes be bypassed so your XSS renders. Understand what the filter is looking for and start fuzzing/testing. I've noticed java%09script: will bypass the CloudFlare WAF in certain cases.
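As an added example (not code from the original page), the following Node.js script models the filters described in CASE 1, CASE 4 and the WAF paragraph above from the server's side, and sets them beside the fix a defender should apply: contextual output encoding. The filter functions, the signature list and the two reflection templates are constructed for the demonstration and stand for no real product; the payloads are the page's own. Nothing is executed, the vulnerable-or-not verdict is a string check on the rendered markup.

```javascript
// Added example, not from the original page. Models input filtering of the kind
// the page describes next to encode-on-output, and compares the rendered result.

// CASE 1 style filter: strip a blacklist of tag names. Unknown tags survive.
function blacklistTags(input) {
  return input.replace(/<\/?(script|img|svg|iframe)\b[^>]*>/gi, "");
}

// CASE 4 style filter: remove only the angle brackets. Quotes survive.
function removeAngleBrackets(input) {
  return input.replace(/[<>]/g, "");
}

// WAF style check: allow the request unless a known substring appears.
// Constructed signature list for the demonstration.
const WAF_SIGNATURES = ["<script", "<svg onload", "onmouseover="];
function wafAllows(input) {
  const lower = input.toLowerCase();
  return !WAF_SIGNATURES.some((sig) => lower.includes(sig));
}

// The fix: encode every character that can change meaning in the target context.
// These five cover HTML body text and double- or single-quoted attribute values.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Two reflection points used by the cases on this page (constructed templates).
function reflectIntoBody(value) {
  return `<p>${value}</p>`;
}
function reflectIntoAttribute(value) {
  return `<input value="${value}">`;
}

// Crude structural checks: did the input introduce a tag or break an attribute
// the template did not have? Enough to compare filter and encoder here.
function bodyHasInjectedTag(html) {
  const inner = html.slice("<p>".length, -"</p>".length);
  return /<\/?[a-z]/i.test(inner);
}
function attributeBrokenOut(html) {
  // Intact means exactly the template, with no raw quote or bracket in the value.
  return !/^<input value="[^"<>]*">$/.test(html);
}

// Walk the page's payloads through filter-only and encode-on-output handling.
function compareHandling() {
  const bodyPayload = "<notreal onpointerrawupdate=alert(0)>"; // CASE 1 payload from the page
  const attrPayload = '"onmouseover=alert(0)';                 // CASE 4 payload from the page
  const wafPayload = "<svg\ronload=prompt(1)>";                // %0d decoded, from "Beating WAFs"
  return {
    // the blacklist lets the unknown tag through into the body
    blacklistBody: bodyHasInjectedTag(reflectIntoBody(blacklistTags(bodyPayload))),
    encodedBody: bodyHasInjectedTag(reflectIntoBody(encodeForHtml(bodyPayload))),
    // stripping < > leaves the quote that closes the attribute
    strippedAttr: attributeBrokenOut(reflectIntoAttribute(removeAngleBrackets(attrPayload))),
    encodedAttr: attributeBrokenOut(reflectIntoAttribute(encodeForHtml(attrPayload))),
    // the substring WAF does not see "<svg onload" when a CR separates the tokens
    wafPassesCr: wafAllows(wafPayload),
    wafPassesSpace: wafAllows("<svg onload=prompt(1)>"),
    encodedWafBody: bodyHasInjectedTag(reflectIntoBody(encodeForHtml(wafPayload))),
  };
}

console.log(compareHandling());
```

Run it with node; compareHandling() reports, for each payload, whether the rendered markup still contains an injected tag or a broken attribute. The point for a defender is that every filter the page describes is a check on the input, and each one lets a page payload through, while encoding on output neutralises all three in both contexts. The encoding has to happen after all URL and entity decoding is finished, which is also why the double-encoding attempt in CASE 2 matters: a server that decodes twice and then reflects the result raw is back in the unsafe column.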
