How can I bypass this XSS filter?

I found an XSS in the example.com website; however, I’m not able to make it work as there’s a filter in place. The filter throws a 403 error when I insert common XSS payloads. It also blocks the following:

  • <script> tags are blocked

  • alert, prompt, confirm & write are blocked

  • All valid Window Event Attributes are blocked

  • Closed tags are blocked, for example <a href="1" works while <a href="1">a is removed

I was able to inject the following payload

<test/onxsstest="console.log(1111)"

but obviously this code doesn’t work, as onxsstest doesn’t exist.

What payloads can I use to bypass this XSS filter?

Hi @Randomizer.

The filter seems to be using a blacklist. Which is great for you.
If <test/onxsstest="console.log(1111)" is valid, then keep trying different tags and events. You can get a list of different events from here https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers, here https://developer.mozilla.org/en-US/docs/Web/API/Element#Events and here https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#Events. And a list of elements here https://developer.mozilla.org/en-US/docs/Web/HTML/Element.
When you find some combinations that work, then it’s a matter of building the proof of concept or finding the combination of element and event that requires less user interaction.

Good luck!

1 Like
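For whoever maintains the filtered application, here is an added example (not part of the original posts, and not the site's real filter) comparing a blacklist with output encoding. `blacklistFilter`, its word and event lists, and `renderComment` are hypothetical names modelled on the rules listed in the question; the sample inputs are the strings quoted in the thread plus one constructed benign sentence.

```javascript
// Hypothetical blacklist modelled on the rules listed in the question.
const BLOCKED_WORDS = ["alert", "prompt", "confirm", "write"];
// Constructed list standing in for the filter's known event attributes.
const KNOWN_EVENTS = ["onclick", "onload", "onerror", "onmouseover", "onfocus"];

function blacklistFilter(input) {
  const s = input.toLowerCase();
  const denied = { status: 403, body: "" };
  if (/<\s*\/?\s*script/.test(s)) return denied;
  if (BLOCKED_WORDS.some((w) => s.includes(w))) return denied;
  if (KNOWN_EVENTS.some((e) => new RegExp(`\\b${e}\\s*=`).test(s))) return denied;
  // "Closed tags are removed": strip a complete tag and the text after it.
  return { status: 200, body: input.replace(/<[^<>]*>[^<]*/g, "") };
}

// The fix: encode on output for the HTML context instead of guessing
// which inputs are dangerous. Every markup-significant character is
// turned into an entity, so no tag or attribute can be formed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderComment(userInput) {
  return `<p class="comment">${escapeHtml(userInput)}</p>`;
}

// Strings from the thread, plus one constructed benign sentence.
const SAMPLES = [
  "<script>",
  '<a href="1">a',
  '<a href="1"',
  '<test/onxsstest="console.log(1111)"',
  "please confirm my order", // constructed: legitimate text
];

function compare() {
  return SAMPLES.map((input) => ({
    input,
    blacklist: blacklistFilter(input), // may pass markup or reject benign text
    encoded: renderComment(input),     // always inert text
  }));
}

for (const row of compare()) console.log(JSON.stringify(row));
```

The blacklist both lets the unclosed tag from the question through unchanged and rejects the harmless sentence, while the encoded output treats every sample as plain text.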