How can I bypass this XSS filter?

I found an XSS in a website; however, I’m not able to make it work as there’s a filter in place. The filter throws a 403 error when I insert common XSS payloads. It also blocks the following:

  • <script> tags are blocked

  • alert, prompt, confirm & write are blocked

  • all valid Window Event Attributes are blocked

  • Closed tags are blocked, for example <a href="1" works while <a href="1">a is removed

I was able to inject the following payload


but obviously this code doesn’t work as onxsstest doesn’t exist.

What payloads can I use to bypass this XSS filter?

Hi @Randomizer.

The filter seems to be using a blacklist. Which is great for you.
If <test/onxsstest="console.log(1111)" is valid, then keep trying different tags and events. You can get a list of different events from here, here and here, and a list of elements here.
When you find some combinations that work, then it’s a matter of building the proof of concept or finding the combination of element and event that requires less user interaction.

Good luck!

1 Like
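The reply's observation that the filter is a blacklist, seen from the defending side, as an added example (not code from the thread or from the site being discussed): a constructed denylist modelled on the four rules in the question passes the thread's own probe string unchanged, while output encoding renders the same string inert. The function names, the attribute list and the tag-stripping rule are assumptions made for illustration.

```javascript
// Constructed model of the filter described in the question (assumption:
// the real filter's rules and matching logic are not shown in the thread).
const BLOCKED_WORDS = ["alert", "prompt", "confirm", "write"];
// Small illustrative subset of standard event attributes.
const KNOWN_EVENT_ATTRS = ["onclick", "onload", "onerror", "onfocus", "onmouseover"];

function denylistFilter(input) {
  const lower = input.toLowerCase();
  const forbidden =
    /<\s*script/.test(lower) ||
    BLOCKED_WORDS.some((w) => lower.includes(w)) ||
    KNOWN_EVENT_ATTRS.some((a) => new RegExp(`\\b${a}\\s*=`).test(lower));
  if (forbidden) return { status: 403, body: "" };
  // Closed tags are stripped; an unterminated tag is left alone.
  return { status: 200, body: input.replace(/<[^<>]*>/g, "") };
}

// Mitigation: encode on output for the HTML body / quoted-attribute context
// instead of guessing which names are dangerous.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Probe string quoted in the reply above (it only references a
// nonexistent attribute, so it executes nothing).
const probe = '<test/onxsstest="console.log(1111)"';

const filtered = denylistFilter(probe);
console.log("denylist:", filtered.status, filtered.body); // markup survives intact
console.log("encoded :", escapeHtml(probe));              // markup becomes text
```

The denylist has to enumerate every element and attribute name a browser will ever honour, while the encoder only has to handle five characters; pairing output encoding with a Content-Security-Policy that disallows inline script covers the cases where encoding is missed.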