How can i bypass this XSS filter?

Randomizer · May 22, 2019, 9:04pm

I found an XSS in example.com website, however i’m not able to make it work as there’s a filter in place. The filter throws a 403 error when i insert common xss payloads. It also blocks the following

<script> tags are blocked
alert, prompt, confirm & write are blocked
every valid Window Event Attributes are blocked
Closed tags are blocked, for example <a href="1" works while <a href="1">a is removed

I was able to inject the following payload

<test/onxsstest="console.log(1111)"

but obviously this code doesn’t works as onxsstest doesn’t exist.

What payloads can i use to bypass this xss filter?

stefanofinding · May 26, 2019, 5:16am

Hi @Randomizer.

The filter seems to be using a blacklist. Which is great for you.
If <test/onxsstest="console.log(1111)" is valid, then keep trying different tags and events. You can get a list of different events from here https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers, here https://developer.mozilla.org/en-US/docs/Web/API/Element#Events and here https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#Events. And a list of elements here https://developer.mozilla.org/en-US/docs/Web/HTML/Element.
When you find some combinations that work, then it’s a matter or building the proof of concept or finding the combination of element and event that requires less user interaction.

Good luck!

Appills · September 12, 2019, 5:18pm

You have plenty of options:

See if you can get a <table>, <input>, or <img> in there - if you can, its definitely interpolating your input. If you can get a <img> in there, you can try the src attribute:

" <img src=">x" <!-- /"

src="javascript:throw new Error();"

or see if it will let you load from base64 data: schemes. There’s some payloads floating around out there for xml/svg that will execute javascript.

smackerdodi · February 8, 2020, 11:17pm

is there is any resources for the last part of your comment about xml/svg executing javascript ??
thanks in advanced

oliveryuan · February 26, 2020, 2:55am

i tried it but it becomes Something.execute("");alert(“xss”); }, true); Any other way you can think of.

abbu_abhishek_2000 · April 6, 2021, 5:54am

“<>” and “()” tags are blocked . Is there any way to bypass it??

Topic		Replies	Views
How to bybass ASP.NET server XSS filter? Web Hacking	4	10186	July 4, 2022
XSS single qoute bypass help Web Hacking	3	2713	December 28, 2021
Need help with xss Web Hacking	1	2432	August 10, 2020
Xss inside Param tag Web Hacking	5	1705	February 13, 2020
Xss reflected regarding Starter Zone	8	1749	July 29, 2020

How can i bypass this XSS filter?

Related topics