I found an endpoint that has a parameter whose value is displayed directly between span tags on the website. However, the server (ASP.NET version 4.7) does filter the param value and throws an exception when it detects a potential XSS:
A potentially dangerous Request.QueryString value was detected from the client (response="alert(1)</sc…").
I played around a little bit and found some interesting things about the filter, but I could not bypass it yet. I hope you can give me some inspiration.
No characters are replaced by the filter. Thus, characters like <>/*'" etc. are allowed. The filter throws an exception when it detects input in the form of <[letters]>, but not when I use numbers instead of letters, like <1>, or put a space in between, like < tag>. So < script>alert(1);< /script> is not filtered and is displayed in the source code, but it is not executed because of the spaces. Also <1 onload="alert(1);"/> passed the filter but is not executed either. Since the charset is UTF-8, I tried \x encoding like
\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e
and percent encoding like
%3cscript%3ealert%281%29%3b%3c%2fscript%3e
Both were transferred into plain text and threw an exception.
I feel like there is a way to bypass the filter, but I ran out of ideas. Any hints?
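From the defender's side, the behaviour described in the question is exactly why ASP.NET request validation should be treated as a heuristic safety net rather than the XSS control: it pattern-matches on the input and never encodes anything. The mitigation for a value reflected between span tags is contextual output encoding at the point of rendering. The following is an added example, not code from the question or from the affected site; it assumes a Web Forms page `Echo.aspx` with a server-side span and uses the `response` parameter name from the question.

```csharp
// Added example (not from the question): ASP.NET Web Forms code-behind that
// renders the "response" query parameter inside a <span> with output encoding.
// Request validation stays enabled as defence in depth; the HtmlEncode call is
// the actual XSS mitigation, because the validator filters but never encodes.
using System;
using System.Web;
using System.Web.UI;

public partial class Echo : Page
{
    // Markup assumed in Echo.aspx (hypothetical):
    //   <span id="ResponseSpan" runat="server"></span>
    protected void Page_Load(object sender, EventArgs e)
    {
        string value = Request.QueryString["response"] ?? string.Empty;

        // HTML text context: < > & " ' are turned into entities, so every
        // payload listed in the question (including "< script>" and
        // "<1 onload=...>" variants) is rendered as visible text, not markup.
        ResponseSpan.InnerHtml = HttpUtility.HtmlEncode(value);
    }
}
```

Setting `ResponseSpan.InnerText` instead of `InnerHtml` applies the same encoding implicitly; the explicit `HttpUtility.HtmlEncode` call is shown so the encoding step is visible in review. If the value were ever placed into an attribute, a script block, or a URL rather than between tags, a different encoder for that context would be required, and request validation would still not cover it.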