Skip to main content

Xssing Web Part - 1

Xssing Web Part - 1


I'm thinking about sharing everything I know about XSS :) However it's not possible to put all methods in one single post so I would be making several parts of "Xssing Web". Mostly I would be talking about how to bypass XSS filters and how to turn most of non exploitable XSS to exploitable.

All of you might have encountered one such end point that takes URL as parameter and redirects to it using javascript like :


In this post I would be talking about how to get XSS in such situations and how to bypass their filters.

First thing we can do here is try 'javascript' protocol or 'data' URI scheme.


It would execute 'alert(1)' function.

From now onwards I will only be talking about 'javascript' protocol since same methods can be applied on 'data' URI as well.

Let's start,

What if 'javascript:' string is blocked??

Do you know strings in the javascript can be encoded in hex format also??

Format 1 : \x[HEX]
Format 2 : \u00[HEX]

Format 1 : javascript: --> \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a
Format 2 : javascript: --> \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a

 Bypasses :



What if  'javascript:' and '\x'  and '\u' is blocked??

 Do you know we can continue string to newline by ending string with backslash character?? ;)

 Bypass : java\[0x0a]script:alert(1)

Here [0x0a] is new line character. You can pass newline character as input by "%0a" in URL.

These are few alternatives to newline character which you can try if newline character is also blocked :

[0x09] <---- Horizontal Tab
[0x0d] <---- Carriage Return

Ok now what if 'javascript:' and '\x'  and '\u' and [0x0a,0x09,0x0d] are also blocked ?

 Do you know there are control characters in JS too??

Here are few control characters that we can use to bypass the filter :

\t  <---- Horizontal Tab
\n <---- Newline
\r <---- Carriage Return

Bypass :  ja\nva\tscript\r:alert(1)

You can use any one or all of this control chars anywhere in string ;)

Note : Sometimes the filter itself converts 0x0a,0x09,0x0d into \n,\t,\r so you can take advantage of that also ;)

 Now let's assume 'javascript:' and '\x'  and '\u' and [0x0a,0x09,0x0d] and [\n,\t,\r] are blocked??

 Ok do you know escape character??

What happens if we try to escape any character that does not form a control char (\n,\t,\b,\v,\f,\r and of course \x,\u too)  ??

 The answer is NOTHING.

So we can put escape char in front of any character except n,t,b,v,f,r,x,u and digits.

Bypass : \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)

One of my friend @OsandaMalith found one more bypass. [You can read his awesome blog here

We can encode string in octal as well : 

Format 1 : \[OCTAL] 

Format 1 : javascript ---> \152\141\166\141\163\143\162\151\160\164
Bypass : \152\141\166\141\163\143\162\151\160\164\072alert(1)

That's enough for today ;)
Ref :


Post a comment

Popular posts from this blog

JSP ContextPath Link Manipulation - XSS

This post is about how to manipulate resource links of HTML elements (script, img, link, etc) when getContextPath  method is used to obtain base path of resources. With the ability to manipulate links you can do XSS, CSS Injection, etc. Basically we are going to use path parameters to manipulate context path such that links would point to attacker's domain. There's a good blog that talk about the similar issues : However this post is more about manipulating context path to hijack resource links of HTML elements .  So let's have a look at a simple JSP page ( test.jsp ) Ref : This page just loads some resources like script, image, css and that's it. It doesn't take any direct input from user but it is using value returned by r equest.getContextPath() as base path to resources link. What can we do here? Let's try to contro

U-XSS in OperaMini for iOS Browser (0-Day) [CVE-2019-13607]

TL;DR :  The latest version (16.0.14) of  Operamini for iOS browser is affected by an Universal-XSS vulnerability which can be triggered by performing navigation from target domain to attacker controlled domain. When attacker controlled domain returns " javascript:code_here " in " location " header then browser executes the javascript code in the context of target domain instead of attacker domain. This vulnerability is yet not fixed by Opera team.  Update [15 July 2019] :  CVE-2019-13607 is assigned to this vulnerability. So while playing with Operamini browser I noticed that when a navigation to " javascript " protocol occurs via " location " header then browser executes the provided javascript code. For example if the value of " location " header is " javascript:alert() " then javascript code "alert()" gets executed by the browser. Normally browsers prevent navigation to " javascript: " URL