[Part 2] What is XSS and Example of Filters & Bypasses


Hi again :P, let's continue our topic about XSS bugs; read part one first if you haven't yet.

Let's start with the first filter. What if you find that the website blocks alert, confirm, prompt and write, what do you do in this case? Just leave it... I'm kidding :P You can use string concatenation and a magical JS function: eval(). What does eval do? It executes a string as JS code. Since it accepts a string, I can split the code into parts like aler, t and (1337); each of these is a piece of the string. I join them with string concatenation into a single string and pass it to eval to execute it. The payload will look like this:

eval("aler"+"t"+"(1337)")

This executes alert(1337): the pieces are concatenated first and the result is then executed, and the filter doesn't notice because it only searches for the literal alert.

This filter is everywhere; I think about 90% of the XSS bugs I've found used this one. What if the tags are removed and your value lands in an attribute of an existing tag? Easy, we use event handlers too. Some websites block the tags but forget about the values that are added to attributes of existing tags. What does this mean? Let's say I have a search parameter called q and its value is added to a tag like this:

<input type="text" name="q" value="your value here">

What if I could get out of the value attribute? You would try to close the tag with "> but you'll find that > is blocked, so instead you use handlers like onmouseover, onfocus and onload; there are a lot of these handlers and you can find them on Google. I'll use the first handler in this payload: " onmouseover="alert(1337) This payload pops up 1337 when the mouse moves over the input tag, and the resulting code will be:

<input type="text" name="q" value="string" onmouseover="alert(1337)">

The third case looks like the first one, but here the eval function is blocked too :( What should I do? I can use something cool called JSFuck: you can encode your payload using its website (just search for it on Google). I'll use a script tag to deliver it, and the payload will look like this:

<script>[JSFuck encode here]</script>

I didn't include the encoded payload because it's very long, but it will be executed.

Now, how can I fix this bug? If you're using PHP you can simply use this function:

htmlspecialchars(string);

This function encodes the special characters, so the value is no longer exploitable.
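As an added example (not from the post): a Python check of the fix above. html.escape(q, quote=True) stands in for PHP's htmlspecialchars() with ENT_QUOTES, and a hand-rolled encoder stands in for the pre-PHP-8.1 default, which leaves single quotes alone. The render_* and injected_handlers names are my own; the check renders the input tag from the post around the reflected value and parses the result to see whether any event-handler attribute leaked onto the tag.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the attribute-breakout payload from the post,
# and the same payload with its quote matched to a single-quoted attribute.
PAYLOAD_DQ = '" onmouseover="alert(1337)'
PAYLOAD_SQ = "' onmouseover='alert(1337)"


def render_unsafe(q, quote='"'):
    """The vulnerable template from the post: q is reflected as-is."""
    return f'<input type="text" name="q" value={quote}{q}{quote}>'


def render_partial(q, quote='"'):
    """Encodes like htmlspecialchars() without ENT_QUOTES (the default before
    PHP 8.1): & < > and the double quote are encoded, the single quote is not."""
    enc = (q.replace('&', '&amp;').replace('<', '&lt;')
            .replace('>', '&gt;').replace('"', '&quot;'))
    return f'<input type="text" name="q" value={quote}{enc}{quote}>'


def render_safe(q, quote='"'):
    """Encodes like htmlspecialchars($q, ENT_QUOTES): both quote styles encoded."""
    return f'<input type="text" name="q" value={quote}{html.escape(q, quote=True)}{quote}>'


class InputAttrs(HTMLParser):
    """Collects the attributes a parser sees on the <input> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.attrs = dict(attrs)  # attribute values arrive already unescaped


def parse_input_attrs(markup):
    p = InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


def injected_handlers(markup):
    """Event-handler attributes that ended up on the tag; an empty list means
    the reflected value stayed inside the value attribute where it belongs."""
    return sorted(k for k in parse_input_attrs(markup) if k.startswith('on'))


if __name__ == '__main__':
    for name, render in [('unsafe', render_unsafe), ('partial', render_partial), ('safe', render_safe)]:
        for q, quote in [(PAYLOAD_DQ, '"'), (PAYLOAD_SQ, "'")]:
            print(f'{name:8} {quote}-quoted attribute -> handlers: {injected_handlers(render(q, quote))}')
```

The partial encoder only holds for double-quoted attributes; if the template quotes the value with single quotes, pass ENT_QUOTES (the default since PHP 8.1) or htmlspecialchars leaves the same breakout open.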

In the end, I'll say it again: these are not all of the filters and bypasses, I just wanted to share a few of them, and again you can create your own payloads and think outside the box.

See you soon, goodbye!
