Bypass Cross-site scripting (XSS) filtering using HEX Encoding

by do son · Published · Updated

Cross-site scripting (XSS) is a common vulnerability in Web vulnerability analysis. In many cases, it was easy to enter without filtering easily, but most of the services analyzed had strong filtering. However, there are rules in this filtering as well, and hackers can easily bypass filtering rules. In this circumstance, I would like to see a filtering bypass through HEX Encoding.

1. What is HEX Encoding?

HEX encoding is a way to represent hex data on the web via string “& # x”. It is called hex encoding to make it comfortable.

2. Insert simple XSS filter and general XSS syntax
The principle is simple. If you append 41 & # x to the hex value representing A, it means & # x41, that is, text A.
Most XSS filters use the special characters & lt; & Gt; Etc. I’d like to convert to an attacker being able to use the script,
this section is verified if the filtering for user input, an attacker can bypass the filtering rules by using the encoded data.

For example, consider the following XSS filtering function.

<?
function XSSFilter($inputString)
{
$output = str_replace(“<“,”&lt;”,$inputString);
$output = str_replace(“>”,”&gt;”,$output);
return $output;
}
?>

<?
$sqlIn = $_GET[‘title’];
$sqlIn = XSSFilter($sqlIn);
db_connect($sqlIn);

?>

It’s a code that has been written roughly, so it may not actually run. However, in the above case, if you send a value to the title parameter with get and write to the post through db_connect <> Is filtered for the string. Since most bulletin boards require tagging, we usually apply the XSS filter in the insert section.

/?title=<script>alert(1)</script> When you put the attack syntax in the form of the following, the posts will be filtered and appear as below.
&lt;script&gt;alert(45)&lt;/script&gt;

3. XSS through HEX Encoding
Let’s try inserting the XSS syntax in a slightly different way than the one above. In the same way, we put the script syntax in the title parameter, but we put it in hex.
/?title=%26%23x003C;script%26%23x003E;alert(1)%26%23x003C;/script%26%23x003E;

The XSSFilter function that is created in the above transmission is not filtered by the str_replace function. If the hex encoding is released when the DB is saved and exposed on the bulletin board, the following complete script syntax appears.

<script>alert(1)</script>

4. Bypassing XSS

In fact, I do not think there is anything about XSS bypassing methods. By default, the encoding is widely known, but actually I think the most important thing that seems to be a function of the XSS filter rules. BBT (BlackBoxTest) in the inferred rules through repeated testing and speculation, etc. because you can not see the code, you can succeed in bypassing the rules XSS attacks hayeoyaman find loopholes in it.

Tags: webapp pentestXSS