These days most of the secured websites make filters to don’t allow cross site scripting attacks, however, we can bypass these filters by using the methods shown below. Sometimes, website owner uses cross site scripting filters (WAF) to protect against XSS vulnerability. We will learn, how to bypass these cross site scripting filters.
- Bypass magic_quotes_gpc (if it’s enabled )
- Bypass with encryption in html
- Bypass with Obfuscation
- Bypass with easy trying method
1. Bypass magic_quotes_gpc
The magic_quotes_gpc=ON is a PHP setting, it escapes the every (‘) single quote, (“) double quote with a (\) backslash automatically. For example, <scirpt>alert(“hi”);</script> will be filtered as <script>alert(\hi\)</script>. so the script won’t work now. You can use Hackbar extension to create the payloads with encryption. To bypass it we use :
We will write our code, in the () encrypted in ASCII like these:
String.fromCharCode(088, 083, 083)
Here we have converted the word XSS in ascii and now our payload is ready like these:
<script>alert(String.fromCharCode(088, 083, 083))</script>
Above payload will return the word ‘XSS’ and We have bypassed magic_quotes_gpc successfully.
2. Bypass with encryption in html
This method is simple. Here we will encrypt our payload in full HTTP
Our code is <script>alert(‘XSS’)</script> and after the encryption it will be like these:
Now you can inject the above payload as we have bypassed the filters.
3. Bypass with Obfuscation
Obfuscation is simple. This filter doesn’t allows these words: script, alert
To bypass it, we will change “script” with “sCriPt”, and “alert” with “ALerT” and after that your payload will look like these:
<sCriPt>ALerT(“i am here”)</sCriPt>
and we’ve bypassed the filter.
4. Bypass with easy trying method
Generally, this method lies in the search boxes, we just add (“>) at the beginning of the payload like these:
and we’ve bypassed the filter with the above payload. You can try above four methods in Firefox because XSS Auditor is a built-in function of Chrome and Safari designed to mitigate Cross-site Scripting (XSS) attacks. XSS Auditor takes a black list approach to identify dangerous characters and tags supplied in request parameters. It also attempts to match query parameters with content to identify injection points. If the query parameter can’t be matched to content in the response, the auditor will not be triggered. Below is the example of the file upload XSS.