Sometimes a simple XSS query just won't do the trick. The reason your query isn't working is that the website has a WAF or filter in place, which blocks as many XSS and SQLi queries as it can. In this case, we're dealing with XSS. There are many ways of bypassing XSS filters, but I will only explain a few.
Hex Bypassing
With blocked characters like >, <, and /, it is quite difficult to execute an XSS query. Not to worry, there's always a solution :) You can change your characters into hex: each character is replaced by a % followed by the hex value of its ASCII code (URL encoding), so it is the same character, just in a different format. These should help you out:
> = %3e
< = %3c
/ = %2f
http://centricle.com/tools/ascii-hex/
You want to hex the whole script:
"><script>alert("XSS")</script>
Now add the encoded version to the vulnerable site's parameter, like below:
http://www.vulnXSSsite.com/search.php?q=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e
ASCII Bypassing
With ASCII encoding, we can get around a filter that blocks the " character, which is blocked quite a bit. This is one of the most common XSS filter bypasses of all time: String.fromCharCode() builds the string from the decimal ASCII codes of its characters, so the script never contains a literal quote. A script that you would need to encode would look like this:
NOT WORKING SCRIPT
Code:
<script>alert("XSS")</script>
WORKING SCRIPT
Code:
<script>alert(String.fromCharCode(88,83,83))</script>
To encode your little part of a script, go to this site: http://www.wocares.com/noquote.php I use that site, and find it quite useful.
Case-Sensitive Bypassing
This kind of bypass rarely works, but it's always worth a shot. Some filters are set in place to detect certain strings, but the strings they block are matched CASE SENSITIVELY. So all we need to do is execute a script with the characters in different cases. This bypass would look like this:
Code:
<ScRiPt>aLeRt("XSS")</ScRiPt>
You can also mix that with ASCII encoding if you like. This kind of bypass only works on really stupid filters, or really REALLY old ones.
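All three bypasses above work for the same reason: the filter compares the raw parameter against a blocklist, while the browser sees something different after URL decoding, String.fromCharCode() evaluation, or case-insensitive tag matching. The percent-encoding trick in particular only slips past a filter that inspects the raw query string while the application decodes it before use. The following Python script is an added example written for this post, not the author's code or any real product's filter; the three naive filters, the sample inputs (the post's own payloads, used here as test fixtures) and the function names are constructed for illustration. It shows each post's payload against the filter it targets, the same blocklist applied after normalisation, and the actual fix, which is to escape the value at output instead of blocking strings at input.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: the payload shapes discussed in the post, as they
# would arrive in a ?q= parameter. These are test fixtures, not live traffic.
SAMPLES = {
    "plain": '"><script>alert("XSS")</script>',
    "percent_encoded": "%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e",
    "fromcharcode": "<script>alert(String.fromCharCode(88,83,83))</script>",
    "mixed_case": '<ScRiPt>aLeRt("XSS")</ScRiPt>',
}

# Three naive blocklist filters (hypothetical, modelled on the filter each
# section of the post describes). They look at the raw parameter as received.
NAIVE_FILTERS = {
    "angle_brackets": lambda raw: any(c in raw for c in "<>/"),
    "double_quote": lambda raw: '"' in raw,
    "script_tag": lambda raw: "<script>" in raw,  # case-sensitive match
}


def naive_verdicts(raw):
    """Which of the naive filters would block this raw input (True = blocked)."""
    return {name: check(raw) for name, check in NAIVE_FILTERS.items()}


_FROMCHARCODE = re.compile(r"string\.fromcharcode\(([\d,\s]*)\)", re.IGNORECASE)


def normalize(raw, max_rounds=3):
    """Canonicalise before matching: percent-decode until stable (bounded, so
    double-encoded input cannot loop forever), rebuild String.fromCharCode(...)
    literals into the characters they produce, then case-fold everything
    (HTML tag names are case-insensitive, so the detector must be too)."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"',
        s,
    )
    return s.lower()


def normalized_filter_blocks(raw):
    """The same blocklist idea, applied after normalisation."""
    s = normalize(raw)
    return "<script" in s or "alert(" in s


PREFIX, SUFFIX = "<p>Results for: ", "</p>"


def render_search_result(q):
    """The actual fix: no blocklist at all. Decode the parameter once (as a
    web framework would) and HTML-escape it where it is written into the page."""
    return PREFIX + html.escape(unquote(q), quote=True) + SUFFIX


def reflected_is_inert(rendered):
    """True when nothing in the reflected part can open a tag or break out of
    a quoted attribute, regardless of how the input was encoded."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    return not any(c in body for c in "<>\"'")


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(
            f"{name:16} naive={naive_verdicts(raw)} "
            f"normalized_blocks={normalized_filter_blocks(raw)} "
            f"escaped_inert={reflected_is_inert(render_search_result(raw))}"
        )
```

Running the script prints, for each sample, which naive filter misses it (the percent-encoded one gets past all three, the fromCharCode one past the quote filter, the mixed-case one past the tag filter), that the normalised check catches every sample, and that output escaping leaves every sample inert. The design point is that normalisation only shrinks the gap between what the filter sees and what the browser sees; escaping at output removes the gap entirely, which is why it is the mitigation to rely on.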