Bypass XSS filters in Web Applications

Avoid cross site scripting (XSS) The two main techniques of vulnerability are XSS Filtering and XSS escape . However ,XSS Filtering is not desirable , Because it can usually use clever strategies to avoid .

In this tutorial , We will explain some technologies that hackers may use in their malicious code , To easily bypass Web In the application XSS filter .

XSS How filtration works

XSS Filters run by locating common patterns that can be deployed as cross site scripting attack vectors and deleting such code snippets from user input data .

Regular expressions are most often used to discover patterns . It's very difficult , Because the mode that can represent the cross site script payload can also be legally deployed as web content . therefore , The filter should be able to avoid false positives .

Besides ,Firefox、Google Chrome and Internet Explorer Etc. contemporary Web The browser is in the wrong format HTML Strong fault tolerance in code .

Besides ,JavaScript Very flexible , And the same practicality can often be expressed in various ways . Hackers can avoid common by deliberately building XSS Search pattern code to take advantage of these situations .

In theory , Build a practical and reliable XSS The filter is feasible . For all that , The complexity of filters can be huge , And there is the possibility of hackers inventing a new way to bypass . therefore , Escape is considered to prevent Cross site scripting attacks More directly advocate technology .

XSS Filter bypass technology

Deploy character encoding

Subsequent cross site script vectors deployed to overcome the filter are based on encoded characters that can start the filter .

Hackers use a variety of coding methods , for example HTML Entities and Base64. Coding depends on exactly what needs to be coded . for example ,href label URL Support URL code , But the tag name does not support .

for example , To cheat search is common ASCII Pattern filter , Hackers can replace

and

please remember , Actors can skip any or all semicolons .

If the filter knows how to confirm coding attempts , Then participants can try to cheat it by deploying decimal encoding with padding and skipping semicolons .

for example , The following is equivalent to alert：

Cheat regular expressions

Sometimes , Bypassing the filter only requires finding a deception Regular expressions Technology .

for example , Attackers can use parenthesized false tags , for example ：

If the regular expression is not written correctly , It will assume that the script tag ends with an initial closing parenthesis .

Besides , Notice how to call this file to imitate JPG Image and skill filters for searching for specific file extensions .

Use atypical event handlers

Although many XSS Filters in ordinary event handlers （ Such as onerror、onfocus、onclick、onmouseover or ） Medium test possible JavaScript onclick, But participants can try various other event handlers . for example , Event handlers related to checkboxes , Such as onfinish and onstart.

You can find the most extensive online List of handlers for .

Use atypical delimiters

There are many characters that can be deployed as separators instead of spaces . Modern web browsers will still execute code correctly .

for example , Attackers can deploy single quotes 、 Double and back quotes （ Only applicable to many Web browser ）.

One example is ：

Besides , Hackers may try to use extra angle brackets and slashes （ Comment on ） To cheat the filter .

for example ：

Modern web browsers are usually very tolerant , You can even execute subsequent code correctly ：

Besides , please remember , The initial space after the label name can be replaced with more delimiters . for example , Actors can replace it with a slash ：

Case processing and character insertion

In case the filter is case sensitive , If the opponent deploys a different case than expected , You may be cheated .

for example , Hackers can deploy <sCrIpT>、<SCRIPT> or <Script>.

Besides , modern Web Browsers usually ignore participants in HTML Line breaks inserted in tags 、 Extra space 、 Tabs and carriage returns .

for example , Hackers can use <script[\x09]>、<script[\x10]>、<script[\x13]> or <script   >.

Besides , Hackers can try to insert empty bytes anywhere . for example ：<[\x00]script>.

Labels and properties

Many filters only focus on public tags . therefore , Attackers may deploy unusual tags to bypass them , for example <svg>.

However , Filters often forget to include obvious labels , Such as <body onload=alert(document.cookie)>.

Intentional mistake

Although intentional mistakes may help hackers bypass many filters , But Web browsers still understand the context .

When hackers are in the wrong place 、 When you use quotation marks out of order or just forget to include the relevant quotation marks , This is especially the case .

therefore , One example is ：

therefore , Although the code will still execute , But the value after the unclosed quotation marks may cheat the filter , Because most Web The browser will treat the quotation marks as closed and fix the code internally .

Other intentional errors used to spoof filters may involve including garbage content after the tag name .

Some contemporary web browsers will completely ignore the content . therefore , Opponents can <script/anything> utilize <script>.

Conclusion

As we can see , Hackers can easily bypass Web Cross site script filters in applications . Filter avoidance continues to develop , When new technologies are discovered , It is not surprising that new technologies will appear in the future .

Multiple technologies can be deployed at the same time to improve the avoidance efficiency . for example , Actors can use similar Base64 Coded meta label ：refresh