Hi friends, last time, i explained what is XSS and how an attacker can inject malicious script in your site. As i promised earlier, i am writing this advanced XSS tutorial for you(still more articles will come).
Sometimes, website owner use XSS filters(WAF) to protect against XSS vulnerability.
For eg: if you put the <scirpt>alert("hi")</script> , the Filter will escape the "(quote) character , so the script will become
<script>alert(>xss detected<)</script>Now this script won't work. Likewise Filters use different type of filtering method to give protection against the XSS. In this case, we can use some tricks to bypass the filter. Here i am going to cover that only.
1.Bypassing magic_quotes_gpcThe magic_quotes_gpc=ON is a PHP setting(configured in PHP.ini File) , it escapes the every ' (single-quote), " (double quote) and \ with a backslash automatically.
<scirpt>alert("hi");</script> will be filtered as <script>alert(\hi\)</script>.so the script won't work now.
This is well known filtering method, but we can easily bypass this filter by using ASCII characters instead.
For Eg: alert("hi"); can be converted to
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)so the script will become <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>. In this case there is no "(quotes) or '(single quotes) or / so the filter can't filter this thing. Yes, it will successfully run the script.
How to convert to ASCII values?
There are some online sites that converts to ASCII character. But i suggest you to use Hackbar Mozilla addon .
After installing hackbar add on ,press F9. It will open the small box above the url bar. click the XSS->String.fromCharCode()
copy the code into the <script></script> inside and insert in the vulnerable sites
hxxp://vulnerable-site/search?q=<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
2.HEX Encodingwe can encode our whole script into HEX code so that it can't be filtered.
For example: <script>alert("Hi");</script> can be convert to HEX as:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3eNow put the code in the vulnerable site request.
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3eConverting to HEX:
This site will convert to hex code: http://centricle.com/tools/ascii-hex/
3.Bypassing using ObfuscationSome website admin put the script,alert in restricted word list. so whenever you input this keywords, the filter will remove it and will give error message like "you are not allowed to search this". This can bypassed by changing the case of the keywords(namely Obfuscation).
This bypass technique rarely works but giving trial is worth.
4. Closing TagSometimes putting "> at the beginning of the code will work.
This will end the previous opened tag and open our script tag.
Conclusion:From above article, it is clear that XSS filters alone not going to protect a site from the XSS attacks. If you really want to make your site more secure, then ask PenTesters to test your application or test yourself.
Also there are lot of different filter bypassing technique, i just covered some useful techniques for you.