Breaking the barrier: Bypassing XSS filters

Cross-site scripting (XSS) is often assumed to be a low-level threat and is neglected by web developers during the development and deployment of web applications. But the past years have seen a tsunami of XSS, taking this attack methodology to second position on the OWASP chart of security threats. The impact of this vulnerability is assumed to be minimal, yet when a properly coordinated attack is performed the aftermath can be severe. In info-sec projects we have all faced situations where it is very hard to make a client appreciate the hidden power of XSS. And even when the client is made aware, the patch is often done incompletely, i.e. the filters can be bypassed. Today we will look at some workarounds that help in bypassing XSS filters.

Bypassing using encoding: This is one of the most practised methods of bypassing XSS filters. The concept is simple: encode the JavaScript and inject it into the URL, so that a filter looking for the plain text does not see it. Below is a small JavaScript function that we made for the encoding:

function urlEncode(str){
    // escape() percent-encodes most characters other than letters, digits and @*_+-./
    // (it is a legacy function; encodeURIComponent is the modern equivalent)
    str = escape(str);
    // escape() leaves '+' untouched; encode it so it is not read back as a space
    str = str.replace(new RegExp('\\+', 'g'), '%2B');
    // use the '+' form for spaces, as query strings commonly do
    return str.replace(new RegExp('%20', 'g'), '+');
}

Next we use this function in an HTML page with two boxes: one in which the script to be encoded is typed, and one that displays the encoded script.

This method bypasses filters that look for literal strings such as <script> in the raw request, because the server decodes the URL before the value is reflected into the page.
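The following is an added example, not code from the original post, showing the point from the defender's side: a keyword filter that inspects the raw, still percent-encoded query string misses what the server decodes a moment later, while canonicalising the value before the check closes that gap. The blocked patterns, the filter functions and the sample inputs are all constructed for the demonstration.

```javascript
// Added example (not from the original post): a keyword filter applied to the raw,
// still percent-encoded query string misses what the server will decode a moment
// later. Canonicalising (decoding) before the check closes that gap.
// The blocked patterns, the filter and the sample inputs are constructed here.

const BLOCKED_PATTERNS = ["<script", "alert("];

// A naive filter of the kind the post describes: it looks for literal patterns in
// whatever it is handed, so an encoded value passes straight through.
function naiveBlacklist(value) {
  const lower = value.toLowerCase();
  return BLOCKED_PATTERNS.some((p) => lower.includes(p));
}

// Decode %XX escapes and the '+' form of space, repeating until the value stops
// changing so that double encoding (%253C -> %3C -> <) is also unwound.
// A malformed escape makes decodeURIComponent throw; the value is then returned
// as far as it was decoded rather than being silently accepted.
function canonicalise(value) {
  let current = value;
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch (err) {
      return current;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// The same filter, but applied to the canonical form of the input.
function canonicalBlacklist(value) {
  return naiveBlacklist(canonicalise(value));
}

// Constructed samples: the plain payload from the post, the form the post's
// urlEncode() produces for it (escape() leaves letters, digits and / untouched),
// and a double-encoded variant.
const PLAIN = "<script>alert('xss')</script>";
const ENCODED = "%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E";
const DOUBLE_ENCODED = "%253Cscript%253Ealert%2528%2527xss%2527%2529%253C/script%253E";

for (const sample of [PLAIN, ENCODED, DOUBLE_ENCODED]) {
  console.log(sample);
  console.log("  naive filter blocks:     ", naiveBlacklist(sample));
  console.log("  canonical filter blocks: ", canonicalBlacklist(sample));
}
```

Canonicalising before validation removes this particular gap, but a blacklist remains a fragile control; the reliable mitigation is to encode the value for the HTML context it is written into, whatever it contains.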

Bypassing using obfuscation: We have seen obfuscation used in programming and elsewhere. In some cases website developers put keywords like script and alert on a restricted word list, so whenever an attacker inputs these keywords the filter removes them and returns an error message like "you are not allowed to search this". A filter that compares against this list case-sensitively can be bypassed by changing the case of the keywords. For example, <script>alert('xss')</script> can be changed to <ScRiPt>AlErt('xss')</ScRiPt>

Bypassing magic_quotes_gpc: Many times magic_quotes_gpc is in use. In that case the server does not let ", \ and ' through unescaped: the classic <script>alert("xss");</script> is stored as <script>alert(\"xss\");</script>, so the injected script no longer works. This widely used filtering concept can be bypassed using ASCII character codes: the content inside the () is written as a list of ASCII codes. For example, the classic script would appear as <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>

Bypassing using a closing tag: Many times this workaround proves to be one of the most successful. When the input is reflected inside an attribute value, simply prefixing a closing sequence such as "> terminates that attribute and its tag, and the website can be XSSed. For example, the classic script <script>alert("xss")</script> would be written as "><script>alert("xss")</script> .
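The three filter weaknesses above (case-sensitive keyword lists, backslash-escaping of quotes, and input reflected into an attribute) share one root cause: the page concatenates the value into HTML without encoding it for that context. The following added example, not code from the original post, renders the same reflected search value three ways to show why quote escaping does not help and why contextual HTML encoding needs no keyword matching at all. The page template, the addslashes approximation and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original post): the same reflected search value
// rendered three ways. Escaping quotes with backslashes (what magic_quotes_gpc
// did) leaves < and > alone, so case-varied tags and attribute break-outs still
// become markup; HTML-encoding for the output context defuses them without any
// keyword matching. The page template and the inputs are constructed here.

// Encode a value for placement inside HTML element text or a quoted attribute.
// & is handled first so that entities produced by later steps are not re-encoded.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Approximation of PHP's magic_quotes_gpc / addslashes(): prefix ' " and \ with a
// backslash. It never touches < or >.
function addSlashes(value) {
  return String(value).replace(/[\\'"]/g, (c) => "\\" + c);
}

// Constructed page template: the search term is reflected into a double-quoted
// attribute value and into element text, the two contexts in the post's examples.
function renderRaw(q) {
  return '<input type="text" name="q" value="' + q + '">' +
         "<p>Results for " + q + "</p>";
}

function renderWithMagicQuotes(q) {
  return renderRaw(addSlashes(q));
}

function renderSafe(q) {
  return renderRaw(encodeForHtml(q));
}

// Checks used to compare the renderings: does a script start tag appear in any
// letter case, and how many tags were opened? The template alone opens exactly
// three (<input ...>, <p>, </p>).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function countOpenAngles(html) {
  return (html.match(/</g) || []).length;
}

const TEMPLATE_TAGS = countOpenAngles(renderRaw(""));

// Constructed sample inputs, taken from the post's examples.
const CASE_VARIED = "<ScRiPt>AlErt('xss')</ScRiPt>";
const ATTRIBUTE_BREAKOUT = '"><script>alert("xss")</script>';

for (const input of [CASE_VARIED, ATTRIBUTE_BREAKOUT]) {
  console.log("input:", input);
  console.log("  raw concatenation: script tag present =", containsScriptTag(renderRaw(input)));
  console.log("  magic_quotes:      script tag present =", containsScriptTag(renderWithMagicQuotes(input)));
  console.log("  HTML-encoded:      script tag present =", containsScriptTag(renderSafe(input)),
              "| tags opened =", countOpenAngles(renderSafe(input)), "(template alone:", TEMPLATE_TAGS + ")");
}
```

encodeForHtml covers only the two contexts in this template, element text and a double-quoted attribute value. A value written into a JavaScript string, a URL or a CSS property needs the encoder for that context, which is why a single filter applied on input cannot stand in for output encoding.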

The methods above are some of the available workarounds for bypassing XSS barriers. Is your web application ready to face the latest security threats? Contact us today for a complete Web Application Penetration Testing Service.

  • Me

    Nice, thanks! ;)