[XSS] Reflected XSS Bypass Filter

Mohamed Sayed
Apr 22, 2019 · 2 min read

I would like to write about this one: it took some time to bypass the filter and some more time to find the right HTML tag to build a payload.

I was testing on a private program, let's call it example.com. I found a search field, so I started testing it with my lovely value '"><  to learn what would be blocked. The value was reflected in a lot of places in the source code, and almost all of them were HTML-encoded, but it was also reflected inside a dfn tag without any encoding, so there was hope of finding an XSS. I added an XSS payload, but it redirected me to a block page because the < and > characters were not accepted. After a few minutes I understood how the filter works: it blocks the request if < is connected to anything, like the word in <svg or a special character as in <!, and if I write a complete HTML tag the filter deletes the whole tag. I tried to bypass it using URL-encoding, but that didn't work, so I tried double encoding, and that bypassed it. I wrote a payload like %253Csvg onload=alert(0)%253E. This payload was added to the source code, but there was another problem: the filter deleted the =. I tried a lot to bypass this but I couldn't :( I said to myself, what? After all this time I couldn't execute an XSS payload.

I asked my friends about payloads without the = and I asked Google, but I didn't find anything. The problem wasn't there; the problem was that my mind was asleep, and when it woke up I got it.

I had forgotten the king of XSS payloads, <script>alert(0)</script>. WOW, I don't know how I forgot it, but this is our guy. So I double-encoded it the same way and tried to execute it, but there was one more problem: the two characters ( and ). I replaced them with backticks (``) and the payload executed. I was WooooooooooW.
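To make the defender's lesson concrete, here is an added example (not code from the original post or from the program described) that models the three filter rules the write-up observed and runs the three attempts through two rendering paths: the weak one that decodes twice and inserts the value raw into the dfn tag, and a safe one that HTML-encodes at the point of output. The filter rules, the decode order and the sample query strings are my assumptions, reconstructed only from what the post states.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of the blocklist filter as the write-up describes it
# (assumption: the real rules were never published):
#  1. send the request to a block page when "<" is joined to a tag name
#     or a special character, e.g. "<svg" or "<!"
#  2. delete any complete HTML tag
#  3. delete every "=" character
def blocklist_filter(value):
    """Return the filtered string, or None when the request would be blocked."""
    if re.search(r"<[A-Za-z!/]", value):
        return None
    value = re.sub(r"<[^>]*>", "", value)
    return value.replace("=", "")


def render_dfn_weak(raw_query):
    """Assumed server path: decode once, filter, decode again, insert raw into <dfn>."""
    once = unquote(raw_query)            # web server turns %25 into %
    filtered = blocklist_filter(once)
    if filtered is None:
        return "<h1>blocked</h1>"
    # the application URL-decodes a second time before templating,
    # so %3C becomes < only after the filter has already run
    return "<dfn>" + unquote(filtered) + "</dfn>"


def render_dfn_safe(raw_query):
    """Same decode steps, but the value is HTML-encoded in the element context at output."""
    value = unquote(unquote(raw_query))
    return "<dfn>" + html.escape(value, quote=True) + "</dfn>"


# Constructed sample inputs mirroring the write-up's three attempts.
SINGLE_ENCODED_SVG = "%3Csvg onload=alert(0)%3E"
DOUBLE_ENCODED_SVG = "%253Csvg onload=alert(0)%253E"
DOUBLE_ENCODED_SCRIPT = "%253Cscript%253Ealert`0`%253C/script%253E"

if __name__ == "__main__":
    attempts = [
        ("single-encoded svg", SINGLE_ENCODED_SVG),
        ("double-encoded svg", DOUBLE_ENCODED_SVG),
        ("double-encoded script", DOUBLE_ENCODED_SCRIPT),
    ]
    for label, query in attempts:
        print(f"{label:22} weak: {render_dfn_weak(query)}")
        print(f"{'':22} safe: {render_dfn_safe(query)}")
```

Running it shows the same story the post tells: the single-encoded tag hits the block page, the double-encoded svg survives but loses its = so the handler never forms, and the double-encoded script tag with backticks lands in the page untouched. The safe path neutralises all three with one change, because output encoding does not care how many decode passes came before it. A blocklist that inspects the request before the last decode can always be outrun; for detection, a query parameter containing %25 followed by 3C or 3E is a cheap signal worth logging.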

I like this bug, and I like you for reading to the end of the topic. I hope it is helpful to you guys. Thanks for reading, goodbye.

Mohamed Sayed

Written by

My name is Mohamed my nickname is Flex, I’m a Bug Hunter at HackerOne and Synack Red Team Member.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew