4

I'm trying to bypass some XSS filtering. Every time I insert a single quote I get a backslash, so I wrote this payload:

 \';alert(1);\'

In the source code it looks like this:

<script>
a = '\';alert(1);\''
</script>

but I still can't get an alert box. What is wrong?

S.L. Barth
Xozu
  • You can just pass `alert(1);//`. Also, I think more detail is needed on how this input is being executed in code – Sravan Aug 18 '16 at 08:58
  • It doesn't work.. – Xozu Aug 18 '16 at 09:08
  • What's the JS output for that? – Sravan Aug 18 '16 at 09:14
  • I don't get anything, I just don't get the alert box – Xozu Aug 18 '16 at 10:58
  • To be clear: you're saying that the generated script (inside the HTML script element) is the same whether your payload includes the backslashes or not, right? Also, I'm guessing not, but just in case: are you able to include an un-escaped `` in your payload? – CBHacking Dec 04 '19 at 22:29

3 Answers

3

It is impossible to know for sure without seeing the code that the server runs, but we can make some educated guesses:

  • Looks like there is a template looking something like this:

    a = '{escape(input)}';
    
  • You say ' gets replaced by \'.

  • From your example, it seems that \' being unaffected is an exception to the above rule (probably to prevent the very attack you were trying). This is a bit surprising - the normal thing to do would be to replace the \ with \\, so you would get \\\'.
  • There might be multiple other defences built in that you just haven't noticed yet because you haven't managed to bypass the first.

It is important to understand the context you want to escape from. In this case it is a JavaScript string literal (or Rule #3 in the OWASP cheat sheet). To get out of it, you have two options:

  1. Switch to a general JavaScript context. I think this can only be done by getting an unescaped ' in there. If \' is always unaffected no matter context, try \\'. If you are lucky, nothing is done about the first backslash. While you are at it, try different numbers of backslashes, just in case.

  2. End the script block to get into an HTML context. Try something like this:

    </script><script> alert(1); </script><script>
    

    Most likely the < will be escaped to &lt;, but it is worth a try.

See also this related question.

Anders
3
  • First method:

To bypass this filter you need to comment out the rest of your request at the end by adding //. However, in some XSS challenges they add '\' before '/', so you cannot bypass the filter using this method (http://sudo.co.il/xss/level5-2.php?p=test):

\';alert(1);//

To get the following:

<SCRIPT>var a="\\";alert(1);//";</SCRIPT>"

But sadly it didn't work for me and I got the following output:

<script>
a = '\\';alert(1);\/\/'
</script>
  • Second method:

If the first method didn't work, you need to think about another solution; the one that worked for me was adding the following to the link:

\';alert(1);<!--

Using the above code you can bypass the filter:

<script>
a = '\\';alert(1);<!--'
</script>
0

Bypass escaped double quote

Based on your description this should work:

\");alert("xss

The " will be escaped as \", thus resulting in \\", which escapes the \, but not the ".

To prevent this, you would at the very least have to also escape \ as \\.

Bypass escaped double quote and double backslash to single backslash

Based on your comment, I'm assuming the actual relevant parts of the filtering work like this:

" -> \"
\\ -> \

This isn't secure either. An injection might look like this:

\\");alert(1

" will be escaped as \" in step 1, which leads us to \\", which is then transformed to \" in step 2. You can't use double quotes in the injected string, but that's not a problem, as XSS with single quotes or completely without quotes is perfectly possible.

To secure this the double backslash would need to be escaped, not transformed to a single one, which would give us \\\\\" with the above described injection, which is safe.

  • I got you, but it's still not working. I inserted this payload: `'\\'-alert(1)-\''`. As you can see I closed the strings, but still don't get any alert :( – Xozu Aug 18 '16 at 11:01
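An added example, not code from the thread, that models in Node-runnable JavaScript the filters discussed above: the question's filter as the first answer guesses it, the two double-quote filters from the answer above, and correct \uXXXX encoding per OWASP Rule #3, together with a scanner that reports whether an escaped value closes the string literal early. The three flawed escapers are assumptions reconstructed from the thread's descriptions, and the payload constants are copied from the thread.

```javascript
// Added example, not code from the thread. Three escapers for the JavaScript
// string-literal context (OWASP Rule #3) plus a scanner that reports whether
// the escaped text closes the literal before the template's own closing quote.
// The flawed escapers are assumptions reconstructed from the thread's wording.

// Question's filter as the first answer guesses it: ' becomes \' unless a
// backslash already precedes it (hypothetical reconstruction).
function escapeQuoteUnlessEscaped(input) {
  return input.replace(/(?<!\\)'/g, "\\'");
}

// Third answer, step 1 only: escape " but never the backslash.
function escapeDoubleQuoteOnly(input) {
  return input.replace(/"/g, '\\"');
}

// Third answer, steps 1 and 2: escape " and then collapse \\ to a single \.
function escapeDoubleQuoteCollapse(input) {
  return escapeDoubleQuoteOnly(input).replace(/\\\\/g, '\\');
}

// Correct approach: \uXXXX-encode every character that is not a letter or
// digit, so the output holds no raw quote, backslash, <, / or line break.
function escapeJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g,
    ch => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Decode the \uXXXX form (JSON accepts exactly these escapes) for a round trip.
function decodeJsString(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Walk the escaped text as the tokenizer would inside a literal opened with
// `delim`: a backslash consumes the next character; a bare delimiter ends the
// literal early, which is the break-out every payload in the thread is after.
function breaksOutOf(escaped, delim) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === '\\') { i++; continue; }
    if (escaped[i] === delim) return true;
  }
  return false;
}

// Constructed inputs, copied from the payloads quoted in the thread.
const PAYLOAD_QUESTION = "\\';alert(1);\\'";
const PAYLOAD_ANSWER3_A = '\\");alert("xss';
const PAYLOAD_ANSWER3_B = '\\\\");alert(1';
```

Run through the scanner, the question's payload never closes the single-quoted literal (which is why no alert appears), the collapse step defeats the first double-quote payload but not the second, and the \uXXXX encoder round-trips every input without a single raw delimiter.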