HellBound Hackers | Computer General | Web hacking

Alternative Ways to get past Entity Blocking (XSS)

RuneArt
Member
Posts: 1
Location:
Joined: 02.06.19
Rank:
Newbie
Posted on 02-06-19 14:37
Many websites simply remove HTML entities from your search.

For example this websites does:

Adds a / before " or '

This would mean if you typed alert("hey") it would get changed to alert(/"hey/")

How could one get past this?

(Encoding the HTML Entities does not work.)
RE: Alternative Ways to get past Entity Blocking (XSS)

Futility
Member
Posts: 757
Location: USA
Joined: 17.12.07
Rank:
God
Posted on 05-06-19 14:07
It looks like what you're dealing with (at least from an outward perspective, who knows exactly how it's being implemented), is a call to the PHP function addslashes(). I would suggest reading up on bypasses for that particular call, as there are many generic XSS payloads that can do it.

Now to be clear, that's just from a preliminary look at a single set of outputs. Generally speaking, one would have to observe a much larger number of requests/responses to get a feel for what the filter is actually doing before making a guess with any strong merit. There are rarely one-size-fits-all payloads in the modern age of injection, so copy/pasting from random sites is unlikely to yield any strong results.
Futility91@hotmail.com Futility91
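An added example, not from this thread or from PHP itself: a Python re-implementation of PHP's addslashes() (named `addslashes` here, an assumption for illustration) placed beside context-aware encoders, to show why slash-escaping leaves a raw quote in HTML output while proper encoding for the attribute and script contexts does not. The sample input is constructed.

```python
import html
import json

def addslashes(s: str) -> str:
    """Re-implementation of PHP addslashes(): a backslash before ' " \\ and NUL.
    It escapes for a string-literal context, not for HTML, so it is not an XSS defence."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def render_attr_with_addslashes(user_input: str) -> str:
    # What a site that only "adds a slash before quotes" effectively emits.
    return f'<input value="{addslashes(user_input)}">'

def render_attr_encoded(user_input: str) -> str:
    # HTML attribute context: entity-encode & < > " ' (PHP: htmlspecialchars with ENT_QUOTES).
    return f'<input value="{html.escape(user_input, quote=True)}">'

def render_js_encoded(user_input: str) -> str:
    # Inline-script context: JSON-encode the value, then also escape < and >
    # so the browser's HTML parser can never see a closing </script> inside it.
    literal = json.dumps(user_input).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var q = {literal};</script>"

def raw_quote_inside_attr(rendered: str) -> bool:
    """True if a raw double quote survives between the attribute delimiters,
    i.e. the browser will close the attribute early regardless of any backslash."""
    inner = rendered[len('<input value="'):-len('">')]
    return '"' in inner

SAMPLE = 'say "hi"'  # constructed sample input

if __name__ == "__main__":
    print(render_attr_with_addslashes(SAMPLE))  # backslashes, but the quotes are still there
    print(render_attr_encoded(SAMPLE))          # quotes become &quot;
    print(render_js_encoded("</script>"))       # tag characters neutralised inside the literal
```

The backslash is meaningless to an HTML parser, so the attribute boundary is only preserved by the encoder that targets the HTML context the value lands in.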
RE: Alternative Ways to get past Entity Blocking (XSS)

Huitzilopochtli
Member



Posts: 1622
Location:
Joined: 19.02.13
Rank:
God
Posted on 05-06-19 23:48
You're always better off using numbers when you're looking for XSS vulnerabilities, as they don't need to be wrapped in single or double quotes, so you wouldn't accidentally trip any filters that were intended to prevent SQL injection.

You said encoding HTML Entities doesn't work, have you tried double encoding it, or even using backticks?

If it's sent via POST, check to see if it can also be sent as a GET, as the filters are often different for data sent via the URL.

Failing that, you should make a list of any special chars that do pass the filters, then you'll know what you have to work with.

RE: Alternative Ways to get past Entity Blocking (XSS)

gobzi
Member



Posts: 118
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 18-06-19 12:55
http://www.jsfuck. . .


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr

Edited by gobzi on 18-06-19 12:55
goo.gl/8st1AR