Many websites simply remove HTML entities from your search.
For example this website does:
Adds a / before " or '
This would mean if you typed alert("hey" it would get changed to alert(/"hey/"
How could one get past this?
(Encoding the HTML entities does not work)
It looks like what you're dealing with (at least from an outward perspective, who knows exactly how it's being implemented) is a call to the PHP function addslashes(). I would suggest reading up on bypasses for that particular call, as there are many generic XSS payloads that can do it.
Now to be clear, that's just from a preliminary look at a single set of outputs. Generally speaking, one would have to observe a much larger number of requests/responses to get a feel for what the filter is actually doing before making a guess with any strong merit. There are rarely one-size-fits-all payloads in the modern age of injection, so copy/pasting from random sites is unlikely to yield any strong results.
You're always better off using numbers when you're looking for XSS vulnerabilities, as they don't need to be wrapped in single or double quotes, so you wouldn't accidentally trip any filters that were intended to prevent SQL injection.
You said encoding HTML entities doesn't work; have you tried double encoding it, or even using backticks?
If it's sent via POST, check to see if it can also be sent as a GET, as the filters are often different for data sent via the URL.
Failing that, you should make a list of any special chars that do pass the filters; then you'll know what you have to work with.
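An added example, not from anyone in this thread, showing why the quote-slashing the first reply guessed at (addslashes()) is not an HTML output encoder and what a developer should use instead: addslashes() touches only quotes and backslashes, while context-aware encoding neutralises every HTML and JavaScript metacharacter. The function names and the sample value are constructed for this example.

```php
<?php
// Added example, not the thread's code. Compares PHP's addslashes() with
// context-aware output encoding on one constructed sample value.
declare(strict_types=1);

// The filter the thread describes: only ' " \ and NUL get a prefix.
// < > & = / pass through untouched, so HTML structure can still change.
function quoteOnlyFilter(string $input): string
{
    return addslashes($input);
}

// Encoding for an HTML text node or attribute value. ENT_QUOTES covers
// both quote styles, so the value is safe in single- or double-quoted
// attributes as well as in text content.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for a string literal inside a <script> block. The HEX flags
// turn < > & ' " into \uXXXX escapes, so the literal can neither close
// the string nor the script element.
function encodeForJsString(string $input): string
{
    return json_encode(
        $input,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Review check: does any raw HTML metacharacter survive the transform?
function leavesHtmlMetachars(string $encoded): bool
{
    return preg_match('/[<>"\'&]/', $encoded) === 1;
}

$sample = 'term" <i>x</i> & \'y\'';   // constructed sample input

foreach (['addslashes' => 'quoteOnlyFilter',
          'htmlspecialchars' => 'encodeForHtml',
          'json_encode' => 'encodeForJsString'] as $label => $fn) {
    $out = $fn($sample);
    printf("%-16s %-45s raw metachars left: %s\n",
        $label, $out, leavesHtmlMetachars($out) ? 'yes' : 'no');
}
```

Run with `php example.php`: the addslashes() row still contains `<`, `>` and `&`, whereas both encoders leave no raw metacharacter for the browser to interpret.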
http://www.jsfuck. . .
Edited by gobzi on 18-06-19 12:55