Bypassing XSS Filtering: Innovative XSS Guides for Web Application Pen Testing



Sometimes webmasters use XSS filters (WAFs) to protect against XSS weaknesses.
For example, if you submit <script>alert("hi")</script>, the filter will replace the " (quote) character, so the script becomes
<script>alert(>xss detected<)</script>
Now this script won't execute. Filters use different kinds of filtering techniques to protect against XSS. In these situations we can use some techniques to evade the filter. That is all I am going to cover here.

1. Bypassing magic_quotes_gpc

magic_quotes_gpc=ON is a PHP setting (configured in the php.ini file); it automatically escapes every ' (single quote), " (double quote) and \ with a backslash.
For example:
<script>alert("hi");</script> will be filtered to <script>alert(\"hi\");</script>, so the script won't execute now.

This is a well-known filtering technique, but you can bypass this filter by using ASCII codes instead.
For example: alert("hi"); can be transformed to
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)
so the script becomes <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>. In this case there is no " (double quote), ' (single quote) or \ in the input, so the filter has nothing to escape. Yes, the script will run.
String.fromCharCode() is a JavaScript function that converts ASCII values to characters.

How to convert to ASCII values?
There are some websites that convert text to ASCII character codes, but I recommend the Hackbar Mozilla add-on.

After installing the Hackbar add-on, press F9. It will open a small bar above the URL bar. Simply select XSS -> String.fromCharCode().

Now a small window will pop up. Enter the value, for example alert("Hi"), and click the OK button. Now we have the result.

Copy the value inside <script></script> and place it in the vulnerable site's request.

For example:
hxxp://vulnerable-site/search?q=<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>

2. HEX Encoding

We can encode our whole script as hex values so that it can't be filtered.
For example: <script>alert("Hi");</script> can be converted to hex as:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Now put the value in the vulnerable website's request.
For example:
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Converting to HEX:
This website will convert text to hex code: http://centricle.com/tools/ascii-hex/

3. Bypassing using Obfuscation

Some website administrators put the words script and alert in a restricted-word list, so whenever you enter these search terms the filter will remove them and show an error message like "you are not allowed to search for this". This can be sidestepped by changing the case of the keywords (i.e. obfuscation).
For example:
<ScRipt>ALeRt("hi");</sCRipT>

This bypass strategy rarely works, but it is worth a try.

4. Closing Tag

Sometimes placing "> at the start of the value will work.

"><script>alert("Hi");</script>

This will close the previously opened tag and start our script tag.
Example:
hxxp://vulnerable-site/search?q="><script>alert("Hi");</script>
Conclusion:
From the above content, it is obvious that XSS filtering alone is not going to secure a website from XSS attacks. If you really want to make your website more secure, then ask pentesters to test your application, or test it yourself.

There are also a lot of other filter bypass strategies; I have just covered some useful methods for you.
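To make the conclusion concrete, here is an added example (not from the original article) that replays the four inputs above against a magic_quotes-style escaper and a case-sensitive keyword blocklist, then shows that context-aware HTML output encoding leaves none of them as a live tag. The filter functions are simplified models of the behaviour described in sections 1 and 3, not real PHP or WAF code, and the sample inputs are constructed from the article's own payloads.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs modelled on the four bypass patterns the article walks through.
SAMPLES = {
    "plain": '<script>alert("hi");</script>',
    "charcode": '<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>',
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e",
    "mixed_case": '<ScRipt>ALeRt("hi");</sCRipT>',
    "close_tag": '"><script>alert("Hi");</script>',
}

def magic_quotes_filter(value: str) -> str:
    """Simplified model of magic_quotes_gpc: backslash-escapes quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")

def keyword_blocklist(value: str) -> bool:
    """Case-sensitive blocklist of 'script' and 'alert', as in section 3. True means the input is rejected."""
    return any(word in value for word in ("script", "alert"))

def contextual_encode(value: str) -> str:
    """Defensive alternative: URL-decode once, then HTML-entity encode for an HTML body or attribute context."""
    return html.escape(unquote(value), quote=True)

def has_live_script_tag(rendered: str) -> bool:
    """Would a browser parse an actual <script> start tag out of this rendered HTML?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None

def filter_outcomes() -> dict:
    """Per sample: did the quote filter change the script at all, did the blocklist reject it,
    and does output encoding leave no live tag? The server URL-decodes %xx before filters run."""
    results = {}
    for name, raw in SAMPLES.items():
        decoded = unquote(raw)
        results[name] = {
            "quote_filter_alters_script": magic_quotes_filter(decoded) != decoded,
            "blocklist_rejects": keyword_blocklist(decoded),
            "encoding_neutralizes": not has_live_script_tag(contextual_encode(raw)),
        }
    return results

if __name__ == "__main__":
    for name, result in filter_outcomes().items():
        print(f"{name:11} {result}")
```

The quote escaper leaves the fromCharCode input untouched and the case-sensitive blocklist passes the mixed-case input, while entity encoding at output time handles every sample without trying to recognise payloads.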