fudf
Reputation: 119
Bypassing XSS escape filter
How I can bypass XSS filter if it escape this symbols: &, <, >, \, '?
Upvotes: 0
Views: 2485
Answers (1)
Gil Cohen
Reputation: 846
It depends on where the injection goes. Here is an example of XSS without the forbidden characters:
Let's say a page receives a picture file name and displays it, and does not encode the quote character:
https://contoso.com/displaypic?source=111.jpg
<img src="111.jpg"></img>
If you access this URL, you have yourself XSS:
https://contoso.com/displaypic?source=a"+onerror="alert(111)
<img src="a" onerror="alert(111)"></img>
Upvotes: 1
Related Questions
- Bypass HTML Encoding/Escaping for XSS
- How to bypass below script
- XSS without HTML tags
- DOM XSS and Javascript Escaping
- Bypass URL encoding(client side) to perform XSS
- XSS filter to remove all scripts
- html escaping, and how I may get owned
- Can you still XSS against this filter?
- XSS in IE - Way to bypass?
- Avoiding XSS vulnerabilities - whitelist?