The Art of the Evasion: Advanced XSS Bypass Techniques You Need to Master


Introduction:

Cross-Site Scripting (XSS) remains a pervasive threat in web applications, allowing attackers to inject malicious scripts into content viewed by other users. As bug bounty programs evolve and security controls tighten, the ability to craft bypasses becomes a critical skill for both penetration testers and defenders. This article covers techniques that get past input filters and Web Application Firewalls (WAFs) whose protection rests on pattern blacklists rather than on context-aware output encoding.

Learning Objectives:

  • Understand the mechanics of modern filter evasion for XSS payloads.
  • Learn to manipulate character encoding and event handlers to bypass blacklists.
  • Develop a methodology for testing and exploiting XSS vulnerabilities in hardened environments.

You Should Know:

1. Bypassing Basic Tag Blacklists

Most defenses start by blacklisting common tags such as `<script>`, `<img>`, and `<iframe>`. The key to evasion is using less common tags, or HTML5 elements with their own event handlers, that are absent from the list but can still execute JavaScript.


<svg onload=alert`XSS`>
<details open ontoggle=alert(1)>
<video><source onerror=prompt(1)>

Step-by-Step Guide:

This technique leverages SVG (Scalable Vector Graphics) tags or HTML5 elements that support event handlers such as `onload` or `ontoggle`. The `onload` event on an inline `<svg>` tag fires as soon as the element is parsed, with no user interaction, executing the JavaScript. The `details` tag fires `ontoggle` whenever its open/closed state changes; because the `open` attribute is already present in the markup, the state change happens at parse time, so the handler runs on page load. The `<video><source onerror=...>` variant fires when the browser fails to load the source (there is no `src`, so it always fails). To use these, identify an injection point where user input is reflected in the HTML body without adequate encoding and test these alternative tags one at a time.
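To see why a tag blacklist is the wrong control, here is an added example (not code from the original article) in JavaScript: a naive blacklist of the three tags named above is run against the payloads from this section, beside the HTML entity encoding that makes the same input inert in an HTML body context. The `containsEventHandler` check and the payload list are this example's own constructs, not part of any real filter.

```javascript
// Added example, not from the original article. A tag blacklist of the kind
// described above, beside the output encoding that actually closes the hole.

// Naive defence: strip only the "usual suspect" tags.
const BLACKLISTED_TAGS = ['script', 'img', 'iframe'];
function blacklistTags(html) {
  let out = html;
  for (const tag of BLACKLISTED_TAGS) {
    // Removes "<script", "</script", "<IMG" and so on wherever they appear.
    out = out.replace(new RegExp(`</?${tag}\\b`, 'gi'), '');
  }
  return out;
}

// Correct defence for an HTML body (text) context: encode the characters
// that let the browser leave the text context, so no tag is ever parsed.
function htmlEncode(text) {
  return text.replace(/[&<>"'`]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  })[c]);
}

// Detection helper: is there still a tag carrying an "on..." attribute,
// regardless of which tag it is? (Heuristic, for this demonstration only.)
function containsEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads mirroring the ones in the section above, plus the
// blacklisted <img> for comparison.
const PAYLOADS = [
  '<svg onload=alert`XSS`>',
  '<details open ontoggle=alert(1)>',
  '<video><source onerror=prompt(1)>',
  '<img src=x onerror=alert(1)>',
];

// For one payload: does it survive the blacklist with a live handler, and
// is the encoded form free of anything the HTML parser would treat as a tag?
function evaluate(payload) {
  const filtered = blacklistTags(payload);
  const encoded = htmlEncode(payload);
  return {
    payload,
    filtered,
    survivesBlacklist: containsEventHandler(filtered),
    encoded,
    encodedIsInert: !encoded.includes('<') && !containsEventHandler(encoded),
  };
}

for (const r of PAYLOADS.map(evaluate)) console.log(JSON.stringify(r));
```

Run it with `node`: only the `<img>` payload is neutralised by the blacklist (and only because its tag name is on the list), while every payload is inert after `htmlEncode`. The lesson is that the control has to match the output context, not the attacker's vocabulary.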

2. JavaScript Event Handler Obfuscation

When specific event handlers like `onmouseover` or `onerror` are blocked, obfuscating the handler’s name can break the filter’s logic.

<img src=x onerror=alert(1)> <!-- Standard -->
<img src=x oneerror=alert(1)> <!-- Misspelled handler: passes a name blacklist but is never fired by the browser -->
<a href=javascript:alert`document.domain`>click</a> <!-- javascript: URL, executes on click -->

Step-by-Step Guide:

This method relies on the exact-name matching a blacklist performs and on the `javascript:` protocol in URL attributes. The first payload uses a common `img` tag with an unresolvable source to trigger the `onerror` event. The second payload shows the limit of "typo" bypasses: a misspelling such as `oneerror` is not on a name blacklist, but browsers only fire handlers they recognize, so the attribute is inert; a misspelled handler proves the filter is name-based, it does not execute. The third payload uses an anchor tag with the `javascript:` protocol, which executes when the link is clicked; the backtick call `alert`document.domain`` is a tagged-template invocation, which avoids the parentheses a filter may be matching on. Test this in contexts where you control an attribute that accepts a URL, such as an anchor's `href`.
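The following is an added example (not code from the original article) in JavaScript that contrasts the two filter shapes this section is really about: a handler-name blacklist, which the misspelled `oneerror` and the unlisted `ontoggle` both slip past, against a generic "any `on...=` attribute" check, and, for the `javascript:` payload, the scheme allowlist that a URL attribute needs. The `BLOCKED_HANDLERS` list and the `example.test` base URL are this example's own assumptions.

```javascript
// Added example, not from the original article.

// Name-based blacklist, as a naive filter would implement it: only the
// exact handler names it knows about are rejected.
const BLOCKED_HANDLERS = ['onerror', 'onmouseover', 'onload'];
function handlerBlacklistRejects(html) {
  const lower = html.toLowerCase();
  return BLOCKED_HANDLERS.some((h) => lower.includes(h + '='));
}

// Generic check: any attribute name starting with "on" inside a tag,
// whatever comes after it. Catches the misspelling as well as handlers
// the blacklist author never listed. (Heuristic, not a full HTML parser.)
function genericHandlerRejects(html) {
  return /<[^>]*[\s"'/]on[a-z]+\s*=/i.test(html);
}

// URL attribute validation: parse with the WHATWG URL parser, which is the
// algorithm browsers use, and allow only http/https. The parser strips
// tabs/newlines and leading whitespace itself, so "jAvA\tscript:" and
// " javascript:" both resolve to the javascript: scheme and are rejected.
function isSafeHref(href, base = 'https://example.test/') {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false; // unparsable input: reject rather than guess
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// Constructed inputs mirroring the section's payloads.
const SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '<img src=x oneerror=alert(1)>',
  '<details open ontoggle=alert(1)>',
  '<a href=javascript:alert`document.domain`>click</a>',
];
for (const s of SAMPLES) {
  console.log(s, '| blacklist:', handlerBlacklistRejects(s),
              '| generic:', genericHandlerRejects(s));
}
for (const h of ['javascript:alert`document.domain`', 'jAvA\tscript:alert(1)',
                 ' javascript:alert(1)', '/profile?id=1', 'data:text/html,x']) {
  console.log(JSON.stringify(h), '| safe href:', isSafeHref(h));
}
```

Note that neither handler check flags the anchor payload, because it contains no event handler at all; that is why a URL-valued attribute needs its own scheme check rather than another pattern. Allowing `http`/`https` still permits scheme-relative links like `//other.host/`, so an open-redirect policy is a separate decision from this one.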

3. Encoding and Case Variation Attacks

Altering the case of tags or encoding characters can disrupt naive parsing and filtering mechanisms. Case variation works because HTML tag and attribute names are case-insensitive: the browser parses `<ScRiPt>` exactly as `<script>`, while a filter matching the exact lowercase string never sees it. Encoding tricks only work when some layer decodes the input after the filter inspected it, for example a WAF that URL-decodes once in front of an application that decodes again; if nothing decodes the extra layer, the payload reaches the page as harmless literal text.

<ScRiPt>alert(1)</sCriPt>
<img src=x onerror="alert(1)"> <!-- Double URL Encoding: onerror -> %256f%256e%2565%2572%2572%256f%2572 -->
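As an added example (not code from the original article), the JavaScript below shows both failure modes from this section on a model WAF: a case-sensitive tag rule that misses `<ScRiPt>`, and a decode-once rule that passes the double-encoded `onerror` from the comment above when a backend decodes a second time. It then shows the canonicalisation a detector needs (decode to a fixed point, then compare case-insensitively). The two "WAF rule" functions and the `backendDecodesTwice` stand-in are this example's assumptions about a vulnerable deployment, not a real product's behaviour.

```javascript
// Added example, not from the original article.

// Naive WAF rule 1: exact, case-sensitive tag match.
function caseSensitiveBlocks(input) {
  return input.includes('<script>');
}

// Naive WAF rule 2: URL-decode once, then look for the handler name.
function singleDecodeBlocks(input) {
  return /onerror/i.test(decodeURIComponent(input));
}

// Stand-in for a backend that URL-decodes a second time before reflecting
// the value (the double-decoding situation the section assumes).
function backendDecodesTwice(input) {
  return decodeURIComponent(decodeURIComponent(input));
}

// Hardened detection: canonicalise first. Decode until the value stops
// changing (bounded, so crafted input cannot loop forever; a malformed
// %-sequence ends decoding), then lowercase so case variants collapse.
function canonicalize(input, maxRounds = 5) {
  let cur = input;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur.toLowerCase();
}
function hardenedBlocks(input) {
  const c = canonicalize(input);
  return /<\s*script\b/.test(c) || /<[^>]*\son[a-z]+\s*=/.test(c);
}

// Constructed payloads: the mixed-case tag from above and the <img> payload
// with "onerror" double URL-encoded as in the comment above.
const MIXED_CASE = '<ScRiPt>alert(1)</sCriPt>';
const DOUBLE_ENC = '<img src=x %256f%256e%2565%2572%2572%256f%2572=alert(1)>';

console.log('case-sensitive rule blocks mixed case:', caseSensitiveBlocks(MIXED_CASE)); // false
console.log('hardened blocks mixed case:', hardenedBlocks(MIXED_CASE));                 // true
console.log('decode-once rule blocks double-encoded:', singleDecodeBlocks(DOUBLE_ENC)); // false
console.log('what the backend reflects:', backendDecodesTwice(DOUBLE_ENC));
console.log('hardened blocks double-encoded:', hardenedBlocks(DOUBLE_ENC));             // true
```

Canonicalisation is the right shape for a detection layer, but it is not the fix: a legitimate value may contain `%2525` and be damaged by repeated decoding. The application itself should decode exactly once and encode for the output context, which leaves no second decoding step for an attacker to exploit.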

Step-by-Step Guide:

Mixed-case tags like `