How Hackers Can Easily Bypass XSS Filters In Web Applications

by 1337pwn Staff

The two principal techniques of evading Cross-site Scripting (XSS) vulnerabilities are XSS filtering and XSS escaping. Nevertheless, XSS filtering is inadvisable since it may normally be evaded utilizing ingenious tactics.

In this tutorial, we will illustrate some of the techniques that hackers may utilize in their malicious code to easily bypass the XSS filters in web applications.

How XSS Filtering Works

XSS filters operate by locating ordinary patterns that can be deployed as Cross-site Scripting attack vectors and getting rid of such code fragments from user input data.

Patterns are most frequently discovered utilizing regular expressions. This is extremely difficult because patterns that can denote a Cross-site Scripting payload can also be deployed legitimately, as a web page’s content. Hence, the filter ought to able to evade false positives.

Furthermore, contemporary web browsers like Firefox, Google Chrome, and Internet Explorer are extremely fault-tolerant in terms of malformed HTML code.

Moreover, JavaScript is extremely flexible and identical practicality can frequently be articulated in various ways. The hacker can take advantage of these circumstances by deliberately constructing code that evades common XSS search patterns.

Theoretically, it is feasible to construct a practically infallible XSS filter. Nonetheless, the filter’s intricacy may be immense, and the likelihood exists whereby a hacker could invent a new bypass method. Thus, escaping is considered the more straightforward advocated technique of preventing Cross-site Scripting attacks.

XSS Filter Bypass Techniques

Deploying Character Encoding

The subsequent Cross-site scripting vector deployed to overcome filters is predicated on encoding characters that can initiate a filter.

There are various encoding methods that hackers use, such as HTML entities and Base64. The encoding hinges on what precisely requires to be encoded. For instance, href tag URLs support URL encoding though tag names do not.

For instance, to trick filters that search for common ASCII patterns, the hacker could replace


Bear in mind that the actor could skip any or all semicolons.

Provided that the filter understands how to acknowledge encoding attempts, the actor could attempt to deceive it by deploying decimal encoding with padding and by skipping semicolons.

For instance, the following serves as the equivalent to alert:

Deceiving Regular Expressions

Occasionally, bypassing a filter demands no more than discovering a technique to deceive the regex.

For instance, the adversary could utilize fake tags with brackets, such as the subsequent:

In the event that the regexp is not written properly, it will presume that the script tag ends with the initial closing bracket.

Moreover, pay attention to how the file is called to imitate a JPG image and trick filters that search for particular file extensions.

Employing Atypical Event Handlers

Even though numerous XSS filters test for possible JavaScript in ordinary event handlers like onerror, onfocus, onclick, onmouseover, or onclick, there are various additional event handlers that the actor could attempt to employ. For instance, marquee-relevant event handlers like onfinish and onstart.

The most extensive list of handlers can be found online.

Utilizing Atypical Delimiters

There are various characters that can be deployed as delimiters in lieu of whitespaces. Contemporary web browsers will still execute the code correctly.

For instance, the adversary could deploy single quotes, double quotes, and backticks (Solely for a number of web browsers).

An example is:

Additionally, the hacker could attempt to employ extra angle brackets and slashes (Comments) to deceive filters.

For instance:

Contemporary web browsers are frequently very tolerant that they can even execute the subsequent code correctly:

Furthermore, keep in mind that the initial whitespace after the tag name can be replaced by even more delimiters. For instance, an actor could replace it with a single slash:

Case Manipulation & Character Insertion

In the event that the filter is case-sensitive, it can be tricked if the adversary deploys a different case than the one that is anticipated.

For instance, the hacker could deploy <sCrIpT>, <SCRIPT>, or <Script>.

Moreover, contemporary web browsers typically ignore newlines, extra spaces, tabs, and carriage returns that the actor inserts in the HTML tag.

For instance, a hacker could employ <script[\x09]>, <script[\x10]>, <script[\x13]>, or <script   >.

In addition, the hacker could try to insert a null byte wherever. For instance: <[\x00]script>.

Tags & Attributes

A number of filters concentrate solely on the common tags. Hence, the adversary may deploy uncommon tags to bypass them like <svg>.

Nevertheless, filters frequently forget to include apparent tags like <body onload=alert(document.cookie)>.

Intentional Blunders

Even though intentional blunders may assist hackers in bypassing numerous filters, web browsers will still comprehend the context.

This is particularly the case when the hacker utilizes quotes in the wrong spot, out of sequence, or simply forget to include relevant quotes.

Thus, an example is:

Therefore, the unclosed quote following value can deceive the filter though the code will still be executed since the majority of web browsers will consider the quote as closed and fix the code internally.

Additional intentional blunders employed to trick filters can involve including junk content following the tag name.

Several contemporary web browsers will totally disregard the included content. Consequently, the adversary could utilize <script/anything> in lieu of <script>.


As we can see, hackers can easily bypass Cross-site scripting filters in web applications. Filter evasion continues to develop and it shouldn’t come as a surprise that new techniques can emerge in the future when they are uncovered.

Numerous techniques may be deployed together to render evasion more efficient. For instance, an actor could employ meta tags like refresh together with Base64 encoding: