XSS filter evasion through invalid escapes

Most of the time, XSS filters look for specific keywords to detect invocation of dangerous functions or variables. A very common bypass technique is to break these specific character sequences like this:

window['ale'+'rt'](1)
window['alexrt'.replace(/x/,'')](1)

Several years ago I found a nice feature in javascript that allows the attacker to break character sequences in a very easy, quick, straight-forward way. It consists of escaping characters that do not have an escape sequence assigned. For instance, this are valid escapes in javascript:

\' Simple quote
\" Double doble
\ Backslash
\n New line
\r Carriage return
\v Vertical tab
\t Tab
\b Backspace
\f Page forward

Those characters will be escaped to their corresponding values if you add a backslash before them.

If you use a backslash before any other character javascript will simply ignore the backslashes, so the string will be broken while still preserving its meaning:

window['\a\l\ert'](1)
window['\pr\o\m\pt'](1)

I hope this will help to do your hacking simpler and faster.

8 thoughts on “XSS filter evasion through invalid escapes”
  1. Pingback: Bypasses for the most popular WAFs - Project NZT-48
  2. free printable monthly to do list January says:
    2023-09-18 at 01:51

    Incredible points. Sound arguments. Keep up the good effort.

    my website ... free printable monthly to do list January

    Reply
  3. czerwiec 2024 says:
    2023-09-29 at 17:55

    Hey There. I found your blog using msn. This is a really well written article.
    I'll make sure to bookmark it and come back to read more of your useful information. Thanks for the post.
    I will certainly comeback.

    my blog :: czerwiec 2024

    Reply
  4. https://wwd.com/business-news/business-features/how-to-get-more-instagram-followers-1235787837 says:
    2023-10-23 at 14:52

    Heya! I just wanted to ask if you ever have any trouble with hackers?
    My last blog (wordpress) was hacked and I ended up losing a few months of hard
    work due to no backup. Do you have any methods to stop hackers?

    Reply
  5. Kalendarz styczeń 2024 says:
    2023-11-18 at 17:35

    Very good article! We will be linking to this particularly great content on our website.
    Keep up the good writing.

    My web blog :: Kalendarz styczeń 2024

    Reply
  6. gold ira says:
    2023-11-28 at 03:52

    Usually I don't learn article on blogs, however I wish to say that
    this write-up very compelled me to check out and do so!
    Your writing taste has been surprised me. Thank you,
    very nice post.

    Reply
  7. gold ira companies says:
    2023-12-18 at 20:33

    What i don't realize is if truth be told how you're not really a lot more neatly-preferred than you may be right now.
    You are very intelligent. You realize therefore significantly with regards to this
    topic, made me personally imagine it from so many varied angles.
    Its like men and women are not interested except it is one thing to do with Woman gaga!
    Your own stuffs excellent. All the time deal with it up!

    Reply
  8. how to check tiktok fake followers says:
    2024-03-02 at 05:11

    Hi there, just became aware of your blog through Google,
    and found that it's truly informative. I am going to watch
    out for brussels. I'll be grateful if you continue this in future.
    A lot of people will be benefited from your writing. Cheers!

    Reply
Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: Hacking,Web Application Security,XSS - @ 2023-07-28 18:11

Tags: , , , , ,