XSS Auditor bypass
Published: Tue, 10 Feb 2015 19:56:00 GMT
Updated: Sun, 23 Mar 2025 14:56:56 GMT
XSS Auditor is getting pretty good at least in the tests I was doing however after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, I thought I could use this to my advantage. I came up with the idea of using an existing script block to smuggle my vector and reusing the closing script on the page. The page contains a script block like this:
<script>x = "MY INJECTION"</script>
As every XSS hacker knows you can use a "</script>" block to escape out of the script block and inject a HTML XSS vector. So I broke out of the script block and used the trailing quote to form my vector. Like so:
</script><script>alert(1)+"
You could of course use a standard ",alert(1)," but what if quotes are filtered? I then came up with the idea of using SVG and an HTML escaped quote. This bypasses the filter and is a HTML XSS vector that doesn't have a DOM vulnerability so it's within scope of the filter and is very common in my experience. Here is the final vector:
<script> x = "</script><svg><script>alert(1)+""; </script>