XSS via Typography – Bypass for Space and Slash Filters

Hallo Jagers! We are back with a new way to defeat XSS filters. We have already seen popping an alert without HTML, using AngularJS payloads. Let's look at a scenario-based bypass that turns out to be a new approach in the XSS filter bypassing methodology.

Typography:

It is similar to homography, where a look-alike string such as Surеsh is used instead of Suresh to spoof the visible text and lure victims. Here we are not spoofing anything: we simply make use of characters that are written in a special manner to represent their behaviour, i.e. characters whose job in a document is layout rather than content.

For example, let's understand why the characters below are used in important documents.

  • U+2022 • bullet (HTML &#8226; · &bull;), used to mark the items of a list or simply to point out the possible cases in a document.
  • U+2020 † dagger (HTML &#8224; · &dagger;), which we generally see in mathematics or physics to denote the Hermitian adjoint of an operator; for example, A† denotes the adjoint of A.
  • The currency sign (¤), a character used to denote an unspecified currency.
  • The humble Tab key, also used to keep a document laid out in a specified manner.
  • Page breaks, which we use to maintain document alignment.

I hope you now have an idea of why and where these special Unicode/ASCII symbols are used.

XSS Filters:

I'm not talking about every filter bypass here. But there is a situation where you come across a reflection context in which the developer is blocking spaces and slashes in the payload.

<span>nice</span>

In the above context we would normally throw a payload like <script>confirm(1)</script>

Now, what if the developer blocks script in every case variant (ScrIpt, script, SCRIPT) and also the nested trick scr<script>ipt, where stripping "script" once would leave "script" behind? Can we still pop an alert? Absolutely yes. We can simply use other HTML tags, such as an img or iframe with a src and an event handler attribute.

What if the developer (a lazy one) then blocks spaces and slashes as well? Is there any other way to pop the alert? Why not: the HTML tokenizer accepts other control characters as whitespace between a tag name and its attributes, so URL-encoded bad characters such as %09 (tab), %0a (line feed), %0c (form feed) and %0d (carriage return) work in place of the space, and %00 (NUL) does in some older browsers. You can think of other payloads built on the same idea.

Finally he makes a patch (and thinks he has fixed it) by blocklisting the % character. Now tell me, how can we bypass that?

Yes We Can Bypass it

I hope you now understand the scenario we are in. In this case we can make use of typography to bypass the restriction: instead of sending the whitespace character URL-encoded, we paste the raw character itself into the payload, which contains no % sign for the filter to catch.

Bypass with Page/Section Break

To do that, open a Word document and click Page Layout > Breaks > Section Break.

To see it, enable the Show/Hide marks button.

After enabling it you can see the break symbol. Simply copy it and paste it into Notepad++ (where we can see it again, with View > Show Symbol > Show All Characters enabled).

In Notepad++ you can see an orange dot after svg, which provides the whitespace for us, e.g. <svg[break]onload=alert(1)>. It is worth checking the byte value of the pasted character (a hex view in the editor is enough): the HTML tokenizer only accepts tab (0x09), line feed (0x0A), form feed (0x0C), carriage return (0x0D) and space (0x20) as whitespace in this position, so the paste only works because a Word page break exported as plain text typically becomes a form feed. A look-alike such as a non-breaking space (U+00A0) would not work, because the tokenizer would treat it as part of the tag name.

After loading this payload in our favourite browsers we can see the alert popped.

After the browser has processed this HTML we can also see that the page/section break is rendered as a space (Chrome).

In Firefox and Edge the break is shown as a different unprintable character, but the popup still appears.

Bypass with Tab

In the same way we can copy a raw tab character into Notepad++ and use it to bypass the filtering mechanism: a literal tab is the %09 from the earlier list, just sent without the blocked % sign. It looks like several spaces when rendered, but it is a single character (U+0009), and the tokenizer treats it exactly like one space.

In the browser's rendering we can see a wider gap after the svg tag.
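As an added example (not code from the original post), the following JavaScript models both the blocklist filter described in the XSS Filters section and a minimal version of the browser's start-tag tokenization, so the form feed and tab bypasses above can be checked with plain Node.js instead of a browser. The function names, the filter regexes and the payloads are assumptions for illustration; the whitespace set is the WHATWG ASCII whitespace set that real tokenizers use. It also shows the fix that actually holds, encoding the output for the <span> text context, beside a widened blocklist for comparison.

```javascript
// Added example, not from the original post. Models the filter from the
// "XSS Filters" section and a minimal HTML start-tag tokenizer, so the
// typography bypass can be checked with plain Node.js. All names are
// hypothetical; the whitespace set is the real one from the WHATWG spec.

// WHATWG "ASCII whitespace": the only characters the HTML tokenizer accepts
// between a tag name and its attributes. U+00A0 (nbsp) etc. are NOT in it.
const HTML_WHITESPACE = new Set(["\t", "\n", "\f", "\r", " "]);

// The blocklist filter the post describes: rejects space, slash, percent
// and any spelling of "script". Returns true when the input is let through.
function naiveFilter(input) {
  if (/[ \/%]/.test(input)) return false;
  if (/script/i.test(input)) return false;
  return true;
}

// Minimal model of how a browser splits a start tag into a tag name and
// attribute names (lower-cased, as the tokenizer does). Returns null when
// the markup does not begin with a start tag.
function parseStartTag(markup) {
  if (markup[0] !== "<") return null;
  const stop = (c) => HTML_WHITESPACE.has(c) || c === ">" || c === "/";
  let i = 1;
  let name = "";
  while (i < markup.length && !stop(markup[i])) name += markup[i++].toLowerCase();
  const attrs = [];
  while (i < markup.length && markup[i] !== ">") {
    // "before attribute name" state: whitespace and stray slashes are skipped
    while (i < markup.length && (HTML_WHITESPACE.has(markup[i]) || markup[i] === "/")) i++;
    if (i >= markup.length || markup[i] === ">") break;
    let attr = "";
    while (i < markup.length && !stop(markup[i]) && markup[i] !== "=") attr += markup[i++].toLowerCase();
    attrs.push(attr);
    if (markup[i] === "=") { // skip the attribute value, quoted or unquoted
      i++;
      const q = markup[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < markup.length && markup[i] !== q) i++;
        i++;
      } else {
        while (i < markup.length && !HTML_WHITESPACE.has(markup[i]) && markup[i] !== ">") i++;
      }
    }
  }
  return { name, attrs };
}

// Does the markup start with a tag carrying an on* event handler attribute?
function hasEventHandler(markup) {
  const tag = parseStartTag(markup);
  return tag !== null && tag.attrs.some((a) => a.startsWith("on"));
}

// Constructed payloads: a raw form feed (what a Word page break becomes in
// plain text) and a raw tab stand in for the blocked space / %0c / %09.
const PAYLOAD_FF = "<svg\fonload=alert(1)>";
const PAYLOAD_TAB = "<svg\tonload=alert(1)>";
const PAYLOAD_NBSP = "<svg\u00a0onload=alert(1)>"; // looks like a space, is not whitespace to the tokenizer

// The fix that holds for the <span>...</span> text context: encode on output.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSpan(userInput) {
  return `<span>${escapeHtml(userInput)}</span>`;
}

// If a blocklist is kept at all, it has to cover the whole control range,
// not just U+0020 and the URL-encoded form.
function widerFilter(input) {
  return !/[\x00-\x20\/%]/.test(input) && !/script/i.test(input);
}

for (const p of [PAYLOAD_FF, PAYLOAD_TAB, PAYLOAD_NBSP]) {
  console.log(JSON.stringify(p), "naiveFilter:", naiveFilter(p),
    "handler:", hasEventHandler(p), "widerFilter:", widerFilter(p));
}
console.log(renderSpan(PAYLOAD_FF)); // inert: the < and > are entity-encoded
```

The naive filter lets the form feed and tab payloads through while the tokenizer model still finds an onload attribute on an svg tag; the non-breaking space payload passes both filters but is harmless, because the tokenizer swallows it into the tag name. Output encoding makes the whole question of which characters count as whitespace irrelevant, which is why it is the fix to push for in the report.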


You can explore other characters in the same manner. Let me know in the comments if you know other vectors that bypass this scenario; I'd love to learn more.

Learn : Hack : Have Fun 🙂

MrR3boot

An active bug hunter and exploit researcher. Has reported several bugs to top tech giants such as Microsoft, Google, Intel and the US Department of Defense. PHP lover. Blogger. Other than hacking he loves travelling and exploring the world. Git-Ref: https://github.com/MrR3boot/


One Comment

  1. I love the way MrR3boot is doing hunting; I learned a lot from this blog. Thanks, and waiting for more and more POCs.
