For those new to Cross-Site Scripting (XSS) attacks, it is essential to first understand the fundamental concepts before exploring filter bypass techniques.
Many web applications block the alert() function to mitigate XSS attacks. Below are alternative functions that can be used:
- confirm() instead of alert()
- prompt() instead of alert()
- console.log() instead of alert()
- eval() instead of alert()
If the onerror event handler is blocked, the following alternatives can be used to trigger JavaScript execution:
- onload
- onfocus
- onmouseover
- onblur
- onclick
- onscroll
These event handlers can be embedded within HTML elements to execute scripts when the event is triggered.
If parentheses () are filtered, backticks (`) can be used as an alternative. Examples:
<script>alert`1`</script>
<img src=x onerror=alert`1`>
<img src=x onerror=prompt`1`>
javascript:prompt`1`
javascript:alert`1`
This method is effective against weak input sanitization mechanisms that only block standard function calls enclosed in parentheses.
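As a defensive counterpart to the paragraph above, this added example (not part of the original page) runs the page's own example strings through a parenthesis blocklist and then through output encoding plus a URL scheme allowlist. The function names and the base URL `https://app.invalid/` are hypothetical.

```javascript
// Added example (constructed); function names and the base URL are hypothetical.

// The weak sanitizer described above: it only rejects parenthesised calls.
function naiveBlocklist(input) {
  return !/[()]/.test(input); // true means the filter lets the input through
}

// Output encoding for HTML text and quoted attribute values.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => ENTITIES[ch]);
}

// URL attributes (href, src) also need a scheme allowlist, because encoding
// leaves "javascript:" untouched. The WHATWG parser resolves the scheme the
// way a browser does, including stripping tabs and newlines.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeUrl(input, base = 'https://app.invalid/') {
  try {
    const parsed = new URL(String(input), base);
    return ALLOWED_SCHEMES.has(parsed.protocol) ? escapeHtml(input) : '#';
  } catch {
    return '#'; // unparseable input is rejected, not guessed at
  }
}

// Inputs taken from the examples on this page.
const pageMarkup = [
  '<script>alert`1`</script>',
  '<img src=x onerror=alert`1`>',
  '<img src=x onerror=prompt`1`>',
];
const pageUrls = ['javascript:prompt`1`', 'javascript:alert`1`'];

function audit() {
  return {
    // how many page examples the blocklist accepts unchanged
    blocklistPassed: pageMarkup.concat(pageUrls).filter(naiveBlocklist).length,
    // how many still contain markup characters after encoding
    markupLeftAfterEncoding: pageMarkup.map(escapeHtml).filter((s) => /[<>`]/.test(s)).length,
    // how many javascript: URLs the allowlist replaces with "#"
    urlsRejected: pageUrls.filter((u) => safeUrl(u) === '#').length,
  };
}

console.log(audit());
```
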
For further learning and reference, the following resources provide comprehensive details on XSS filter evasion techniques:
- PortSwigger XSS Cheat Sheet - Visit PortSwigger
- OWASP XSS Filter Evasion Cheat Sheet - Visit OWASP
Enhanced and reformatted for HowToHunt repository by remonsec