2

How do I bypass a regex filter that filters all html to avoid xss? I've tried using things like <img src="aa" onerror="alert(1)"> but still no luck. This is for a CTF challenge btw.

The regex is: <[\s\S]*> and the validator is running on a TypeScript server

2 Answers

2

This filter doesn't reject unclosed tags, so you could inject:

<img src="x" onerror="alert(1)"

The tag will be closed as soon as the parser encounters a ">", which is obviously quite common in HTML contexts.
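As an added TypeScript example (not code from the question or either answer, and the server in the question is only described as running TypeScript), the block below reproduces the regex from the question, shows that it does not match the unclosed-tag input described in this answer, and contrasts it with the usual fix: contextual output encoding instead of a blocklist regex. All function names and sample inputs are my own, constructed for illustration.

```typescript
// The regex exactly as quoted in the question. It only matches when a
// closing ">" is present somewhere after a "<", so an unclosed tag is never
// matched and passes the filter.
const tagFilter = /<[\s\S]*>/;

// Returns true when the question's filter would reject the input.
function rejectedByFilter(input: string): boolean {
  return tagFilter.test(input);
}

// Defensive alternative: encode every character that can start or end
// markup in an HTML text or quoted-attribute context. The browser then
// renders the text literally instead of parsing it as a tag.
const entityMap: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => entityMap[ch]);
}

// True when the string still contains a raw "<", i.e. something the HTML
// parser could treat as the start of a tag.
function containsRawTagStart(s: string): boolean {
  return s.includes("<");
}

// Constructed sample inputs (assumptions, not from the original page):
// a closed tag the filter catches and an unclosed tag it misses.
const closedTag = '<b>hello</b>';
const unclosedTag = '<img src="x" onerror="alert(1)"';

// Summarises how each input fares under the regex filter versus encoding.
function compareDefenses(input: string): {
  blockedByRegex: boolean;
  rawTagAfterEncoding: boolean;
} {
  return {
    blockedByRegex: rejectedByFilter(input),
    rawTagAfterEncoding: containsRawTagStart(escapeHtml(input)),
  };
}

// Stand-alone run: prints the comparison table for both samples.
console.table({
  closedTag: compareDefenses(closedTag),
  unclosedTag: compareDefenses(unclosedTag),
});
```

The point for a defender is that `blockedByRegex` flips to false for the unclosed tag while `rawTagAfterEncoding` is false for both inputs: encoding makes the outcome independent of how the attacker shapes the markup, whereas a blocklist regex has to anticipate every shape.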

0

https://owasp.org/www-community/xss-filter-evasion-cheatsheet has a section on alternative characters to <. Here is a summary:

  • %3C
  • &#60, &#060, &#0060, &#00060, &#000060, &#0000060

(and try with a ; on the end)

Also, variations on the same zero padding theme above but with hex:

  • &#x3c, &#X3c, &#x3C, &#X3C

And:

  • \x3c, \x3C, \u003c, \u003C
1
  • I've tried bypasses like this, but it still detects them. Commented Jun 11, 2021 at 15:16
