For those new to Cross-Site Scripting (XSS) attacks, it is essential to first understand the fundamental concepts before exploring filter bypass techniques.
alert()Many web applications block the alert() function to mitigate XSS attacks. Below are alternative functions that can be used:
confirm() instead of alert()
prompt() instead of alert()
console.log() instead of alert()
eval() instead of alert()
onerror Event HandlerIf the onerror event handler is blocked, the following alternatives can be used to trigger JavaScript execution:
onload
onfocus
onmouseover
onblur
onclick
onscroll
These event handlers can be embedded within HTML elements to execute scripts when the event is triggered.
If parentheses () are filtered, backticks ` ` can be used as an alternative. Examples:
This method is effective against weak input sanitization mechanisms that only block standard function calls enclosed in parentheses.
For further learning and reference, the following resources provide comprehensive details on XSS filter evasion techniques:
PortSwigger XSS Cheat Sheet - Visit PortSwigger
OWASP XSS Filter Evasion Cheat Sheet - Visit OWASP
For discussions and insights, you can connect with:
Enhanced and reformatted for HowToHunt repository by remonsec
Last updated
Was this helpful?
Was this helpful?
<script>alert`1`</script>
<img src=x onerror=alert`1`>
<img src=x onerror=prompt`1`>
javascript:prompt`1`
javascript:alert`1`