Unveiling the Secrets of XSS Bypass: Harnessing JavaScript Symbols for Code Execution


I have been looking at Intigriti, yeswehack, HackerOne and Bugcrowd bounty platforms recently. It is really uncomfortable to bypass WAF. I will record the bypass scenario.

Preliminary testing

When I first tried XSS, I found that the user's input is displayed in the title. Generally speaking, it is to see if it can be closed. As the picture below shows, it is converted into an entity after entering angle brackets.

Bypass Html Entity Encoding

HTML entity encoding, which is the escape character in HTML.

In HTML, some characters are reserved. For example, the less than sign < and the greater than sign > cannot be used in HTML because the browser will mistake them for tags. If we want to display reserved characters correctly, we must use character entities in the HTML source code. A common character entity in HTML is a nonbreaking space. (Note: Entity names are case-sensitive!) Character entities are similar to this: &entity_name; or &#entity_number; If you need to display the less than sign, we must write like this: < or < Common entity encoding.

More entities can be found on the following website:

The Basic Latin alphabet, 128 symbols (◕‿◕) SYMBL

Continuing to try, we found that the title tag would close when we entered the html decimal entity number and escaped it.


I originally thought of <img/src=1 onerror=alert(1) /> and directly killed it, but ended up with a waf.

The next step is to fuzz the event as usual, and the results are all 403. At this time, there is no other way, so the image tag cannot be used.

Changing other tags, fuzz found that there are quite a few available.

Then use the tag to bypass

Commonly used payloads can be modified based on the following payloads

<a href="javascript:alert(1)"/>
It was going smoothly at first, but I posted it later and it was filtered. I really vomited. Just look at the picture.

Bypassing javascript, it’s here. Some people may think it’s over, but in fact it’s not that simple.

In fact, I didn’t spend much time in the front, mainly around the alert time. The various methods I tried here include html entity bypass, but basically, none of them worked.

Then I was stuck here for a long time. I also thought about using prompt and other functions instead of alert, but it just didn't work. Later I found that brackets and backticks cannot be followed.

At this time, I was thinking, is there any function that cannot use parentheses to pop up windows? I'm totally confused. I searched a lot and couldn't find any of them. They all require brackets. I can't get past the ones that don't require brackets and backticks after the alert.

Finally saw this on some Twitter user on random waf bypass tips finally completing the bypass

The Link:- https://aem1k.com/aurebesh.js/#%60alert%281%29%60

Local test payload

<a/href="javascript;{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a +e+s](e+s+v+h+n)(/infected/.source)" />click

<a href=ja
vascript:k='',a=!k+k,f=!a+k,g=k+{},kk=a[k++],ka=a[kf=k],kg =++kf+k,ak=g[kf+kg],a[ak+=g[k]+(a.f+g)[k]+f[kg]+kk+ka+a[kf]+ ak+kk+g[k]+ka][ak](f[k]+f[kf]+a[kg]+ka+kk+"(k)")()> 1111";//</title >