While researching a way to evade a filter that detects and blocks an XSS attempt whenever the payload contains parentheses, I arrived at some interesting solutions to this problem, which will be shared in this post and its subsequent parts.
It’s worth noting that encoding the prohibited characters in any way would not evade the filter.
The “location.hash.substr(1)” returns everything after the hash sign, which itself sits at position 0 (the part “location.hash.substr(0)” would start with). The “location.hash” returns a string, which is then cut by the “substr” method; hence the 0 and 1 positions.
But we are still using parentheses, so let’s work on that. First, we bring the flagged strings back, but split them to avoid detection:
Result => javas + cript: + ale + rt + (1)
To avoid the quotes, we can use the “/string/.source” trick (the source property of a regex literal returns its pattern as a string) as follows:
Result => javas + cript: + ale + rt + (1)
Nice. But we are still using parentheses.
So we need another trick: with a small change, parentheses are avoided completely:
Result => javas + cript: + ale + rt + ( + 1 + )
Cool, so we could stop here, right? Not if “[” and “]” are not allowed either.
So I had to face another problem, and that made me research a whole new set of payloads, which will be explored in the next posts of the “Location Based Payloads” series.
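As an added example that is not part of the original post, the script below contrasts the kind of per-string character denylist being evaded here (each fragment passes on its own even though the assembled string would be blocked) with allowlist handling of the URL fragment on the defending side; the prohibited character set, the identifier pattern and the function names are assumptions made for illustration.

```javascript
// Added example (not from the original post): the defender's view of what the post
// shows. A character denylist inspects each string in isolation, so fragments such
// as "javas" and "cript:" each pass even though the string they assemble would be
// blocked. The robust fix is to treat the URL fragment as data: validate it against
// an allowlist and never feed it into a code or URL sink.

// The kind of check the post is evading: reject if a prohibited character is present.
// (The character set is assumed for illustration.)
const PROHIBITED = ['(', ')', '[', ']', '"', "'"];

function denylistPasses(s) {
  return !PROHIBITED.some((ch) => s.includes(ch));
}

// Allowlist handling of the fragment: takes the raw location.hash value (e.g. "#intro")
// and returns the anchor name only if it is a plain identifier; otherwise null.
function safeFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return /^[A-Za-z0-9_-]{1,64}$/.test(raw) ? raw : null;
}

// Escapes a string for insertion as HTML text, for values that must be displayed
// (such as a "not found" message that echoes the rejected fragment).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Builds the markup for a "jump to section" feature: a link only for a valid anchor
// name, otherwise an escaped message. The fragment never reaches href, location or
// eval as code, so the character denylist is not needed at all.
function renderJump(hash) {
  const name = safeFragment(hash);
  if (name === null) {
    return '<p>Unknown section: ' + escapeHtml(hash) + '</p>';
  }
  return '<a href="#' + name + '">' + name + '</a>';
}
```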
P.S.: Part II of this series is here.