We covered a practical example demonstrating an encoded cross-site scripting (XSS) vulnerability, using character encoding and Burp Suite to solve Challenge 004 in the free OWASP Hackademic lab.

The Challenge: Bypassing Encoded Alerts

The website in this particular challenge had implemented a security measure against XSS attacks. The key protection was that any string I typed inside an alert() call within a script would get encoded, preventing the expected pop-up from appearing.

Initial Test and The Bypass Technique

My initial attempt with a simple XSS script like <script>alert('XSS')</script> confirmed the protection. The server’s response clearly showed that the content within the parentheses of the alert box was being encoded (for example, using UTF-8).

To circumvent this, the video introduced a useful JavaScript function: String.fromCharCode(). It takes numeric character codes as arguments and returns the string made up of the corresponding characters.

Encoding the Payload and How it Works

The bypass technique involved two main steps:

  1. Converting the String to Numbers: I first converted the desired string (e.g., “XSS!”) into its numerical character codes. For instance, “XSS!” would become a sequence of numbers like 88, 83, 83, 33.
  2. Crafting the Script: These numbers were then used as arguments to String.fromCharCode() inside my alert script. The final script looked like this:

     <script>alert(String.fromCharCode(88, 83, 83, 33))</script>

The reason this works is that the website’s protection mechanism might not recognize or encode the numeric arguments passed to String.fromCharCode(), since it is looking for a string inside the alert() call. When the browser executes the script, String.fromCharCode() converts the numbers back into the original “XSS!” string, which then successfully triggers the alert box as intended.

Demonstration and Broader Application

The video clearly showed me inputting the crafted script with String.fromCharCode() and the numerical codes. After submitting it, the alert box successfully popped up, displaying “XSS.”

This technique isn’t limited to just “XSS.” I learned that it can be used for any string. For example, if I wanted to display the word “vulnerable,” I would simply convert “vulnerable” into its character codes and use those with String.fromCharCode(). This method is a powerful way to bypass certain types of XSS filters that rely on encoding specific string patterns.
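The following is an added example, not code from the original post or from the Hackademic lab, that models the two-step bypass described above (string to character codes, then String.fromCharCode()) and the generalisation to any string, and contrasts a filter that only encodes the quoted literal inside alert() with contextual HTML encoding of the whole untrusted input. The exact filter used by the lab is not shown on the page, so weakFilter() is an assumption about its behaviour; the payload strings are constructed for the demonstration.

```javascript
// Added example (not from the original post or the Hackademic lab).
// Assumption: the lab's filter encodes only the quoted literal inside alert().

// Step 1 of the walkthrough: a string becomes the numeric character codes
// that String.fromCharCode() accepts. Works for any string, e.g. "vulnerable".
function toCharCodes(str) {
  return Array.from(str, (ch) => ch.charCodeAt(0));
}

// Step 2: rebuild the string from its codes (what the browser does at runtime).
function fromCharCodes(codes) {
  return String.fromCharCode(...codes);
}

// Encodes every character as a numeric HTML entity (&#NN;). Inside a JavaScript
// string literal the JS engine does NOT decode entities, so alert() would show
// the entity text instead of the intended string.
function encodeAllChars(s) {
  return Array.from(s, (ch) => `&#${ch.charCodeAt(0)};`).join("");
}

// Hypothetical weak filter modelling the challenge's protection: it rewrites
// only quoted string literals passed to alert(...) and leaves bare numeric
// arguments (and therefore String.fromCharCode(88, 83, ...)) untouched.
function weakFilter(input) {
  return input.replace(/alert\(\s*(['"])(.*?)\1\s*\)/g, (m, quote, inner) =>
    `alert(${quote}${encodeAllChars(inner)}${quote})`);
}

// Correct mitigation: HTML-encode every untrusted character for the HTML
// context before it reaches the page, so no <script> element can be created
// regardless of what the script body contains.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Defender-side check: does the output still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Constructed inputs mirroring the two scripts from the walkthrough.
const quotedPayload = "<script>alert('XSS')</script>";
const fromCharCodePayload =
  `<script>alert(String.fromCharCode(${toCharCodes("XSS!").join(", ")}))</script>`;

// Summarises how each defence handles each input.
function compareDefences() {
  return {
    weakOnQuoted: containsScriptTag(weakFilter(quotedPayload)),             // true, but alert text is mangled
    weakOnFromCharCode: containsScriptTag(weakFilter(fromCharCodePayload)), // true, and alert text is intact
    properOnQuoted: containsScriptTag(htmlEncode(quotedPayload)),           // false
    properOnFromCharCode: containsScriptTag(htmlEncode(fromCharCodePayload)), // false
  };
}
```

The point for defenders is that a filter keyed on one syntactic shape (a quoted literal inside alert()) is not output encoding; encoding the whole untrusted value for the context it lands in neutralises both forms, and a Content Security Policy that disallows inline scripts adds a second layer.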

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.