
I found that the characters < and > are filtered (shown as &lt; and &gt;) when I pen test a website.

Are there any methods to bypass < and >?

Re Captcha
Flying
  • Yes, there are methods. But they depend on where the input is, what filtering is in place, etc. I suggest that you browse xss questions here, such as https://security.stackexchange.com/questions/35061/is-stripping-out-and-characters-an-effective-way-of-preventing-xss, https://security.stackexchange.com/questions/34088/is-there-a-way-to-bypass-djangos-xss-escaping-with-unicode, https://security.stackexchange.com/questions/23519/drupal-filters-xss-with-regexes-what-could-bypass-it, etc. Then, if you still need to, ask a specific question. – Gilles 'SO- stop being evil' Sep 01 '14 at 07:47
  • possible duplicate: https://security.stackexchange.com/questions/183755/bypassing-xss-filter – rubo77 Jun 03 '20 at 20:55

1 Answer


&lt; and &gt; are the correct ways to display the characters < and > in an HTML context.

(There are places where just escaping <>&" isn't enough—for example unquoted attribute values, or JavaScript nested inside HTML. Do you have that?)

You would usually use the term “bypass” when you know/suspect there is a vulnerability, but something else is getting in the way of exploiting it. For example, when an application fails to escape < properly to &lt; but has a lame input filter that stops you typing <script; there are various possible ways to work around that kind of measure depending on how the code is structured.

But from what you have said there is no evidence that there is any vulnerability present at all. Displaying < from user input as &lt; is exactly what you would expect from a properly-written HTML-generating application.

bobince
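The answer's remark that escaping <>&" is not enough in unquoted attribute values or in JavaScript nested inside HTML, shown from the output-encoding side as an added example (not part of the original answer). The function names and the sample input are hypothetical and constructed for illustration; the rendered markup is parsed back with Python's standard `html.parser` to check what a parser actually sees.

```python
import html
import json
from html.parser import HTMLParser


class _FirstTag(HTMLParser):
    """Records the attributes of the first start tag in the markup."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Attributes an HTML parser sees on the first tag of `markup`."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def render_unquoted(value):
    # Weak: entities are escaped, but the attribute value is not quoted,
    # so whitespace in the value ends it and starts a new attribute.
    return "<input value=" + html.escape(value) + ">"


def render_quoted(value):
    # Corrected: same escaping (quote=True covers " and '), value in quotes.
    return '<input value="' + html.escape(value, quote=True) + '">'


def js_string(value):
    # For data placed inside a <script> block: entities are not decoded
    # there, so emit a JSON string and \u-escape the HTML-significant chars.
    out = json.dumps(value)
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


if __name__ == "__main__":
    sample = "a b=c"  # constructed input: contains no <, >, & or quotes
    print(parsed_attrs(render_unquoted(sample)))
    print(parsed_attrs(render_quoted(sample)))
    print(js_string("1 < 2 & 3 > 2"))
```

A check like `parsed_attrs` can be used in template unit tests to assert that user-controlled values never change the set of attributes on the rendered element.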