Code Igniter XSS Filter Multiple Bypasses
Recently we released our "XSS Filter Evasion Cheat Sheet", and I was quite surprised by the community feedback. Total downloads have surpassed 2500, which was quite amazing considering that I didn't expect it to escalate that quickly. Recently I had a chance to test CodeIgniter's XSS clean function; since it relies on a blacklist, it caught my interest. I was pleased that almost all the payloads/techniques used to bypass the "XSSCLEAN" function had already been documented inside our "XSS Filter Evasion Cheat Sheet".
Vulnerability Details
The test-bed I used was set up by @soaj1664ashar based upon the rules of the "XSS Clean" function inside CodeIgniter.
I managed to find lots of bypasses; however, a couple of them collided with what @soaj1664ashar had already found before. Therefore, I decided to publish only the ones that did not collide with his vectors.
// Excerpt from CodeIgniter's _js_link_removal() as quoted on this page; the
// surrounding lines of the method are not reproduced here.
protected function _js_link_removal($match)
//echo "in link removal";
$this->_filter_attributes(str_replace(array('<', '>'), '', $match))
<svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 /><animate attributeName=xlink:href values=;javas	cript:confirm(1) />
Bypass 3 - HREF
There are countless other variations, though.
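A blacklist that searches for the literal string javascript: is defeated as soon as the scheme is split by a tab or hidden behind an entity, as the vector above shows. The defensive alternative is to normalise the attribute value first and then allow only known-good schemes. The Python below is an added illustration of that approach, not CodeIgniter's code; the allowlist, function names and the strict scheme extraction are my own choices.

```python
import html
import re

# Schemes a URL-valued attribute (href, src, xlink:href, ...) may carry.
# Anything else, javascript: and data: included, is rejected outright.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII tab/newline/CR inside a URL before parsing it, so the
# check must drop them too, or "javas<TAB>cript:" is seen as two harmless words.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Strict scheme grammar: everything before the first ':' that precedes any
# '/', '?' or '#'. Unlike a lenient URL parser this does not silently treat
# ";javascript:..." as a relative URL; a junk prefix simply fails the allowlist.
_SCHEME = re.compile(r"^([^/?#]*):")


def normalize_url(value: str) -> str:
    """Decode HTML entities until stable, then strip control/whitespace chars."""
    current = value
    for _ in range(3):  # bounded loop: handles double-encoded entities
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return _CONTROL_CHARS.sub("", current)


def extract_scheme(url: str) -> str:
    """Return the lower-cased scheme, or '' for a relative URL."""
    match = _SCHEME.match(url)
    return match.group(1).lower() if match else ""


def is_safe_url(value: str) -> bool:
    """True only if the normalised value is relative or uses an allowed scheme."""
    scheme = extract_scheme(normalize_url(value))
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitize_href(value: str, fallback: str = "#") -> str:
    """Attribute-ready output: the allowed URL, HTML-escaped, or the fallback."""
    return html.escape(value if is_safe_url(value) else fallback, quote=True)
```

The same check applies to any attribute that can become a URL at runtime, such as the target of an SVG animate element, which is why the value is validated as a whole rather than only under the name href.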
More Bypasses
Ashar Javed found various bypasses for CodeIgniter; if you are interested in more, please refer to the link below: