Sometimes a server will escape special characters that are injected: For instance, injecting a
" character and having it reflect as
Sometimes, ironically enough, you can outsmart filters by using their own tricks against them. Try escaping their escape character like this:
However, if the server escapes your injected
\\, this technique will not work:
If you’re able to break out by escaping their escape, you’ll need to blend back in with something other than a
", because the escaping process breaks the syntax:
alert(1) is not valid syntax and will cause an error.
Commenting out the rest is your best bet, unless they escape your
\/\/. When this happens, I don’t think there’s much you can do.
Escaping escapes reminds me of the classic movie moment, when a bad guy gets the drop on a good guy, but then another good guy gets the drop on the bad guy. It always cracks me up when this evasion technique works.