CodeIgniter XSS Filter Multiple Bypasses


Recently we released our "XSS Filter Evasion Cheat Sheet", and I was quite surprised by the community feedback. Total downloads have surpassed 2500, which is quite amazing considering that I did not expect it to take off that quickly. Recently I also had a chance to test CodeIgniter's XSS clean function; since it relies upon a blacklist, it caught my interest. I was pleased to find that almost all of the payloads and techniques used to bypass the "XSSCLEAN" function had already been documented inside our "XSS Filter Evasion Cheat Sheet".

Vulnerability Details

The test-bed I used was set up by @soaj1664ashar based upon the rules of the "XSS Clean" function inside CodeIgniter.

http://xssplayground.net23.net/clean11.html

I managed to find lots of bypasses; however, a couple of them collided with what @soaj1664ashar had already found before. Therefore I decided to publish only the ones that did not collide with his vectors.

Bypass 1 - Null Bytes

Internet Explorer up to version 9 ignores null bytes everywhere. The XSSClean function was filtering for keywords like
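The following is an added illustration of why this class of bypass works and what closes it; it is not CodeIgniter's xss_clean() code, and the keyword list, the sample strings and the helper names are assumptions made for the example. A keyword blacklist applied to the raw input misses a keyword split by a NUL byte, while a browser that ignores NUL bytes still sees the keyword whole; normalising the input (dropping NUL bytes) before matching closes this particular gap, although context-aware output encoding remains the dependable fix.

```python
"""Keyword blacklist versus NUL-byte insertion (added example, not CodeIgniter code)."""
import re

# Assumed keyword list in the spirit of a blacklist filter (not the real rule set).
BLACKLISTED_KEYWORDS = ("script", "onerror", "javascript")


def naive_blacklist_filter(value: str) -> str:
    """Strip blacklisted keywords from the raw input.

    A NUL byte inside a keyword breaks the literal match, so that keyword
    survives the filter untouched.
    """
    for word in BLACKLISTED_KEYWORDS:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def normalised_blacklist_filter(value: str) -> str:
    """Drop NUL bytes first, then apply the same keyword list.

    This mirrors what the browser described above does before parsing,
    so the filter and the browser now agree on what the keyword is.
    """
    return naive_blacklist_filter(value.replace("\x00", ""))


def contains_blacklisted(value: str) -> bool:
    """Judge the filtered output the way a NUL-ignoring browser would see it."""
    seen_by_browser = value.replace("\x00", "").lower()
    return any(word in seen_by_browser for word in BLACKLISTED_KEYWORDS)


# Constructed samples: an intact keyword and the same keyword split by a NUL byte.
CLEAN_SAMPLE = "<script>alert(1)</script>"
SPLIT_SAMPLE = "<scr\x00ipt>alert(1)</scr\x00ipt>"

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, SPLIT_SAMPLE):
        for name, fn in (("naive", naive_blacklist_filter),
                         ("normalised", normalised_blacklist_filter)):
            out = fn(sample)
            print(f"{name:>10}: {out!r} -> keyword still reaches browser: "
                  f"{contains_blacklisted(out)}")
```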