Bypass space restriction for XSS.

Hi readers, this article talks about how I bypassed a space restriction for a Cross-Site Scripting (XSS) vulnerability. Since this is my first blog post, do bear with me if there are any grammatical errors. Thank you.

As a Security Consultant, part of my daily routine requires me to conduct a pentest on web applications. While working on the web application, I came across a feature which allows me to upload files. Being the typical pentester, I decided to upload a web based shell. Upon successfully uploading a web based shell, I noticed that the web application forces me to download the uploaded web shells and there wasn’t any way that I could call the file and execute commands.

Since I failed to execute commands, I decided to upload a file with an XSS payload. So, I created a file using Kali Linux with the command below:

touch '"><img src=x onerror=alert(document.domain)>.xml'

Creating file with XSS payload.

This can also be done using Burp Suite. Instead of creating a file, you could just upload any file, then intercept the request to the server and change the filename to your XSS payload.

Upon selecting the file with the XSS payload to be uploaded, the payload executed as shown in the figure below.

Self Cross-Site Scripting.

But it was a self-XSS, so I clicked on “Ok” and the file was uploaded. After the upload succeeded, I noticed that my payload had been removed: the web application replaced spaces with underscores (_) and used a blacklist instead of a whitelist; therefore, certain tags such as <script>, img and a few others had been blacklisted.

I created a simple web application that shows how the web application replaces spaces to prevent the payload from being executed:

Space is replaced with underscore.

On the second attempt, I changed my payload to an HTML tag using Burp Suite Repeater, and discovered that I was able to insert <h1> without it being filtered.

HTML Injection.

After several attempts, I asked my colleagues, Mr. Fikri Fadzil and Mr. Ramadhan Amizudin, to take a look at the web application's filtering method. After a quick Google search, we found a payload that uses the Unicode bullet character (http://jsfiddle.net/23sqP/3/) to bypass the space restriction. So, we used the payload below:

<svg•onload=alert(document.domain)>

(If you’re planning to use the payload, please get it from the website)

After that, we successfully bypassed the space restriction:

Payload executed.
Infected JavaScript.
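Why the filter described above lets these filenames through, and what holds up instead, as an added example that is not part of the original post or the tested application. `weakFilter` is an assumed reconstruction of the behaviour the post describes (its blacklist contains only the two tags the post names), and `escapeHtml`, `safeStoredName` and `compare` are hypothetical names.

```javascript
// Assumed reconstruction of the filter described in the post (the application's
// real code is not shown): strip blacklisted tags, then turn spaces into "_".
const BLACKLISTED_TAGS = ["script", "img"]; // the two tags the post names

function weakFilter(filename) {
  let out = String(filename);
  for (const tag of BLACKLISTED_TAGS) {
    out = out.replace(new RegExp("</?" + tag + "\\b[^>]*>", "gi"), "");
  }
  return out.replace(/ /g, "_");
}

// Fix 1: encode when the name is written into HTML. "<" can no longer open a
// tag, so it does not matter which tag or separator character was used.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fix 2: allowlist the stored name instead of blacklisting tags. Anything
// outside A-Z, a-z, 0-9, ".", "_" and "-" becomes "_".
function safeStoredName(filename) {
  const cleaned = String(filename).replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 100);
  return cleaned || "upload";
}

// Filenames taken from the post; the <h1> content "test" is constructed and
// \u2022 is the bullet as it renders in the post.
const SAMPLES = [
  '"><img src=x onerror=alert(document.domain)>.xml',
  "<h1>test</h1>.xml",
  "<svg\u2022onload=alert(document.domain)>",
];

// Runs each filename through the weak filter and through both fixes.
function compare(names) {
  return names.map((name) => ({
    weak: weakFilter(name),
    escaped: escapeHtml(name),
    stored: safeStoredName(name),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(row);
}
```

When the filename is written into the page by client-side script, as in the file-selection step, assigning it through `textContent` rather than `innerHTML` gives the same protection as `escapeHtml`.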
