In general, you can break up strings to get around this.
The eval() function can be used to turn strings into function names if a function is filtered.
It’s also possible (and safer, though if we’re breaking into things we probably care a lot less about safety) to use window[].
For really heavy filtering, use something nutso like JSFuck.
(Note that things like the JavaScript Obfuscator Tool won’t always remove functions and strings, as they tend to be geared more towards thwarting script analysis than bypassing filters.)
Sometimes filters are applied in a case-sensitive fashion. While JavaScript is case-sensitive, URL schemes, HTML tag names, and HTML tag attributes are case-insensitive (so, javascript: is treated the same as javaSCRIPT:, onclick is treated the same as ONCLICK, etc.).
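From the filter author's side, the case-sensitivity gap above looks like this. The following is an added example, not code from the original page: it puts a case-sensitive blocklist next to a check that normalizes first and then allowlists. The function names, the allowlists, the base URL and the sample inputs are all assumptions constructed for illustration.

```javascript
// Added example: hypothetical filter functions and constructed sample inputs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const ALLOWED_ATTRS = new Set(["href", "title", "alt"]);
const BASE = "https://example.invalid/"; // placeholder base for relative links

// Weak: case-sensitive blocklist applied to the raw string.
function naiveHrefFilter(href) {
  return !href.includes("javascript:");
}

// Weak: exact match against one spelling of the attribute name.
function naiveAttrFilter(name) {
  return name !== "onclick";
}

// Hardened: parse the value the way a browser would, then allowlist the
// scheme. The WHATWG URL parser lower-cases the scheme, so "javaSCRIPT:"
// and "javascript:" both yield protocol === "javascript:".
function isAllowedHref(href) {
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return false; // reject anything that does not parse
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Hardened: compare attribute names after lower-casing, against an allowlist.
function isAllowedAttr(name) {
  return ALLOWED_ATTRS.has(name.toLowerCase());
}

// Return the samples that the weak filter accepts but the hardened one rejects.
function filterGaps(samples, weak, hardened) {
  return samples.filter((s) => weak(s) && !hardened(s));
}

// Constructed samples: the page's own case variants plus benign values.
const HREF_SAMPLES = ["javascript:void(0)", "javaSCRIPT:void(0)", "/docs/page", "HTTPS://example.invalid/a"];
const ATTR_SAMPLES = ["onclick", "ONCLICK", "href", "HREF"];

console.log("href gaps:", filterGaps(HREF_SAMPLES, naiveHrefFilter, isAllowedHref));
console.log("attr gaps:", filterGaps(ATTR_SAMPLES, naiveAttrFilter, isAllowedAttr));
```

The two lists printed at the end are the inputs a case-sensitive blocklist lets through and a normalize-then-allowlist check stops.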