> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/xss/trick-0397.md).

# XSS Via Charset Substitution Bypass

***

Bypass server-side string escaping (like `addslashes`) by forcing a specific charset interpretation on the client side. When the server doesn't explicitly specify the charset in the `Content-Type` header, an attacker can sometimes send an escape sequence in the request that hints the browser to interpret the response using a different encoding, such as JIS X 0201. In the absence of a charset declaration, browsers will try to guess the encoding, and an attacker can influence this guess by including an escape sequence in the request, such as `%1b%28J` for JIS X 0201 or `%1b%28C` for Shift-JIS.

For example, sending `%1B(J` (the escape sequence for JIS X 0201) can cause the client to map the backslash character (`\`, ASCII 0x5C) to the Yen symbol (`¥`) when interpreting the response. If the server used `addslashes` to escape a quote like `\'` or `\"`, the client will interpret this as `¥'` or `¥"`, failing to escape the quote and allowing script execution.

Consider vulnerable code that uses `addslashes` on user input without specifying the output encoding:

```php
<?php
    $name = $_GET['name'];
    $name = addslashes($name);
?>
```

An example payload structure targeting this vulnerability using the JIS X 0201 escape sequence:

```
http://localhost/PHP/XSS/gallipoli/test/test.php?search=%1B(Jabra_kadabra&lang=en%22;alert(document.title)//
```

Or, targeting the vulnerable PHP example:

```
http://localhost/php-addslashes-charset/vulnerable.php?name=%1b%28J%27%3balert%281%29%3b%2f%2f
```

A related technique to bypass `addslashes` involves using multibyte character sets like GBK, BIG5, or SJIS. This is about addslashes bypass using these encodings. For example, in GBK, `0xbf27` is a valid character. The `addslashes` function escapes `0x27` (single quote) to `0x5c27` (`\'`). However, if the response is interpreted using the GBK encoding, the byte sequence `0xbf5c27` will be parsed. In GBK, `0xbf5c` is a valid two-byte character (representing '¿'), meaning the backslash `0x5c` is consumed as part of the preceding multibyte character (`0xbf`), leaving the quote `0x27` unescaped. The byte sequence `0xbf27` represents the character '¿''. After `addslashes`, `0xbf27` becomes `0xbf5c27`, where `0xbf5c` is a valid character in GBK, and `0x27` is left alone. This can be exploited with tools utilizing character set options.
