We keep encountering many types of unintended filters used by applications to present their input. One of them is to present all user input in CAPITAL letters. Even if there is no input validation done by the application, our normal XSS attack vector doesn’t work in this scenario.
Here is an example: Within scripts tags you would have given an inline alert(document.cookie);
Option 1: If VBscript is supported, then try out below. Since vbscript is case insensitive, it should not matter.
If the above two options don’t work, you can try out iframe or img src tags to inject your attack vector. There are some more ingenious tricks like shown in the below link but those are for rare cases. Hope this tip helped you.http://www.jsfuck.com/