KrazePlanetLabs - Project & User-Agent XSS Lab

Project & User-Agent XSS Lab

Discover vulnerabilities in project parameter and User-Agent header

Dual Vulnerability Challenge

Lab Overview

This lab contains two different XSS vulnerabilities - one in the project parameter with incomplete filtering, and another in the HTTP_USER_AGENT header with no filtering at all.

Visible Challenge: Basic HTML encoding using htmlspecialchars() for both first name and last name parameters.
Vulnerable Parameters: Two inputs can be exploited: project and HTTP_USER_AGENT
Project Parameter Filter: String replacement that blocks specific tags but has limited coverage
Blocked strings: script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, img, image, svg, audio, video, body
Filter method: str_replace($arr, '/\/', $_GET['project'])
User-Agent Header: No filtering applied - directly outputs the User-Agent header value
Vulnerability: echo $_SERVER['HTTP_USER_AGENT']; - completely unfiltered!
Filter Complexity: Limited Blocklist Filtering

Objective: Exploit both the project parameter filter bypass and the unfiltered User-Agent header to execute XSS.

Backend Source Code
<?php
// Challenge 1: both name fields are HTML-encoded, so this branch is not exploitable.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Challenge 2: blocklist filter. Only 11 of the 32 case variants of "script"
// are listed, and str_replace makes a single pass, so the reflected value
// is still raw HTML.
elseif(isset($_GET["project"])){
    $arr = array('script','Script','sCript','scRipt','scrIpt','scriPt','scripT',
    'SCript','SCRipt','SCRIpt','SCRIPt','img','image','svg','audio','video','body');
    $re = str_replace($arr, '/\/', $_GET['project']);
    echo $re;
}
// Challenge 3: the request header is written into the page with no encoding at all.
echo $_SERVER['HTTP_USER_AGENT'];
Test Input Forms
Challenge 1: HTML Encoding (Visible)
Both the first-name and last-name fields use htmlspecialchars() encoding

Challenge 2: Project Parameter
Hint: The project parameter uses incomplete filtering. Try alternative HTML tags and attributes.
This parameter uses limited filtering with string replacement

Challenge 3: User-Agent Header
Hint: The User-Agent header is completely unfiltered. To test this vulnerability you need to modify your browser's User-Agent header using developer tools or a browser extension.
Challenge 3 Output (User-Agent Header - Unfiltered)
(the User-Agent string of the requesting client is echoed here verbatim)
User-Agent header is completely unfiltered - major vulnerability!
Exploitation Techniques
Project Parameter Bypass:
  • Alternative tags: Use <iframe>, <object>, <embed>
  • Event handlers: Use onload, onerror, onclick
  • Uncommon tags: Try <marquee>, <applet>, <isindex>
  • Case variations: Try <SCRIPT> (all uppercase) or mixed case not in filter
  • Alternative attributes: Use src, href, data attributes
User-Agent Header Testing:
  • Browser Dev Tools: Use Network conditions in Chrome/Firefox dev tools
  • Browser Extensions: Use User-Agent switcher extensions
  • cURL: curl -H "User-Agent: PAYLOAD" URL
  • Burp Suite: Intercept request and modify User-Agent header
  • Python requests: requests.get(url, headers={'User-Agent': 'PAYLOAD'})
Security Implications

This lab demonstrates:

  • Incomplete filtering creates security vulnerabilities
  • Headers can be attack vectors for XSS
  • Limited blocklists are easily bypassed
  • Multiple input sources need security validation
  • User-controlled headers should be treated as untrusted input
  • Different attack vectors require comprehensive testing
Best Practices

For secure web applications:

  • Validate and sanitize all user inputs, including headers
  • Use context-aware output encoding
  • Implement Content Security Policy (CSP) headers
  • Treat all HTTP headers as untrusted input
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
  • Conduct comprehensive security testing of all input vectors
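The following is a hardened counterpart to the backend shown under Backend Source Code, implementing the practices listed above. It is an added example, not the lab's own code: the helper names (html_encode, validate_project, render, send_security_headers), the allowed project-name character set and the CSP value are assumptions chosen for illustration. One caveat on the list above: X-XSS-Protection is ignored by current Chrome, Edge and Firefox, so the Content-Security-Policy header is the one that carries real weight as a second line of defence.

```php
<?php
// Hardened version of the lab backend (added example, not the lab's own code).
// Assumption: all reflected values land in an HTML text context, not inside
// an attribute, a <script> block or a URL.
declare(strict_types=1);

/**
 * Encode for an HTML text or attribute context.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of silently returning an empty string.
 */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Allowlist validation for the project parameter. Only characters a project
 * name legitimately needs are accepted; everything else is rejected rather than
 * "cleaned", so there is no blocklist to bypass. (Character set is an
 * assumption for this example.)
 */
function validate_project(string $project): ?string
{
    return preg_match('/\A[A-Za-z0-9 _.\-]{1,64}\z/', $project) === 1 ? $project : null;
}

/**
 * Build the response body. Every untrusted value, the User-Agent header
 * included, passes through html_encode() before it reaches the page.
 */
function render(array $get, array $server): string
{
    $out = '';
    if (isset($get['fname'], $get['lname'])) {
        $out .= html_encode((string) $get['fname']) . ' ' . html_encode((string) $get['lname']);
    } elseif (isset($get['project'])) {
        $project = validate_project((string) $get['project']);
        // On rejection the error text is static; the raw value is never echoed.
        $out .= $project === null ? 'Invalid project name' : 'Project: ' . html_encode($project);
    }
    // The header is attacker-controlled like any other input: cap its length and encode it.
    $ua = substr((string) ($server['HTTP_USER_AGENT'] ?? ''), 0, 512);
    $out .= "\nUser-Agent: " . html_encode($ua);
    return $out;
}

/** Response headers: CSP blocks inline script even if an encoding slip remains elsewhere. */
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

if (PHP_SAPI !== 'cli') {
    send_security_headers();
    echo render($_GET, $_SERVER);
} else {
    // Self-check with constructed inputs, taken from the lab's own payload list.
    $samples = [
        ['project' => '<marquee onstart=alert(1)>'],       // rejected by the allowlist
        ['project' => 'krazeplanet-v2'],                   // accepted and encoded
        ['fname' => '"><script>alert(1)</script>', 'lname' => 'x'],
    ];
    foreach ($samples as $get) {
        echo render($get, ['HTTP_USER_AGENT' => '<svg onload=alert(1)>']), "\n---\n";
    }
}
```

Run it with `php hardened.php` to see the three constructed cases: the marquee payload is rejected outright, the legitimate name is echoed unchanged, and both the injected name field and the User-Agent value come out as inert text such as `&lt;svg onload=alert(1)&gt;`. The design point is that the project branch swaps a blocklist for an allowlist, while the header and name fields rely on context-aware encoding; neither path depends on guessing which tags an attacker might use.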
Payload Examples
Project Parameter Payloads:
  • <iframe src="javascript:alert(1)">
  • <object data="javascript:alert(1)">
  • <embed src="javascript:alert(1)">
  • <marquee onstart=alert(1)>
  • <details ontoggle=alert(1) open>
  • <select onfocus=alert(1) autofocus>
User-Agent Payloads:
  • <script>alert(1)</script>
  • "><script>alert(1)</script>
  • '><img src=x onerror=alert(1)>
  • <svg onload=alert(1)>
  • javascript:alert(1)
  • <body onload=alert(1)>
Testing Tools & Methods
For Project Parameter:
  • Manual testing: Direct form submission
  • Burp Suite: Intercept and modify GET parameter
  • Browser console: Modify form values dynamically
  • cURL: curl "http://site.com?project=PAYLOAD"
For User-Agent Header:
  • Chrome DevTools: Network conditions tab
  • Firefox DevTools: Network request blocking
  • Browser extensions: User-Agent switchers
  • cURL: curl -H "User-Agent: PAYLOAD" URL
  • Python: Use requests library with custom headers