Reflected XSS Bootcamp

Lab: Alert Function Filter Bypass

Difficulty: High

Lab Overview

This lab demonstrates a reflected XSS vulnerability with an advanced filter that blocks multiple HTML tags AND the 'alert' function.

Critical Update: The filter now blocks the 'alert' function in addition to HTML tags!
Advanced Filter: Blocks 12 case variations of 'script' plus 'img', 'svg', 'audio', 'video', 'body', and 'alert'
Blocked tags and functions:
script
Script
sCript
scRipt
scrIpt
scriPt
scripT
SCript
SCRipt
SCRIpt
SCRIPt
SCRIPT
img
svg
audio
video
body
alert
Filter method: str_replace(array('script','Script',...,'alert'), '', $_GET['lname'])
Filter Complexity: Advanced Function Filtering

Objective: Bypass the filter and execute a JavaScript alert, even though 'alert' is blocked.

Note: Only the Last Name field is filtered and displayed. The First Name field is unfiltered but not used in output.

Backend Source Code
<?php
// Vulnerable by design for this lab: a non-recursive, case-sensitive
// str_replace() blacklist, after which the value is echoed into the HTML
// response with no output encoding.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','alert','svg','audio','video','body');
    $re = str_replace($arr, '', $_GET['lname']); // strips only the listed substrings
    echo $re; // reflected into the page without htmlspecialchars()
}
Test Input Form
  • First Name: this field has no filters but is not displayed in output
  • Last Name: this field has 18 filters including 'alert' function blocking
Function Filter Bypass Techniques
  • Alternative JavaScript functions: Use prompt(), confirm(), console.log() or create your own alert function
  • Window object methods: Try window.alert or accessing through different object paths
  • Encoding and obfuscation: Use HTML entities, URL encoding, or Unicode: alert
  • String concatenation: Build the function name dynamically: 'al'+'ert'
  • Alternative syntax: Use eval() or Function() constructors with encoded strings
  • Template literals: Use backticks and template syntax: `al${''}ert`
  • GlobalThis access: Use globalThis['al'+'ert'] or similar approaches
  • Character code conversion: Use String.fromCharCode() to build the function name
  • Alternative event handlers: Use handlers that don't require alert: onerror with image loading, etc.
  • DOM manipulation: Create elements and trigger events programmatically
Security Implications

Blocking specific JavaScript functions demonstrates:

  • Attackers can easily use alternative functions or obfuscation
  • Function name filtering is trivial to bypass with encoding
  • JavaScript is extremely flexible with multiple ways to execute code
  • Blacklisting function names creates a false sense of security
  • Proper output encoding is the only reliable defense
Proper Defense Strategies

For effective XSS prevention:

  • Use context-aware output encoding (HTML, JavaScript contexts)
  • Implement strict Content Security Policy (CSP) headers
  • Validate input using whitelists, not blacklists
  • Use proven sanitization libraries like DOMPurify
  • Never rely on function name filtering for security
  • Consider using Trusted Types for DOM XSS protection
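The defense strategy above applied to this lab's backend, as an added example that is not part of the lab's own code: the lab's blacklist filter is kept only for comparison, and the hardened handler replaces it with context-aware encoding for the HTML body context plus a CSP header. The function names and the constructed sample input are assumptions of this example.

```php
<?php
// Added defensive example (not the lab's own code): the lab's blacklist next
// to a context-aware encoder for the HTML body context.

// The lab's filter, reproduced for comparison. Anything not on the list
// (prompt, confirm, event handler names, ...) passes through untouched.
function lab_blacklist_filter(string $lname): string {
    $arr = array('script','Script','sCript','scRipt',
                 'scrIpt','scriPt','scripT','SCript',
                 'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                 'img','alert','svg','audio','video','body');
    return str_replace($arr, '', $lname);
}

// Hardened version: do not enumerate bad tokens. Encode the value for the
// context it is inserted into (here: HTML element content), so <, >, &, "
// and ' become entities and the browser renders them as text, never markup.
function encode_for_html_body(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth: a CSP without 'unsafe-inline' means inline script and
// on* handlers would not execute even if encoding were missed somewhere.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

if (isset($_GET['fname']) && isset($_GET['lname'])) {
    send_csp_header();
    echo '<p>Last name: ' . encode_for_html_body($_GET['lname']) . '</p>';
}

// Constructed check for the CLI: the blacklist leaves the page's own listed
// alternative 'prompt(1)' and the tag delimiters untouched, while the
// encoder neutralises every character that could close the element or
// start a tag.
if (PHP_SAPI === 'cli') {
    $sample = "O'Brien & Sons <prompt(1)>";   // constructed input, not a real payload
    var_dump(lab_blacklist_filter($sample) === $sample);
    echo encode_for_html_body($sample), PHP_EOL;
}
```

Run it with `php example.php` to compare the two outputs; the encoder's result is safe only for the HTML body context, so a value placed inside a JavaScript string or a URL attribute needs the encoder for that context instead.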
JavaScript Function Alternatives

When 'alert' is blocked, consider these alternatives:

Built-in alternatives:
  • prompt(1) - Shows a prompt dialog
  • confirm(1) - Shows a confirmation dialog
  • console.log(1) - Logs to browser console
  • print() - Opens print dialog
Creative alternatives:
  • top['al'+'ert'](1) - String concatenation
  • window['al'+'ert'](1) - Bracket notation
  • eval('al'+'ert(1)') - Using eval
  • Function('al'+'ert(1)')() - Function constructor