KrazePlanetLabs - XSS Multi-Function Filter Bypass Lab

Difficulty: Expert

Lab Overview

This lab demonstrates a reflected XSS vulnerability with an advanced filter that blocks multiple HTML tags AND the 'alert' and 'confirm' functions.

Enhanced Filter: The filter now blocks both 'alert' and 'confirm' functions, closing two common XSS demonstration vectors!

Multi-Function Filter: Blocks 12 case variations of 'script' plus 'img', 'image', 'svg', 'video', 'body', 'alert', and 'confirm'

Blocked tags and functions:

Filter method: str_replace(array('script','Script',...,'alert','confirm'), '', $_GET['lname'])

Filter Complexity: Expert-Level Multi-Function Filtering

Objective: Bypass the filter and execute JavaScript code, even though 'alert' and 'confirm' are blocked.

Note: Only the Last Name field is filtered and displayed. The First Name field is unfiltered but not used in output.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','svg','alert','confirm','video','body');
    $re = str_replace($arr, '', $_GET['lname']);
    echo $re;
}

Test Input Form

Advanced Function Bypass Techniques

Remaining JavaScript functions: Use prompt(), console.log(), print(), or create custom functions
Window object manipulation: Access functions through different paths: window.alert, top.alert, self.alert, parent.alert
Advanced encoding: Use multiple encoding layers: HTML entities, URL encoding, Unicode: alert, confirm
Dynamic function construction: Build function names with string operations: 'al'+'ert', ['al','ert'].join('')
Function constructors: Use eval(), Function(), or setTimeout() with encoded strings
Template literals and interpolation: `al${''}ert`, `c${''}onfirm`
Global object access: globalThis['al'+'ert'], this['al'+'ert']
Character code conversion: String.fromCharCode(97,108,101,114,116) for 'alert'
Alternative syntax patterns: Use different calling patterns: window['al'+'ert'].call(null,1)
DOM-based alternatives: Create elements, modify attributes, or trigger events that cause visible effects
Error-based execution: Cause JavaScript errors that reveal execution or use error handlers
Property access variations: Use bracket notation, dot notation, or reflection patterns

Security Analysis

Blocking multiple JavaScript functions demonstrates:

Function name blacklisting is fundamentally flawed
JavaScript provides countless ways to execute code
Encoding and obfuscation easily defeat keyword filters
Attackers can use alternative functions or create their own
Context-aware output encoding remains the only reliable defense
Maintaining comprehensive function blacklists is impractical

Proper Defense Strategies

For enterprise-grade XSS prevention:

Implement strict Content Security Policy (CSP) headers
Use context-aware output encoding libraries
Validate input using whitelists, not blacklists
Use modern sanitization libraries like DOMPurify
Implement Trusted Types for DOM manipulation
Conduct regular security testing and code reviews
Use security headers: X-XSS-Protection, X-Content-Type-Options

JavaScript Function Bypass Examples

Encoding Examples:

alert(1) - HTML entities
al%65rt(1) - URL encoding
al\u0065rt(1) - Unicode escape
al\x65rt(1) - Hex escape

Dynamic Construction:

eval('al'+'ert(1)')
Function('al'+'ert(1)')()
setTimeout('al'+'ert(1)')
window['al'+'ert'](1)

Alternative Functions:

prompt(1) - Input dialog
console.log(1) - Browser console
print() - Print dialog
open() - New window
location='javascript:alert(1)' - Navigation

Reflected XSS Bootcamp

Lab Overview

Encoding Examples:

Dynamic Construction:

Alternative Functions: