KrazePlanetLabs - Advanced Blacklist Filter XSS Lab

Advanced Blacklist Challenge

Lab Overview

This lab demonstrates a more sophisticated blacklist filtering approach that attempts to block case variations of dangerous keywords. The 'search' parameter filters out multiple case variations of 'script', 'img', 'image', 'svg', and 'onfocus'.

Advanced Blacklist Filtering: The search parameter uses str_replace() to remove multiple case variations of dangerous keywords, making it harder to bypass with simple case changes.

Hidden Parameters: There are hidden parameters not shown in the main form. Use tools like Arjun to discover them!

# use arjun tool to find hidden parameters

Parameter Security Levels:

Secure fname, lname - Uses htmlspecialchars()

Secure id - Uses htmlspecialchars()

Advanced Filter search - Uses case-variation blacklist

Improved Security Multiple case variations are filtered

Context Output context affects exploitability

Blacklist Filter Details:

The search parameter filters these keywords:

script Script sCript scRipt scrIpt scriPt scripT SCript SCRipt SCRIpt SCRIPt SCRIPT img image svg onfocus

Secure Parameters (fname, lname, id):

Input: <script>alert(1)</script>

Output: <script>alert(1)</script>

Blacklist Filtered (search):

Input: <script>alert(1)</script>

Output: <>alert(1)</>

Case Variation Attempt:

Input: <ScRiPt>alert(1)</ScRiPt>

Output: <>alert(1)</>

The advanced blacklist filter removes multiple case variations of dangerous keywords, making it harder to bypass with simple case changes.

Overall Security Level: Medium-High Security

Objective: Discover the hidden parameters and find ways to bypass the advanced blacklist filtering to execute XSS payloads.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["id"])){
    echo htmlspecialchars($_GET["id"], ENT_QUOTES);
}
elseif(isset($_GET["search"])){
  $arr = array('script','Script','sCript','scRipt','scrIpt','scriPt','scripT',
               'SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT','script',
               'img','image','svg','onfocus');
  $re = str_replace($arr, '', $_GET['search']);
  echo $re;
}

Test Input Forms

Visible Parameters (HTML Encoded)

Hidden Parameters

Hint: The 'id' and 'search' parameters are not shown in the main form. The 'search' parameter uses advanced blacklist filtering.

XSS Bypass Techniques for Advanced Blacklist Filters

Alternative Tags/Events (Not Filtered):

<iframe src=javascript:alert(1)>
<body onload=alert(1)>
<marquee onstart=alert(1)></marquee>
<object data=javascript:alert(1)>
<embed src=javascript:alert(1)>

Encoding Bypass Techniques:

<script>alert(1)</script> (HTML entities)
<%73cript>alert(1)</%73cript> (URL encoding)
<scr\x00ipt>alert(1)</scr\x00ipt> (Null bytes)
<script>alert(1)</script> (Double encoding)

Advanced Blacklist Filter Analysis:

The current filter removes these keywords with case variations: 'script', 'img', 'image', 'svg', 'onfocus'

This means these techniques can potentially bypass the filter:

Using alternative tags that aren't in the blacklist (iframe, body, marquee, object, embed)
Using alternative event handlers that aren't in the blacklist (onload, onerror, onmouseover, onstart)
Using HTML entities or character encoding
Using URL encoding or double encoding
Using null bytes or other special characters
Using tags/events that haven't been added to the blacklist yet

Filter Limitations:

Doesn't filter all possible HTML tags and events
Doesn't handle encoding variations
Doesn't filter JavaScript protocol handlers
Doesn't prevent all XSS vectors, only specific ones

Security Implications

Advanced blacklist filtering demonstrates:

Even comprehensive blacklists can be incomplete
Attackers can use alternative vectors not in the blacklist
Encoding techniques can bypass keyword-based filters
New HTML tags and events are constantly being added
Whitelist approaches are more secure than blacklists
Context-aware encoding is more reliable than keyword filtering
Security through obscurity is not a reliable strategy

Best Practices

For secure web applications:

Use whitelist validation instead of blacklists
Apply context-aware output encoding
Implement strict Content Security Policy (CSP) headers
Validate input based on expected data types
Use security libraries/frameworks for output encoding
Test with automated and manual security testing
Assume blacklists will eventually be bypassed
Regularly update security controls as new threats emerge

Real-World Security Implications

Common Advanced Filter Bypass Vectors:

Search forms: Often use sophisticated filtering that can still be bypassed
Input validation: Blacklists often miss edge cases and encoding variations
WAF bypasses: Web Application Firewalls often use blacklists that can be evaded
API endpoints: Often have inconsistent validation across parameters

Impact of Advanced Filter Bypass:

Complete application compromise despite advanced filtering
Session hijacking through cookie theft
Account takeover attacks
Phishing attacks from within the application
Defacement of application content
Data exfiltration

Advanced Prevention Strategies:

Whitelist validation: Only allow known-safe characters/patterns
Output encoding: Always encode before output based on context
Content Security Policy: Implement strict CSP headers
Input sanitization: Use libraries like DOMPurify for HTML content
Regular security testing: Test all parameters with advanced bypass techniques
Security headers: Implement X-XSS-Protection, X-Content-Type-Options