KrazePlanetLabs - Comprehensive Blacklist Filter XSS Lab

Comprehensive Blacklist Challenge

Lab Overview

This lab demonstrates an extensive blacklist filtering approach applied to multiple hidden parameters. The filter includes case variations, multiple event handlers, and dangerous functions, making this a challenging test of advanced bypass techniques.

Extensive Blacklist Filtering: All hidden parameters use the same comprehensive str_replace() filter that blocks multiple case variations, event handlers, tags, and JavaScript functions.

Multiple Hidden Parameters: There are 7 hidden parameters (id, cat, page, number, page_id, categoryid) not shown in the main form. Use tools like Arjun to discover them all!

# use arjun tool to find hidden parameters: id, cat, page, number, page_id, categoryid

Parameter Security Levels:

Secure fname, lname - Uses htmlspecialchars()

Extensive Filter 7 parameters - Same comprehensive blacklist

Advanced Filtering Multiple case variations and events blocked

Multiple Vectors 7 parameters to test advanced bypass techniques

Comprehensive Blacklist Filter Details:

Case Variations Blocked:

script Script sCript scRipt scrIpt scriPt scripT SCript SCRipt SCRIpt SCRIPt SCRIPT

Event Handlers Blocked:

ontoggle onmousemove onmouseover onfocus

Tags Blocked:

img image svg details

JavaScript Functions Blocked:

alert confirm prompt eval

Parameter: id

Extensive blacklist filter

Parameter: cat

Extensive blacklist filter

Parameter: page

Extensive blacklist filter

Parameter: number

Extensive blacklist filter

Parameter: page_id

Extensive blacklist filter

Parameter: categoryid

Extensive blacklist filter

Secure Parameters (fname, lname):

Input: <script>alert(1)</script>

Output: <script>alert(1)</script>

Extensive Blacklist Filtered:

Input: <ScRiPt>alert(1)</ScRiPt>

Output: <>()</>

The same comprehensive blacklist filter is consistently applied to all 7 hidden parameters, making this a challenging test case for advanced bypass techniques.

Overall Security Level: High Security (but still vulnerable)

Objective: Discover all 7 hidden parameters and find creative ways to bypass the extensive blacklist filtering to execute XSS payloads.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["id"])){
    $arr = array('details','alert','confirm','prompt','eval','details',
                'ontoggle','onmousemove','onmouseover',
                'script','Script','sCript','scRipt','scrIpt','scriPt',
                'scripT','SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'script','img','image','svg','onfocus');
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
// Same filter applied to: cat, page, number, page_id, categoryid

Test Input Forms

Visible Parameters (HTML Encoded)

Hidden Parameters (Extensive Blacklist Filtered)

Hint: 7 parameters (id, cat, page, number, page_id, categoryid) are hidden but implemented with the same extensive blacklist filtering.

Parameter 'id' Extensive Filter

Uses comprehensive blacklist filtering

Parameter 'cat' Extensive Filter