Reflected XSS Bootcamp

Lab: Multi-Filter Bypass Challenge

Difficulty: Medium

Lab Overview

This lab demonstrates a reflected XSS vulnerability in the First Name parameter. The application strips the substrings 'script' and 'img' (not tags: a case-sensitive, single-pass str_replace) and then echoes the result into the page without any output encoding.

Active Filters: The application removes the following strings from the First Name parameter:
  • BLOCKED 'script'
  • BLOCKED 'img'
Filter method: str_replace(array('script','img'), '', $_GET['fname'])

Objective: Bypass both filters and execute a JavaScript alert.

Note: Only the First Name field is filtered. The Last Name field is unfiltered but not displayed.

Backend Source Code
// Deliberately vulnerable lab code: the blacklist runs once, left to right,
// case-sensitively, and the result is echoed raw into the HTML body.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','img');                 // needles removed in this order
    $re = str_replace($arr, '', $_GET['fname']);  // one pass per needle, no re-scan
    echo $re;                                     // no htmlspecialchars(): reflected as-is
}
// $_GET['lname'] must be present for the branch to run, but it is never echoed.
Test Input Form
  • First Name: 'script' and 'img' filters applied, value is reflected
  • Last Name: no filters, value is not displayed
Hints & Bypass Techniques
  • Try tags that aren't on the blacklist: svg, body, iframe, details, etc. Only the two substrings are removed, everything else passes through.
  • Experiment with case variations. str_replace is case-sensitive, but the HTML parser is not, so <SCRIPT> is a different string to the filter and the same tag to the browser.
  • Use nested strings that reconstruct after a single removal pass: because the filter never re-scans its own output, <scrscriptipt> becomes <script>.
  • Put event handlers on tags that are allowed: onmouseover, onload, onerror, etc.
  • HTML character references can hide a blocked substring, but only where the browser decodes them, i.e. inside attribute values such as a javascript: URL in href, not inside tag names.
  • Remember that only First Name is both filtered and displayed. Last Name is checked with isset() so it must be present, but its value is never echoed, so it cannot carry the payload.
Security Note

This lab demonstrates why blacklist-based filtering is insufficient for XSS prevention. A string-removal blacklist such as this one is case-sensitive, runs in a single pass, and lists only a handful of the many ways to reach script execution, so attackers bypass it with alternative tags and event handlers, case variations, nested strings that reassemble after removal, or character references that the browser decodes but the filter does not.

Real-world recommendation: use context-aware output encoding at the point where untrusted data is written into the page (for this code, htmlspecialchars($re, ENT_QUOTES, 'UTF-8') before echo), and validate input against an allowlist of what the field should contain rather than a blocklist of what it should not. Where rich HTML genuinely has to be accepted, use a maintained sanitizer such as DOMPurify rather than hand-written string filters, and deploy a Content Security Policy as defense in depth.
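The following is an added example, not the lab's own code, serving both the hints list and the security note above. It emulates the lab's PHP str_replace filter in JavaScript (sequential, case-sensitive, single-pass removal), runs one constructed payload per hint through it, and compares the outcome with the recommended fix, an htmlspecialchars-style encoder. The payload strings, the hasLiveVector heuristic and the function names are assumptions made for this example; hasLiveVector is a crude test-harness check for "would a browser still execute something", not a sanitizer.

```javascript
// Added example, not the lab's own code: emulate the lab's PHP filter,
// push the hinted bypasses through it, and compare with output encoding.

// PHP str_replace(array('script','img'), '', $s): case-sensitive, each
// needle removed in one left-to-right pass, in array order, no re-scan.
function labFilter(fname) {
  let out = fname;
  for (const needle of ["script", "img"]) {
    out = out.split(needle).join("");
  }
  return out;
}

// Decode only decimal/hex numeric character references, which is what the
// browser does inside attribute values (the href="java&#115;cript:" trick).
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Crude test-harness heuristic (assumption, not a sanitizer): does the
// reflected string still contain something a browser would execute?
//  - an element carrying an on* event handler attribute,
//  - a <script> element (case-insensitive, like the HTML parser),
//  - a javascript: URL once numeric entities are decoded.
function hasLiveVector(html) {
  const decoded = decodeNumericEntities(html);
  return /<[a-z][a-z0-9]*\b[^>]*\bon[a-z]+\s*=/i.test(decoded)
    || /<script\b/i.test(decoded)
    || /javascript:/i.test(decoded);
}

// Equivalent of htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): the fix for
// reflecting untrusted text into an HTML element body or attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[c]);
}

// Constructed payloads, one per hint in the lab text (assumed inputs).
const PAYLOADS = {
  blockedScript: "<script>alert(1)</script>",
  blockedImg:    "<img src=x onerror=alert(1)>",
  otherTag:      "<svg onload=alert(1)>",
  caseVariant:   "<SCRIPT>alert(1)</SCRIPT>",
  nested:        "<scrscriptipt>alert(1)</scrscriptipt>",
  entityHref:    '<a href="java&#115;cript:alert(1)">x</a>',
};

// Returns {name: {filtered, filteredLive, escapedLive}} for every payload:
// filteredLive is the blacklist outcome, escapedLive the encoding outcome.
function evaluatePayloads(payloads = PAYLOADS) {
  const results = {};
  for (const [name, p] of Object.entries(payloads)) {
    const filtered = labFilter(p);
    results[name] = {
      filtered,
      filteredLive: hasLiveVector(filtered),
      escapedLive: hasLiveVector(escapeHtml(p)),
    };
  }
  return results;
}

for (const [name, r] of Object.entries(evaluatePayloads())) {
  console.log(name.padEnd(14), r.filteredLive ? "BYPASS " : "blocked",
              "| escaped live:", r.escapedLive, "|", r.filtered);
}
```

Only the two literal payloads are neutralised by the blacklist; the other four survive it unchanged or reassemble into a working tag, while every payload is inert after escapeHtml, which is the point of encoding at the output sink rather than filtering at the input.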