Reflected XSS Bootcamp

Lab: Extended Filter Bypass Challenge

Difficulty: Medium

Lab Overview

This lab demonstrates a reflected XSS vulnerability with an extended filter that blocks 'script', 'img', and 'image' tags in the First Name parameter.

Active Filters: The application removes the following strings from the First Name parameter:

Filter method: str_replace(array('script','img','image'), '', $_GET['fname'])

Filter Complexity: Extended Blacklist

Objective: Bypass all three filters and execute a JavaScript alert.

Note: Only the First Name field is filtered and displayed. The Last Name field is unfiltered but not used in output.

Backend Source Code

if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','img','image');
    $re = str_replace($arr, '', $_GET['fname']);
    echo $re;
}

Test Input Form

Advanced Bypass Techniques

Try using tags that aren't in the blacklist - svg, body, iframe, object, embed
Experiment with case variations - the filter is likely case-sensitive
Consider using HTML entities or URL encoding to obfuscate your payload
Try nested tags that reconstruct after filtering - <scr<script>ipt>
Use alternative event handlers - onmouseover, onfocus, onload
Test with mixed-case tags - ScRiPt, iMg
Remember the filter only applies to First Name field

Security Implications

This lab demonstrates the fundamental weakness of blacklist-based filtering:

Attackers can easily bypass filters by using alternative tags
Case variations and encoding techniques defeat simple string replacement
Blacklists require constant updates as new attack vectors emerge
Context-aware sanitization is necessary for effective protection

Best Practices

For effective XSS prevention:

Use context-aware output encoding (HTML, JavaScript, URL)
Implement Content Security Policy (CSP) headers
Validate input using whitelists rather than blacklists
Use proven sanitization libraries like DOMPurify
Employ proper HTTP headers (X-XSS-Protection, X-Content-Type)