Reflected XSS Bootcamp

Lab: Advanced Case-Sensitive Filter Bypass

Difficulty: High

Lab Overview

This lab demonstrates a reflected XSS vulnerability with an advanced filter that blocks multiple case variations of 'script', 'img', and 'image' tags.

Advanced Filter: Blocks 12 case variations of 'script' plus 'img' and 'image'
Blocked 'script' variations: script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, SCRIPT
Other blocked substrings: img, image
Filter method: str_replace(array('script','Script','sCript',...), '', $_GET['fname'])
Filter Complexity: Advanced Case-Sensitive Blacklist

Objective: Bypass the extensive case-sensitive filter and execute a JavaScript alert.

Note: Only the First Name field is filtered and displayed. The Last Name field is unfiltered but not used in output.

Backend Source Code

// Vulnerable handler as shipped with the lab. Each blacklisted string is
// stripped in a single pass, text that only becomes a match after a removal
// is not re-checked, and the result is echoed without output encoding.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image');
    $re = str_replace($arr, '', $_GET['fname']);
    echo $re;
}

Test Input Form

First Name: 14 filters applied (the case variations and tag names listed above); this value is echoed in the output
Last Name: no filters applied, but the value is not used in the output

Expert Bypass Techniques

  • Use completely different tags: The filter only blocks 'script', 'img', and 'image'. Try svg, body, iframe, object, embed
  • HTML entity encoding: Try encoding parts of your payload (note that the example <svg onload=alert(1)> succeeds because svg is not on the blacklist, not because anything in it is encoded)
  • Nested tags: Nest a blacklisted word inside the tag name so that removing it reconstructs the tag: <scr<script>ipt>alert(1)</scr<script>ipt>
  • Unicode or special characters: Try characters that look similar to the blocked ones but are technically different
  • Event handlers on allowed tags: Use onmouseover, onfocus, onload on tags that aren't filtered
  • JavaScript protocol in links: Try <a href="javascript:alert(1)">click</a>
  • CSS expressions (legacy Internet Explorer only): <div style="width: expression(alert(1))">

Security Analysis

This lab demonstrates the limitations of even extensive blacklist filtering:

  • Attackers can use completely different tags and techniques
  • Encoding and obfuscation techniques defeat pattern matching
  • Maintaining comprehensive blacklists is impractical
  • Context-aware output encoding, not input blacklisting, remains the only effective defense
  • Browser parsing behavior can create unexpected attack vectors

Enterprise Solutions

For enterprise-grade XSS prevention:

  • Implement strict Content Security Policy (CSP)
  • Use context-aware output encoding libraries
  • Adopt secure development frameworks with built-in protection
  • Conduct regular security testing and code reviews
  • Use Web Application Firewalls (WAF) as defense in depth
  • Implement proper input validation using whitelists
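As an added example (not the lab's own code), the following PHP puts the lab's blacklist filter next to a hardened handler for the same HTML-body output context, illustrating the Security Analysis point that context-aware output encoding, not substring removal, is the defense, and the Enterprise Solutions items on output encoding and CSP. The function names blacklist_filter and html_encode, the constructed sample inputs, and the example policy string are assumptions introduced here.

```php
<?php
// Added example (not the lab's own code): the lab's blacklist filter beside a
// hardened handler for the same HTML-body output context.

// 1. The lab's filter, reproduced as a function. str_replace() applies each
//    search string in a single pass, so text that only becomes a match after
//    a removal (the "scr" + "ipt" left behind once an inner "script" is
//    stripped) is never re-checked.
function blacklist_filter(string $fname): string
{
    $arr = array('script','Script','sCript','scRipt',
                 'scrIpt','scriPt','scripT','SCript',
                 'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                 'img','image');
    return str_replace($arr, '', $fname);
}

// 2. Hardened replacement: encode for the HTML element context instead of
//    enumerating dangerous substrings. '<', '>', '&', '"' and "'" all become
//    entities, so no input can open a tag or attribute regardless of case,
//    nesting or tag name. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
//    silently returning an empty string.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: a plain name and the split-tag payload quoted on
// this page. Run from the CLI (php example.php) to compare both code paths.
$samples = array(
    'Alice',
    '<scr<script>ipt>alert(1)</scr<script>ipt>',
);

if (PHP_SAPI === 'cli') {
    foreach ($samples as $input) {
        echo "input:     " . $input . "\n";
        echo "blacklist: " . blacklist_filter($input) . "\n";
        echo "encoded:   " . html_encode($input) . "\n\n";
    }
} elseif (isset($_GET['fname']) && isset($_GET['lname'])) {
    // Fixed handler in place of the lab's `echo $re;`. Headers are sent before
    // any body bytes. The policy is a minimal example (an assumption): scripts
    // may load only from same-origin files, so even an inline alert(1) that
    // reached the page some other way would not execute.
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    echo html_encode($_GET['fname']);
}
```

Running the CLI branch shows the two approaches side by side: the blacklist path turns the split-tag input back into a complete script element, while the encoded path emits only entity-escaped text that the browser renders literally. The CSP header is defense in depth rather than a substitute for encoding; it would have to be tuned to whatever scripts the real page legitimately loads.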