Reflected XSS Bootcamp

Lab: Comprehensive Filter Bypass Challenge

Difficulty: Expert

Lab Overview

This lab demonstrates a reflected XSS vulnerability with a comprehensive filter that blocks multiple case variations of 'script', 'img', 'image', and now 'svg' tags.

Challenge Update: The filter has been enhanced to block 'svg' tags, closing a common bypass vector from the previous challenge.
Comprehensive Filter: Blocks 12 case variations of 'script' plus 'img', 'image', and 'svg'
Blocked tags and variations:
script
Script
sCript
scRipt
scrIpt
scriPt
scripT
SCript
SCRipt
SCRIpt
SCRIPt
SCRIPT
img
image
svg
Filter method: str_replace(array('script','Script','sCript',...,'svg'), '', $_GET['fname'])
Filter Complexity: Expert-Level Comprehensive Blacklist

Objective: Bypass the comprehensive filter and execute a JavaScript alert.

Note: Only the First Name field is filtered and displayed. The Last Name field is unfiltered but not used in output.

Backend Source Code
<?php
// Lab backend (intentionally vulnerable): a single-pass blacklist removes the
// listed substrings from the First Name value, then echoes it without encoding.
if (isset($_GET["fname"]) && isset($_GET["lname"])) {
    $arr = array('script','Script','sCript','scRipt',
                 'scrIpt','scriPt','scripT','SCript',
                 'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                 'img','image','svg');
    // str_replace walks the array once; anything not in the list passes through.
    $re = str_replace($arr, '', $_GET['fname']);
    // Reflected straight into the HTML body with no output encoding.
    echo $re;
}
Test Input Form
First Name: this field has 15 different filters applied, including the case variations and 'svg'
Last Name: this field has no filters but is not displayed in the output
Master-Level Bypass Techniques
  • Alternative HTML tags: Try body, iframe, object, embed, link, meta, base
  • Event handlers on allowed tags: Use onmouseover, onfocus, onload, onerror on tags that aren't filtered
  • HTML entity encoding: Try partial encoding: <b&#111;dy onload=alert(1)>
  • JavaScript protocol in attributes: <a href="javascript:alert(1)">click</a>
  • Data URI scheme: <object data="data:text/html,<script>alert(1)</script>">
  • Unicode and special characters: Use characters that normalize to blocked tags after parsing
  • Nested and broken tags: Create malformed HTML that browsers parse differently than expected
  • CSS-based attacks: Use style attributes with expression() or other CSS injection
Security Implications

This comprehensive filter demonstrates the fundamental flaw in blacklist approaches:

  • Attack vectors are virtually unlimited while blacklists are finite
  • Browser parsing quirks create unexpected attack surfaces
  • Maintenance burden increases exponentially with each new vector
  • False sense of security leads to inadequate protection
  • Performance impact grows with larger blacklists
Industry Best Practices

For production applications, always use:

  • Context-aware output encoding: Encode for HTML, JavaScript, CSS contexts
  • Content Security Policy (CSP): Restrict script execution sources
  • Input validation: Use whitelists, not blacklists
  • Security libraries: DOMPurify, OWASP Java Encoder, etc.
  • Security headers: X-XSS-Protection, X-Content-Type-Options
  • Regular security testing: SAST, DAST, and manual testing
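An added example, not the lab's own code, placing the lab's blacklist next to context-aware output encoding for the HTML body context. The sample inputs are constructed; the checker function and the hypothetical names blacklist_filter and html_encode are assumptions made here.

```php
<?php
declare(strict_types=1);

// The lab's blacklist, reproduced for comparison (intentionally weak).
function blacklist_filter(string $fname): string {
    $arr = ['script','Script','sCript','scRipt','scrIpt','scriPt','scripT',
            'SCript','SCRipt','SCRIpt','SCRIPt','SCRIPT','img','image','svg'];
    return str_replace($arr, '', $fname);
}

// Hardened version: encode for the HTML body context instead of removing
// substrings. ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces
// invalid UTF-8 rather than returning an empty string.
function html_encode(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defender-side check: in the HTML body context a safe reflection must not
// contain a raw angle bracket or quote character.
function is_html_safe(string $output): bool {
    return preg_match('/[<>"\']/', $output) === 0;
}

// Constructed inputs: a benign name plus the two tag forms the lab already discusses.
$samples = [
    'Alice',
    '<script>alert(1)</script>',
    '<body onload=alert(1)>',   // not in the blacklist, so it passes through untouched
];

foreach ($samples as $s) {
    $filtered = blacklist_filter($s);
    $encoded  = html_encode($s);
    printf("input:     %s\n", $s);
    printf("blacklist: %s  safe=%s\n", $filtered, is_html_safe($filtered) ? 'yes' : 'no');
    printf("encoded:   %s  safe=%s\n\n", $encoded, is_html_safe($encoded) ? 'yes' : 'no');
}
```

The blacklist output is reported unsafe for both tag samples, while the encoded output is safe for all three and still renders the original text to the user.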
Learning Progression
  • Basic: Simple script tag filter
  • Intermediate: Multiple tag filters
  • Advanced: Case variations
  • Expert: Comprehensive filters