Reflected XSS Bootcamp

Lab: Ultimate Filter Bypass Challenge

Lab Overview

This is the ultimate XSS filter challenge! The filter now blocks 12 case variations of 'script' plus 'img', 'image', 'svg', and 'audio' tags.

Final Challenge Update: The filter has been expanded to block 'audio' tags, closing another common bypass vector.
Ultimate Filter: Blocks 12 case variations of 'script' plus 'img', 'image', 'svg', and 'audio'.

Blocked tags and variations:
  • script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, SCRIPT
  • img, image, svg, audio

Filter method: str_replace(array('script','Script','sCript',...,'audio'), '', $_GET['fname'])
Filter Complexity: Ultimate-Level Blacklist

Objective: Bypass the ultimate filter and execute a JavaScript alert.

Note: Only the First Name field is filtered and displayed. The Last Name field is unfiltered, but it is never used in the output (it is only checked for presence).

Backend Source Code
<?php
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    // Blacklist of literal strings that are removed from the input
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','svg','audio');
    $re = str_replace($arr, '', $_GET['fname']);
    // The filtered value is echoed straight into the page as HTML
    echo $re;
}
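For comparison with the lab code above, here is an added example (not the lab's own code) that runs the lab's blacklist and a context-aware output-encoding fix side by side over a constructed sample value built from the body tag and onload handler named in the hint list further down this page:

```php
<?php
// Added example, not the lab's code: the lab's blacklist next to the
// output-encoding fix that makes a tag blacklist unnecessary.

// The lab's filter, verbatim: each listed literal is removed once.
function blacklistFilter(string $input): string
{
    $arr = array('script','Script','sCript','scRipt',
                 'scrIpt','scriPt','scripT','SCript',
                 'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                 'img','image','svg','audio');
    return str_replace($arr, '', $input);
}

// The fix: the value is rendered as HTML text, so encode every character
// that could open a tag or break out of an attribute value.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the body/onload pair from the lab's hint list.
// It contains none of the blacklisted literals.
$sample = '<body onload=alert(1)>';

$filtered = blacklistFilter($sample);
$encoded  = encodeForHtml($sample);

// The blacklist leaves the sample untouched; the encoder turns '<' and '>'
// into entities, so the browser renders the value as literal text.
printf("blacklist left input unchanged: %s\n", $filtered === $sample ? 'yes' : 'no');
printf("encoded output still contains '<': %s\n", strpos($encoded, '<') !== false ? 'yes' : 'no');
printf("encoded output: %s\n", $encoded);
```

The same encoding call replaces the `echo $re;` line in the lab code; the blacklist array can then be dropped entirely.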
Legendary Bypass Techniques
  • Remaining HTML tags: Try body, iframe, object, embed, link, meta, base, form, input, button, select, textarea, video (not blocked), source, track
  • Advanced event handlers: Use onmouseover, onfocus, onload, onerror, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmouseup, onmouseenter, onmouseleave, onmousewheel, onscroll, onresize
  • Creative encoding: Try mixed encoding: <b&#111;dy onload=&#97;lert(1)>
  • JavaScript pseudo-protocol: <a href="javas&#99;ript:alert(1)">click</a>
  • Data URI with encoding: <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
  • Unicode normalization attacks: Use characters that normalize to blocked tags
  • Mutation XSS (mXSS): Create payloads that mutate during parsing
  • CSS injection: Use style attributes with expression() or other CSS injection in supported browsers
  • Template injection: Try <template> tags with event handlers
  • MathML/SVG polyglots: Create payloads that parse differently in different contexts
The Ultimate Challenge

This represents the pinnacle of blacklist filter challenges:

  • 16 different filter patterns including case variations
  • Blocks the most common XSS vectors
  • Demonstrates the fundamental weakness of blacklist approaches
  • Requires creative thinking and deep browser knowledge
  • Perfect for testing advanced XSS bypass techniques
Achievement Unlocked

Successfully bypassing this filter demonstrates:

  • Mastery of XSS bypass techniques
  • Deep understanding of browser parsing
  • Knowledge of HTML/JavaScript encoding
  • Creative problem-solving skills
  • Expert-level web security knowledge
Your XSS Mastery Journey
  • Level 1: Basic script filter
  • Level 2: Multiple tags
  • Level 3: Extended filters
  • Level 4: Case variations
  • Level 5: Comprehensive
  • Level 6: ULTIMATE

You've reached the final challenge in the XSS filter bypass series!