Reflected XSS Bootcamp

Final Challenge: The Complete Ultimate Filter


Lab Overview

This is the final and most comprehensive XSS filter challenge! The filter now blocks 12 case variations of 'script' plus 'img', 'image', 'svg', 'audio', and 'video' tags.

Important Change: The filter is now applied to the Last Name field instead of First Name! Only Last Name is filtered and displayed.
Final Enhancement: The filter has been expanded to block 'video' tags, closing the last major media tag vector.
Complete Ultimate Filter: Blocks 12 case variations of 'script' plus 'img', 'image', 'svg', 'audio', and 'video'
Blocked tags and variations:
script
Script
sCript
scRipt
scrIpt
scriPt
scripT
SCript
SCRipt
SCRIpt
SCRIPt
SCRIPT
img
image
svg
audio
video
Filter method: str_replace(array('script','Script','sCript',...,'video'), '', $_GET['lname'])
Filter Complexity: Maximum-Level Blacklist

Objective: Bypass the complete ultimate filter and execute a JavaScript alert.

Critical Note: Only the Last Name field is now filtered and displayed. The First Name field is unfiltered but not used in output.

Backend Source Code
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    // Blacklist: 12 case spellings of 'script' plus five media tag names.
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','svg','audio','video');
    // str_replace matches case-sensitively, so only the spellings listed
    // above are removed; the result is echoed with no output encoding.
    $re = str_replace($arr, '', $_GET['lname']);
    echo $re;
}
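To make the filter's weakness measurable rather than anecdotal, here is an added example (my own code, not part of the lab) that mirrors the PHP str_replace semantics in Python, counts how many of the 64 possible case spellings of 'script' the 17-entry blacklist actually strips, and places the real fix beside it: contextual output encoding with html.escape for an HTML text context, which needs no word list at all. The sample input is constructed for the demonstration.

```python
import html
import itertools

# The 17 blacklist entries from the lab's PHP filter (copied from the page).
BLACKLIST = [
    'script', 'Script', 'sCript', 'scRipt',
    'scrIpt', 'scriPt', 'scripT', 'SCript',
    'SCRipt', 'SCRIpt', 'SCRIPt', 'SCRIPT',
    'img', 'image', 'svg', 'audio', 'video',
]


def lab_filter(lname: str) -> str:
    """Mirror PHP str_replace($arr, '', $lname): each pattern is removed
    in array order and case-sensitively, exactly as the lab does."""
    out = lname
    for pattern in BLACKLIST:
        out = out.replace(pattern, '')
    return out


def hardened_output(lname: str) -> str:
    """The defender's alternative for an HTML text context: encode every
    character that can open markup or break out of an attribute, so the
    browser renders the input as text no matter which tag name it used."""
    return html.escape(lname, quote=True)


def case_variants(word: str):
    """Yield all 2**len(word) upper/lower spellings of `word`."""
    for fns in itertools.product((str.lower, str.upper), repeat=len(word)):
        yield ''.join(f(c) for f, c in zip(fns, word))


def blacklist_coverage(word: str = 'script'):
    """Return (covered, total): how many case spellings of `word` the
    blacklist strips completely, out of all spellings that exist."""
    variants = list(case_variants(word))
    covered = sum(1 for v in variants if lab_filter(v) == '')
    return covered, len(variants)


if __name__ == '__main__':
    covered, total = blacklist_coverage()
    print(f"blacklist strips {covered} of {total} spellings of 'script'")
    sample = '<b>Doe</b>'  # constructed sample input: harmless markup
    print('lab filter  :', lab_filter(sample))      # markup passes through
    print('html.escape :', hardened_output(sample))  # markup is neutralised
```

The coverage number is the point: the blacklist is a fixed list of spellings, while the browser's tag matching is case-insensitive, so the list can only ever cover a fraction of the space. Output encoding is keyed to the rendering context instead of to attacker vocabulary, which is why it holds for tag names the list never mentions. In attribute or JavaScript contexts a different encoder applies; html.escape here covers the lab's text-node context only.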
Test Input Form
First Name: this field has no filters but is not displayed in the output.
Last Name: this field has 17 different filters applied - this is the field that gets displayed!
Supreme Bypass Techniques
  • Remaining HTML elements: body, iframe, object, embed, link, meta, base, form, input, button, select, textarea, source, track, canvas, details, summary, marquee (deprecated but works)
  • Event handlers (a selection, not an exhaustive list): onload, onerror, onclick, onmouseover, onfocus, onblur, onchange, onsubmit, onreset, onselect, onabort, oncanplay, oncanplaythrough, ondurationchange, onemptied, onended, onloadeddata, onloadedmetadata, onloadstart, onpause, onplay, onplaying, onprogress, onratechange, onseeked, onseeking, onstalled, onsuspend, ontimeupdate, onvolumechange, onwaiting
  • Advanced encoding: Mixed HTML entities, URL encoding, and Unicode: <b&#111;dy onload=&#97;&#108;&#101;&#114;&#116;(1)>
  • JavaScript pseudo-protocol with encoding: <a href="j&#97;v&#97;script:alert(1)">click</a>
  • Data URI with multiple encoding layers: Base64, URL encoding, HTML entities
  • Unicode homoglyph attacks: Characters that look like blocked tags but are different
  • Mutation XSS (mXSS): Payloads that change during browser parsing
  • CSS injection in style attributes: Expression functions in older IE, other CSS-based attacks
  • Template injection: <template> with event handlers
  • MathML polyglots: Payloads that work as both HTML and MathML
  • Namespace confusion: Mixing HTML and SVG/other namespaces
The Final Achievement

This challenge represents the absolute maximum in blacklist filtering:

  • 17 different filter patterns including all case variations
  • Blocks all common multimedia and script tags
  • Demonstrates why blacklists can never be complete
  • Requires ultimate creativity and browser knowledge
  • The final test in the XSS filter bypass series
Master Status Unlocked

Successfully bypassing this filter proves:

  • Complete mastery of XSS evasion techniques
  • Deep understanding of browser behavior
  • Expert knowledge of HTML/JS encoding
  • Advanced creative problem-solving
  • Elite-level web security expertise
Complete XSS Mastery Journey
Level 1: Basic
Level 2: Multiple
Level 3: Extended
Level 4: Case Variations
Level 5: Comprehensive
Level 6: Ultimate
Level 7: Final Ultimate

You've reached the absolute final challenge in the XSS filter bypass series! This is the maximum complexity.