Reflected XSS Bootcamp

Extreme Challenge: Beyond Ultimate Filters

Lab Overview

This challenge pushes beyond the limits of conventional filtering! The filter now blocks 12 case variations of 'script' plus 'img', 'image', 'svg', 'audio', 'video', and now 'body' tags.

Critical Update: The filter now blocks 'body' tags, closing one of the most reliable XSS vectors!
Beyond Ultimate: This filter now blocks the 'body' element, making this one of the most restrictive blacklists possible.
Extreme Filter: Blocks 12 case variations of 'script' plus 'img', 'image', 'svg', 'audio', 'video', and 'body'
Blocked tags and variations:
script
Script
sCript
scRipt
scrIpt
scriPt
scripT
SCript
SCRipt
SCRIpt
SCRIPt
SCRIPT
img
image
svg
audio
video
body
Filter method: str_replace(array('script','Script','sCript',...,'body'), '', $_GET['lname'])
Filter Complexity: Extreme-Level Blacklist

Objective: Bypass this extreme filter and execute a JavaScript alert.

Critical Note: Only the Last Name field is filtered and displayed. The First Name field is unfiltered but not used in output.

Backend Source Code
<?php
// Both query parameters must be present; only lname is filtered and echoed.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    // Case-sensitive blacklist: 12 spellings of 'script' plus six tag names.
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','svg','audio','video','body');
    // Single-pass removal of the listed strings; everything else is left intact.
    $re = str_replace($arr, '', $_GET['lname']);
    // Reflected into the page with no output encoding.
    echo $re;
}
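To make the filter's weakness concrete from a defender's side, here is an added example (not the lab's own source) that wraps the lab's blacklist in a function, runs it against the `<iframe onload=alert(1)>` payload the lab itself lists, and shows the output-encoding fix that should replace the blacklist; the function names lab_filter and safe_output are my own.

```php
<?php
// Added example, not part of the lab: the lab's blacklist as a function,
// beside the output-encoding fix a defender would apply instead.

// The lab's filter, unchanged: a case-sensitive, single-pass str_replace blacklist.
function lab_filter(string $lname): string {
    $arr = array('script','Script','sCript','scRipt',
                'scrIpt','scriPt','scripT','SCript',
                'SCRipt','SCRIpt','SCRIPt','SCRIPT',
                'img','image','svg','audio','video','body');
    return str_replace($arr, '', $lname);
}

// The fix: do not strip "bad" words; encode the value for the HTML context it is
// echoed into. ENT_QUOTES also encodes both quote characters, so the value stays
// inert inside attribute values as well as in element content.
function safe_output(string $lname): string {
    return htmlspecialchars($lname, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the payload listed on this lab page, plus a benign last name.
$inputs = array(
    '<iframe onload=alert(1)>',  // contains none of the 18 blacklisted strings
    "O'Brien",                   // ordinary input that the fix must still display correctly
);

foreach ($inputs as $in) {
    echo "input:     $in\n";
    echo "blacklist: " . lab_filter($in) . "\n";    // iframe payload passes through unchanged
    echo "encoded:   " . safe_output($in) . "\n\n"; // &lt;iframe onload=alert(1)&gt; renders as text
}
```

The same encoding must be applied to every reflected value (fname included, should it ever be echoed), and a Content-Security-Policy limits the impact of anything that still slips through.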
Test Input Form
  • First Name field: no filters applied, but not displayed in the output
  • Last Name field: 18 filter patterns applied, including the 'body' tag
Impossible-Level Bypass Techniques
  • Remaining structural elements: iframe, object, embed, link, meta, base, form, input, button, select, textarea, source, track, canvas, details, summary, marquee, frameset, frame (deprecated), applet (deprecated)
  • All remaining event handlers: Any event handler on allowed elements: onload, onerror, onclick, onmouseover, onfocus, onblur, onchange, onsubmit, onreset, onselect, onabort, oncanplay, oncanplaythrough, ondurationchange, onemptied, onended, onloadeddata, onloadedmetadata, onloadstart, onpause, onplay, onplaying, onprogress, onratechange, onseeked, onseeking, onstalled, onsuspend, ontimeupdate, onvolumechange, onwaiting
  • Extreme encoding techniques: Mixed HTML entities, URL encoding, Unicode, and Base64: <iframe onload=alert(1)>
  • JavaScript pseudo-protocol with extreme encoding: <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(1)">click</a>
  • Data URI with multiple encoding layers: Nested encoding techniques
  • Unicode normalization and homoglyph attacks: Characters that normalize to blocked tags
  • Advanced Mutation XSS (mXSS): Complex payloads that mutate during parsing
  • CSS injection in style attributes: Expression functions, other CSS-based attacks
  • Template and shadow DOM manipulation: Modern web component attacks
  • MathML and other namespace polyglots: Cross-namespace payloads
  • Browser-specific quirks and features: Exploiting parser differences
The Impossible Challenge

This filter represents the absolute edge of blacklist filtering:

  • 18 different filter patterns including all major tags
  • Blocks 'body' - one of the most versatile XSS vectors
  • Demonstrates why blacklists are fundamentally flawed
  • Requires thinking completely outside conventional methods
  • The ultimate test of XSS creativity and knowledge
Legend Status Achieved

Successfully bypassing this filter proves:

  • Legendary mastery of XSS evasion
  • Deep understanding of browser internals
  • Expert knowledge of encoding techniques
  • Unmatched creative problem-solving
  • God-tier web security expertise
Beyond Ultimate XSS Mastery

Bootcamp levels: Level 1 Basic, Level 2 Multiple, Level 3 Extended, Level 4 Case Variations, Level 5 Comprehensive, Level 6 Ultimate, Level 7 Extreme (this challenge).

You've reached the extreme challenge - beyond ultimate! This filter blocks the 'body' element, making it one of the most restrictive blacklists possible.