HIGH CVSS: 7.4 RESOLVED Web Security

Reflected XSS Filter Bypass via Search Parameter

A reflected XSS vulnerability was found in the search parameter of a government data portal. Common XSS payloads were blocked by a blacklist filter, but the filtering was bypassed using obfuscated JavaScript construction and character-code based string generation, allowing JavaScript execution in the application origin context.

Platform
Government Bug Bounty
Program
Public Program
Target
Government Data Portal
Read Time
10 min

Attack Chain 6 stages

1
Search Parameter Input
2
Reflected in HTML Response
3
Blacklist Filter Active
4
String.fromCharCode Obfuscation
5
Filter Bypass Confirmed
6
JavaScript Execution in Origin

Disclosure Timeline

2025-02-10 Target identified during public program recon
2025-02-12 Search parameter reflection discovered
2025-02-13 Blacklist filter behavior mapped
2025-02-14 Filter bypass via String.fromCharCode confirmed
2025-02-15 PoC documented, report submitted
2025-02-18 Report triaged as High severity
2025-03-05 Patch deployed, input sanitization updated
2025-03-08 Fix verified, report resolved

Reconnaissance

During reconnaissance of the government data portal, all user-facing input fields were mapped including search forms, filter parameters, and URL query strings. The search functionality at /search?q= was identified as reflecting user input directly into the HTML response body without proper encoding. Browser DevTools and Burp Suite were used to intercept and analyze the request/response cycle.

Vulnerability Discovery

The search parameter value was reflected inside an HTML attribute and also within a JavaScript context in the response page. Initial testing with standard XSS payloads revealed that a server-side blacklist filter was active, blocking common attack patterns. However, the filter operated on a keyword-matching basis rather than proper output encoding, suggesting bypass potential.

Filter Bypass Analysis

Payloads are intentionally sanitized for responsible disclosure and portfolio presentation.

Direct <script>alert(1)</script> — BLOCKED (keyword match)
Event handlers: onerror, onload, onfocus — BLOCKED
javascript: protocol in href — BLOCKED
Case variation: <ScRiPt> — BLOCKED (case-insensitive filter)
Double encoding: %253Cscript%253E — BLOCKED
String.fromCharCode() construction — NOT BLOCKED
eval() with character-code payload — NOT BLOCKED
Template literal backtick expressions — NOT BLOCKED

Payload Analysis

All payloads below are sanitized proof-of-concept examples. No active exploitation code is shown.

Step 1: Standard payload — blocked
✗ BLOCKED 
<script>alert(document.domain)</script>
NOTE: Keyword "script" triggers blacklist filter
Step 2: Event handler approach — blocked
✗ BLOCKED 
<img src=x onerror=alert(1)>
NOTE: Event handler keywords (onerror, onload) are in the blacklist
Step 3: Case and encoding variations — blocked
✗ BLOCKED 
<ScRiPt>alert(1)</ScRiPt>
%3Cscript%3Ealert(1)%3C/script%3E
NOTE: Filter handles case-insensitive matching and URL decoding before comparison
Step 4: String.fromCharCode construction — BYPASS
⚡ BYPASSED 
"><img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))>
NOTE: Decoded payload: alert(document.domain) — harmless PoC. The filter does not analyze JavaScript construction functions.
Step 5: Confirmed PoC — JavaScript executed
⚡ BYPASSED 
/search?q="><img+src=x+onerror=eval(String.fromCharCode(97,108,...))>
NOTE: URL sanitized and shortened. alert(document.domain) fires in application origin — confirms reflected XSS.

Tooling

Browser DevTools — inspecting reflected output in DOM
Burp Suite — intercepting and modifying search requests
Manual payload crafting — iterative filter bypass testing
JavaScript console — validating String.fromCharCode encoding

Chaining Strategy & Escalation

The reflected XSS executes in the context of the government data portal origin. In a real attack scenario, this could be weaponized via a crafted URL sent to an authenticated user. Potential escalation includes: session cookie theft (if HttpOnly flag is not set), DOM manipulation to display phishing content, keylogging on the current page, or redirecting to an attacker-controlled domain. The PoC was limited to alert(document.domain) to demonstrate the vulnerability without causing harm. No cookies, tokens, or user data were accessed during testing.

Root Cause Analysis

The application relied on a server-side blacklist filter that matched specific keywords (script, onerror, onload, javascript:) instead of implementing proper context-aware output encoding. The filter did not account for JavaScript string construction functions like String.fromCharCode() or eval(), allowing obfuscated payloads to pass through. The fundamental issue is using input validation as the sole defense against XSS rather than output encoding at the point of rendering.

Impact Assessment

Arbitrary JavaScript execution in application origin context
Potential session hijacking via crafted URL targeting authenticated users
DOM manipulation enabling phishing or misinformation on official government page
User credential harvesting via injected login forms
Reputational damage to government digital infrastructure

Remediation

Implement context-aware output encoding (HTML entity encoding for HTML context, JavaScript escaping for JS context)
Replace blacklist filtering with a Content Security Policy (CSP) that restricts inline script execution
Use a well-tested sanitization library (e.g., DOMPurify) for any user-generated HTML rendering
Add HttpOnly and Secure flags to all session cookies to mitigate cookie theft
Implement input validation as a defense-in-depth layer, not as the primary XSS defense

This case study follows responsible disclosure practices. All sensitive data including endpoints, credentials, customer information, and active exploitation payloads have been redacted or sanitized. The vulnerability was reported through the official bug bounty program and has been resolved.