Bypass stripos XSS prevention

I need to bypass an XSS check which is using stripos to prevent using script tags by detecting the word "script":
if (stripos($a, 'script') !== false) return false; return true;


The web server also has a CSP policy (default-src none; script-src: nonce-key) and requires a nonce parameter within the script tag.
Thank you for your help.
Alexandros Kakouris asked:

XSS isn't executed within PHP. It's a technique / concept executed within the browser at runtime, and that's where the CSP policy and everything will apply. If you have that PHP code that just checks for "script" within $a, then you can bypass it by just returning true before it runs:

return true; // <======
if (stripos($a, 'script') !== false) return false; return true;
Alexandros Kakouris (Author) commented:
I have no access to change the php code and I need to bypass it as a client.
You cannot override PHP code on the server as a client. That's why server-side code is used for security. If clients could override PHP code whenever they wanted, it would be mass chaos.


NerdsOfTech (Technology Scientist) commented:
Bypass: XSS can be done without specifying 'script' or 'javascript' like below, as javascript is the implied scripting language on major browsers:

<b onmouseover=alert('XSS')>hover over me</b>


(albeit the HTML will be slightly invalid, but it works)

Therefore if that is the sanitation method used on that site, it's not a very good one.

However, most sites (that are secure) will sanitize inputs. Such 'security' is a fundamental factor of server-side scripting: it's not designed for users to be able to change the code. Otherwise, like @gr8gonzo said, if users could change scripts on servers, it would be pandemonium.

Better XSS prevention: For the server-side, to protect the server from XSS attacks, one way is to replace any non-alphanumeric with null inside the input, like this (form of sanitization):
$a = preg_replace ('/[^a-z0-9]/i', '', $a);


Julian Hansen commented:
How do I bypass XSS security? If that were possible, what would be the point of the security in the first place?

The only solution (as Gr8gonzo has pointed out) is to bypass the code in the script by modifying the script. If it were possible to do it any other way then you would have a security hole big enough to drive a bus through and the script would be pointless.

Let's approach this from a different perspective - what is it you are wanting to do - why do you want to bypass the script?

BTW the check is not great: checking for 'script' will yield a false positive on every word that contains that sequence of letters.
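The points made in the two posts above (NerdsOfTech's event-handler example and preg_replace filter, and Julian's false-positive remark about the stripos check) can be put side by side in one script. This is an added example, not code from the thread or from Experts Exchange: the function names are assumptions chosen for illustration, the sample inputs are constructed, and it assumes PHP 7 or later for random_bytes(). It also shows the CSP header in its actual syntax, since the policy quoted in the question ("default-src none; script-src: nonce-key") needs the keyword values quoted and no colon after the directive name.

```php
<?php
// Added example, not code from the thread. It contrasts the question's
// "script" blocklist and the strip-everything regex with output encoding
// plus a per-response CSP nonce. Function names are assumptions chosen
// for illustration.

// The check from the question: reject any input containing "script".
function stripos_check(string $a): bool
{
    if (stripos($a, 'script') !== false) return false;
    return true;
}

// The stricter filter NerdsOfTech suggested: drop every non-alphanumeric.
function strip_non_alnum(string $a): string
{
    return preg_replace('/[^a-z0-9]/i', '', $a);
}

// Output encoding for an HTML text or quoted-attribute context: the
// browser parses the value as text, so no tag or event handler is created.
function encode_for_html(string $a): string
{
    return htmlspecialchars($a, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A fresh nonce per response for script-src 'nonce-...'. Note the quotes:
// the header value is 'nonce-<base64>', not "nonce-key".
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

$nonce = csp_nonce();
// Headers must be sent before any body output (header() is a no-op under the CLI).
header("Content-Security-Policy: default-src 'none'; script-src 'nonce-$nonce'");

// Constructed inputs: the thread's event-handler payload, a false positive
// for the stripos check, and ordinary text containing punctuation.
$inputs = [
    "<b onmouseover=alert('XSS')>hover over me</b>",
    "Read the manuscript",
    "Bob O'Reilly",
];

foreach ($inputs as $in) {
    printf("input:   %s\n", $in);
    printf("stripos: %s\n", stripos_check($in) ? 'allowed' : 'blocked');
    printf("strip:   %s\n", strip_non_alnum($in));
    printf("encode:  %s\n\n", encode_for_html($in));
}

// An inline script the page itself emits still runs because it carries the
// nonce; data injected through user input cannot know the nonce value.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">console.log("nonce ok");</script>' . "\n";
```

Run it with `php example.php`. The stripos check lets the event-handler payload through (it contains no "script") while blocking "Read the manuscript"; the preg_replace filter stops the payload but also mangles legitimate input such as a name with an apostrophe; htmlspecialchars keeps the text intact and turns the angle brackets and quotes into entities, so the browser never creates the element or its handler. The CSP nonce complements the encoding rather than replacing it, and it only holds if it is generated fresh and unpredictably for every response.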

NerdsOfTech (Technology Scientist) commented:
From a security standpoint, XSS should not be allowed. Therefore, if you are able to bypass the script, and execute any form of XSS, better security (such as stricter filters) should be implemented.