I'm trying to figure out what happened to a web app I was testing today.  I was blackbox testing the forum/discussion feature for an online learning app (written in Java) that allows users to post HTML, but has an XSS filter to block known bad HTML tags.  I've found some ways to bypass this particular filter before and was testing some new things today.  When I input something it doesn't like, I would get an error message like: "Forbidden Content: <evil>Boo</evil>"

Here's the strange part: at some point in my testing, it stopped blocking anything at all.  All of the things that it used to flag as "forbidden content" were allowed through.  I could use any tag I wanted including the obvious <script>.  What would cause this?

One guess is that that the routine is throwing an exception and that the exception is handled by simply returning as if everything is okay, but I don't know why it would do that every time.  Would there be a reason for it to maintain state?  If it does, I could see it getting so screwed up that it can't run without throwing an exception.

Is there something else it could be doing?  I don't have source code to check this and I've never run into a similar error while coding.

Thanks,

Unicityd

It wasn't part of a pen-test, just some independent research.  I'm the application admin for the system which is hosted by the vendor.  As far as I know, there isn't a way to turn the filter off (on purpose).

It's a production system, but school is out right now so I'm pretty much the only persson on.  I've always felt comfortable playing with XSS using a test course where there aren't any real users that I can harm.  The side effects I saw today surprised me.

I think I'm out of luck since I don't have the ability to debug this app.  I do know that it's a global issue since the problem persists on other accounts/machines.  I really wish I had source code so I could see what the hell they are doing.

I screwed up   I was using multiple test accounts and I mixed up and made one of the accounts a professor instead of a student.

So, the XSS filter functions although I can still bypass it using certain tags.

I would like to know why it blew away a discussion category though; definitely some data corruption at play there.