Bypass any WAF for XSS easily

Hello my fellow noob XSSer!
Today I am going to show you how to bypass any WAF for an XSS attack.

Methodology of Bypassing WAFs

WAFs are dumb programs.
You have to tell them that <script> is malicious and they will block it.
But an attacker can simply bypass this by modifying the the tag (keeping it valid) like this

So the attacker can come up with a payload like this:

Its that easy to bypass a WAF. There are just two simple rules,
1. Don’t make too much requests in a short amount of time. Delay of 6 seconds is enough, so don’t use any program for automation and if you do make sure its designed to work with WAFs.
2. You have to check what is allowed by WAF and what is not so you can come up with a payload after connecting all the pieces.
Lets start!
Step 1. Check if < and > are allowed or not. Nope, you don’t have to enter < and > as the input. Try entering <test> instead, it looks more like a tag. Got blocked? Try encoding them.

Step 2. Start desiging your payload. Enter something like this,

If WAF blocks it, remove the = and try again. If WAF blocks it as well, change the payload to <test/haha> and it should work. If it doesn’t try something else or try using a payload which doesn’t use = but you shouldn’t use a real payload, use a test payload as I am using.

Step 3. You got your basics payload working? Great.
Now lets check which event handlers are allowed by the WAF.
We can start if the WAF detects the event handlers by simply searching for on* so it would match onload, onstart etc.
So lets enter this first,

If it doesn’t get blocked by the WAF then you are going good, if it gets blocked, try a payload scheme that doesn’t use event handlers.
If it works then try to use a real world event handler like onfocus, onblur, onstart etc.
If it gets blocked, don’t worry its normal, you just have to find the event handlers that work.
Maybe WAF developer added onfocus to the block list but forgot to add onfocuschange. That happens a lot and thats how WAFs get bypassed. They are dumb af.

Step 4. You can’t just rely on event handlers, you have to check for the HTML tags as well.
Trying entering,

Make a list of event handlers and tags that are allowed by the WAF.

Step 5. Now lets try to get a popup by using our event handler and tags list.
Lets assume two cases:
First Case: WAF isn’t allowing any tags. There’s a bypass to that as well. You can use event handlers that do not depend on the tag like oncopy or oncut. So you can completely come up with a payload like this

Second Case: WAF is allowing <audio>, <svg> and <marquee> tags and onstart, onload and onblur event handlers.
svg is not compatible with onblur and onstart, similarly you can’t use onload, onblur with marquee. That’s where knowledge of web languges comes into play.
We can use <svg onload=> and <marquee onstart=>. <audio> isn’t compatible with any of the allowed event handlers.
So we can quickly come up with these two payloads:

Got your payload blocked? Don’t get stressed I know why it happend. Move on to the next step.

Step 6. I haven’t seen any WAF which doesn’t block alert() or <script>. Dude come on! Developers of WAFs aren’t that dumb, most commonly used attack vectors contain alert() or <script> and they know it as well.
So what are we going to do now? Read along.
First of all, alert() isn’t the only thing which can raise a popup, you can use confirm() or prompt() instead.
So you have the following weapons to choose from:

Wait! Lets upgrade them!

Lets upgrade them even more!

Yes, it is a good move to use alert() instead of alert(‘ok’) or alert(1).

Well I wrote this article to give you an idea of how you can bypass any WAF by reverse engineering it step by step.

Oh! Are you talking about reverse engineering a WAF? Well XSStrike‘s Ninja can do that very well.

WAF bypass script

There are many thing you will learn with time like which tags are compatible with which attributes. Like you can use <audio src=//14.rs> as a payload, where 14.rs is website which contains evil javascript. Or you can just simply use a custom payload like ” onload=”alert() according to the case. There’s just too much to learn, just go out and start researching!

Thanks to Brute Logic. He is a true master of XSS, visit his blog brutelogic.br. I have learned a lot from him.
Good luck!
Also Read: Full Path Disclosure Attack – Explained Tutorial

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.


Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.