Hello my fellow noob XSSer!
Today I am going to show you how to bypass any WAF for an XSS attack.
Methodology of Bypassing WAFs
WAFs are dumb programs.
You have to tell them that <script> is malicious and they will block it.
But an attacker can simply bypass this by modifying the tag while keeping it valid, for example by padding it with a junk attribute.
So the attacker can come up with a payload like this:
<script x>alert('XSS')</script y>
It's that easy to bypass a WAF. There are just two simple rules:
1. Don't make too many requests in a short amount of time. A delay of 6 seconds is enough, so don't use any program for automation, and if you do, make sure it's designed to work with WAFs.
2. You have to check what is allowed by the WAF and what is not, so you can come up with a payload after connecting all the pieces.
Step 1. Check if < and > are allowed or not. Nope, you don't have to enter < and > as the input. Try entering <test> instead; it looks more like a tag. Got blocked? Try encoding them.
Step 2. Start designing your payload. Enter something like this:
<test haha=x >
If the WAF blocks it, remove the = and try again. If the WAF blocks that as well, change the payload to <test/haha> and it should work. If it doesn't, try something else, or try a payload which doesn't use =. Don't use a real payload at this stage; use a test payload as I am doing.
Step 3. Got your basic payload working? Great.
Now let's check which event handlers are allowed by the WAF.
We can start by checking whether the WAF detects event handlers simply by searching for on*, which would match onload, onstart, etc.
So lets enter this first,
If it doesn't get blocked by the WAF then you are doing well; if it gets blocked, try a payload scheme that doesn't use event handlers.
If it works, then try a real-world event handler like onfocus, onblur, onstart, etc.
If it gets blocked, don't worry, it's normal; you just have to find the event handlers that work.
Maybe the WAF developer added onfocus to the block list but forgot to add onfocuschange. That happens a lot, and that's how WAFs get bypassed. They are dumb af.
Step 4. You can't just rely on event handlers; you have to check for the HTML tags as well:
<svg onxxx=xxx>, <marquee onxxx=xxx>, <audio onxxx=xxx> etc.
Make a list of event handlers and tags that are allowed by the WAF.
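As an added example (not code from the original post), here is the defender's view of why the checks in the methodology above and in steps 3 and 4 fail: a literal substring rule never sees the tag name or attribute name that the browser's parser sees, so "<script x>" or "onfocuschange" slip past a rule written for "<script>" or "onfocus=". The rule lists, the small tag scanner and the sample inputs are constructed for this demo; the probe strings are the ones used in the post.

```javascript
// Added example, not part of the original post. Compares a literal-substring
// rule set with a structure-aware check that inspects tag and attribute names.
// Both rule sets and the sample inputs are constructed for the demo.

// A naive rule set of the kind the post describes: literal substrings only.
const LITERAL_BLOCKLIST = ['<script>', 'onfocus=', 'onload=', 'onstart='];

function literalRuleBlocks(input) {
  const lower = input.toLowerCase();
  return LITERAL_BLOCKLIST.some((needle) => lower.includes(needle));
}

// Minimal tag scanner: for every "<name ...>" it records the tag name and the
// attribute names, tolerating whitespace or "/" between them (as in "<test/haha>").
// It is deliberately permissive, since a detector must accept at least as much
// as the browser's parser does. Limitation: quoted values containing whitespace
// or ">" are not handled; a real deployment would use an HTML tokenizer.
function scanTags(input) {
  const tags = [];
  const tagRe = /<\/?([a-z][a-z0-9-]*)([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = [];
    // attribute names: tokens after whitespace or "/", optionally followed by "=value"
    const attrRe = /[\s/]+([^\s/=>]+)/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs.push(a[1].toLowerCase());
    tags.push({ name, attrs });
  }
  return tags;
}

// Structure-aware rule: flag a dangerous tag name, and any attribute whose name
// starts with "on", whichever handler it is and whichever tag carries it.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed']);

function structuralRuleBlocks(input) {
  return scanTags(input).some(
    (t) => DANGEROUS_TAGS.has(t.name) || t.attrs.some((attr) => attr.startsWith('on'))
  );
}

// Run both rule sets over the post's probe strings plus constructed variants.
function compareRules(samples) {
  return samples.map((s) => ({
    input: s,
    literalRule: literalRuleBlocks(s),
    structuralRule: structuralRuleBlocks(s),
  }));
}

const SAMPLES = [
  "<script>alert('XSS')</script>",      // textbook form: both rules catch it
  "<script x>alert('XSS')</script y>",  // attribute-padded tag from the post
  '<test haha=x >',                     // harmless probe: neither rule should fire
  '<test/haha>',                        // harmless probe with "/" as separator
  '<svg onload=x>',                     // handler that is on the literal list
  '<svg onfocuschange=x>',              // handler missing from the literal list
];

console.table(compareRules(SAMPLES));
```

The structural rule is not a complete WAF either (an attribute called "one" would trip the on* check, and entity-encoded input must be decoded first, as step 1 hints), but it shows the principle: match on the parsed structure, not on the spelling of one tag or one handler.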
Step 5. Now let's try to get a popup by using our event handler and tag lists.
Let's assume two cases:
First Case: The WAF isn't allowing any tags. There's a bypass for that as well. You can use event handlers that do not depend on the tag, like oncopy or oncut. So you can come up with a payload like this:
<x oncopy=alert('XSS')>copy this
<haha onclick=alert('XSS')>click here
Second Case: The WAF is allowing the <audio>, <svg> and <marquee> tags and the onstart, onload and onblur event handlers.
svg is not compatible with onblur and onstart; similarly, you can't use onload or onblur with marquee. That's where knowledge of web languages comes into play.
We can use <svg onload=> and <marquee onstart=>. <audio> isn't compatible with any of the allowed event handlers.
So we can quickly come up with these two payloads:
Got your payload blocked? Don't get stressed, I know why it happened. Move on to the next step.
Step 6. I haven't seen any WAF which doesn't block alert() or <script>. Dude, come on! Developers of WAFs aren't that dumb; the most commonly used attack vectors contain alert() or <script>, and they know it as well.
So what are we going to do now? Read along.
First of all, alert() isn’t the only thing which can raise a popup, you can use confirm() or prompt() instead.
So you have the following weapons to choose from:
alert() prompt() confirm()
Wait! Let's upgrade them!
alert`` prompt`` confirm``
Let's upgrade them even more!
(alert)`` (prompt)`` (confirm)``
Yes, it is a good move to use alert() instead of alert('ok') or alert(1).
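As an added example (not code from the original post), here is the defender's answer to step 6: a substring rule on "alert(" cannot keep up with the call-syntax variants listed above, whereas escaping untrusted text at the HTML output sink turns every one of these payloads into inert text, handler and all. The rule list, the hypothetical comment template and the sample inputs are constructed for this demo.

```javascript
// Added example, not part of the original post. Shows that a call-name
// blocklist misses the backtick call forms, and that contextual output
// encoding at the sink neutralises all of them. Everything here is constructed.

// Naive rule of the kind the post says most WAFs ship with.
const CALL_BLOCKLIST = ['alert(', 'prompt(', 'confirm('];

function callBlocklistBlocks(input) {
  const lower = input.toLowerCase();
  return CALL_BLOCKLIST.some((needle) => lower.includes(needle));
}

// Contextual output encoding for an HTML text node or quoted attribute value:
// the five characters that can start or end markup are replaced by entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical comment template: the untrusted value is escaped at the point
// where it is written into the page, so no tag or handler it carries survives.
function renderComment(untrusted) {
  return `<p class="comment">${escapeHtml(untrusted)}</p>`;
}

// Checks rendered HTML for any tag name other than the template's own <p>.
function containsForeignTag(html) {
  const re = /<\/?([a-z][a-z0-9-]*)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].toLowerCase() !== 'p') return true;
  }
  return false;
}

// Samples: the three call forms from the post, each inside a handler-bearing tag.
const SAMPLES = [
  "<svg onload=alert('XSS')>",
  '<svg onload=alert``>',
  '<marquee onstart=(alert)``>',
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    blocklistCatchesIt: callBlocklistBlocks(s),
    rendered: renderComment(s),
    tagSurvivesEncoding: containsForeignTag(renderComment(s)),
  }));
}

console.table(demo());
```

The point for the application developer is that the WAF rule is the second line of defence; the first is escaping for the exact context (text node, attribute, URL, JavaScript string) in which the untrusted value is written, which a blocklist race over alert(), alert`` and (alert)`` never needs to win.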
Well I wrote this article to give you an idea of how you can bypass any WAF by reverse engineering it step by step.
Oh! Are you talking about reverse engineering a WAF? Well, XSStrike's Ninja can do that very well.