When it comes to web application security, Cross-Site Scripting (XSS) attacks are a persistent threat that continues to challenge developers and security professionals. Web Application Firewalls (WAFs) are designed to detect and block such attacks, but as with any security measure, they aren’t foolproof. For penetration testers, bug bounty hunters, and ethical hackers, finding a way to bypass WAFs is a continuous quest. This blog dives deep into bypassing WAFs with XSS payloads that work across various platforms and systems.
Understanding XSS and WAFs
Cross-Site Scripting (XSS) is a common vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. These scripts can steal session cookies, redirect users, or perform other malicious activities. On the defense side, Web Application Firewalls (WAFs) serve as gatekeepers, inspecting incoming and outgoing HTTP/HTTPS traffic to filter out potential threats, including XSS payloads.
However, no WAF is perfect. Attackers constantly evolve their tactics to outsmart these defenses. One popular approach involves crafting “universally effective” payloads—XSS scripts that are more likely to bypass WAFs due to their unique structure or encoding.
The Challenge: Bypassing WAFs
A common challenge for many penetration testers is that XSS injections are often blocked by WAFs. WAFs utilize a combination of pattern matching, heuristic analysis, and other detection methods to block potential XSS attempts. The objective is to create a “universal” payload that could bypass these defenses across multiple scenarios.
Initially, it was observed that websites using Cloudflare, a well-known WAF provider, could be vulnerable. Although Cloudflare’s WAF is considered robust, it can still be bypassed using various payloads available online. These payloads manipulate how scripts are executed in the browser to slip past WAF filters.
Here are some examples of basic payloads often used in tests:
html:
<img src=x onerror=prompt(1)>
<svg onload=prompt(document.domain)>
<img src=on onerror=alert(1)>
These payloads exploit different HTML tags and JavaScript event handlers (onerror
, onload
, etc.) to execute scripts. However, many of these standard payloads are quickly detected by most WAFs because they follow predictable patterns.
Exploring Advanced Techniques for WAF Bypass
The real breakthrough comes from manipulating JavaScript events with specific character sequences that aren’t traditionally blacklisted by WAFs. One of the key methods involves adding a character before a JavaScript event name, making the payload syntactically acceptable to some WAFs while still being functional.
Example of Payload Manipulation:
Description | Status |
---|---|
The WAF blocks | 403 Forbidden |
The payload passes | 200 OK |
The payload is syntactically valid | Valid |
The payload is syntactically invalid | Invalid |
By adding characters like /
or a
before the event name (onerror
), it is sometimes possible to bypass WAFs:
html:
/onerror=alert(1) <!-- Returns 403 (Forbidden) but is Valid -->
aonerror=alert(1) <!-- Returns 200 (OK) but is Invalid -->
While the payloads with added characters (/
or a
) might bypass the WAF, they remain syntactically invalid. So, a method is needed to make them valid.
The Game-Changer: HTML Entities
To make these payloads valid while still evading WAF detection, HTML entities—special sequences that represent characters in HTML—can be used. By replacing certain characters with their entity equivalents, it is possible to create payloads that WAFs would deem safe, but that would still execute in the browser.
Using HTML Entities in Payloads:
For example, replacing quotes ("
) with "
or apostrophes ('
) with '
can trick a WAF into thinking the payload is benign:
html:
<x x="""onerror=alert(1)>
This payload uses the "
entity to replace the double quote, allowing it to bypass some WAFs while maintaining syntactical validity.
HTML entities come in three main types:
- Named Entities: These are easier to remember and use for common characters.
"
->"
'
->'
<
-><
>
->>
- Hexadecimal Entities: Useful for bypassing filters that focus on specific patterns.
"
->"
'
->'
- Numeric Entities: These can sometimes bypass poorly configured WAF filters.
"
->"
'
->'
With these entities, payloads that WAFs don’t recognize as malicious can be created:
html:
<x x="""onerror=alert(1)>
Using these entities allows for flexibility in crafting payloads that evade detection and execute properly in the browser.
Applying Payloads to Different WAFs
Once this technique was developed, it was tested against various WAFs to assess its effectiveness.
- Imperva & Incapsula: Both of these WAFs were successfully bypassed using the crafted payload:htmlCopy code
<details/open/id="""ontoggle=alert(1)>
The payload was effective and executed as intended without being blocked. - Amazon (CloudFront): Similarly, Amazon’s CloudFront WAF allowed the payload to bypass its filters:htmlCopy code
<details/open/id="""ontoggle=alert(1)>
This further demonstrated the effectiveness of using HTML entities to trick WAFs. - Akamai: For Akamai, an additional layer of manipulation was needed. More quotes were added to the payload to make it work:htmlCopy code
<details open id="'"'" ontoggle=alert(1)>
This payload successfully bypassed Akamai’s WAF after these modifications.
Why HTML Entities Work So Well
HTML entities are particularly powerful because many WAFs focus on blocking certain strings or patterns. When entities are used, the WAF may not recognize the underlying character it’s trying to block. For example, "
may bypass a filter looking for "
, allowing the payload to slip through.
Another advantage is that as many zeroes as desired can be used with Hexadecimal and Numeric entities, which is often poorly filtered by many WAFs:
html:
" -> " -> "
This technique further obfuscates the payload, making it even harder for WAFs to detect.
Conclusion
By understanding the limitations of WAFs and leveraging creative payload manipulations—especially using HTML entities—security professionals can develop more effective XSS payloads for penetration testing and bug bounty programs. Leveraging these advanced payloads can identify and patch vulnerabilities in web applications before they are exploited by malicious hackers.
At WebOrion, staying ahead in the field of cybersecurity involves constantly exploring and documenting new techniques, including those using AI and ML, to bypass modern security defenses like WAFs. The more knowledge shared with the security community, the better prepared everyone is to tackle emerging threats.
For those who are interested in diving deeper into these techniques, WebOrion maintains a comprehensive GitHub repository that various XSS bypass payloads. This repository serves as a valuable resource for security professionals, offering up-to-date information and a collection of effective payloads to help understand and overcome modern WAF defenses. Regular updates ensure that the repository remains relevant in the face of evolving threats and technologies.
Disclaimer: This blog is intended for educational purposes only. The techniques discussed here should only be used in ethical hacking and bug bounty scenarios, with full authorization from the target organization.