WAF bypass by LooseSecurity

Date: January 27, 2021Author: wafbypass

Beautiful WAF bypass I just found:

Strips specific tags, including ‘<>’.
Blocks all event handlers.

So I used ‘on<>load’ instead. It checks it; not an event handler. Then it strips the ‘<>’ and the script gets added to the page!

Example of when extra security measures is worse

Subscribe for the latest news:

Web application firewalls bypasses collection and testing tools