A DOM-based XSS payload that bypasses the Akamai WAF was reported. The payload used was `javascript:window['al'+'er'+(['t','b','c'][0])](origin)`: the `alert` identifier is assembled at runtime from string fragments and an array index, so the request never contains the literal `alert(` token that a signature-based filter would match. Because of the referer header restriction, the URL cannot be opened directly; instead, an HTML page hosted on the researcher's own server was used to deliver the payload. This bypass poses a serious security risk and highlights a weakness in Akamai WAF filtering that allows an attacker to execute arbitrary JavaScript code on the target website. Relying on the WAF alone is not sufficient; the application itself must handle untrusted input safely to prevent such bypasses.
DOM XSS + Akamai WAF Bypass??
Payload: javascript:window['al'+'er'+(['t','b','c'][0])](origin)
The URL can't open directly, due to the referer header; I put an HTML for exploit on my own server. pic.twitter.com/z0skB2CJbE
— mobin (@kobi_hk) April 4, 2025
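The following is an added example, not code from the tweet or from Akamai, showing from the defender's side why a token blocklist in the spirit of a WAF rule misses the concatenated payload, and why an allow-list on the parsed URL scheme does not. The sample URLs, the `naiveBlocklistAllows` and `isSafeRedirectTarget` functions, and the `https://app.example` base URL are all constructed for this illustration.

```javascript
// Added example (not from the original post). Compares a naive signature
// check against scheme allow-listing for a client-side navigation sink.

// Constructed sample inputs: the payload quoted in the post plus benign and
// obfuscated variants.
const SAMPLE_URLS = [
  "javascript:window['al'+'er'+(['t','b','c'][0])](origin)", // from the post
  "javascript:alert(origin)",                                 // literal form
  "https://example.com/path?next=/home",                      // benign absolute
  "/relative/path",                                           // benign relative
  "  JavaScript:void(0)",                                     // whitespace + mixed case
];

// A signature check modelled on a WAF rule that looks for "alert(".
// It is easily evaded because the identifier can be built at runtime.
function naiveBlocklistAllows(url) {
  return !/alert\s*\(/i.test(url);
}

// Scheme allow-list: let the WHATWG URL parser normalise the input
// (it trims leading/trailing whitespace and lower-cases the scheme),
// then permit only http(s). Anything that fails to parse is rejected.
function isSafeRedirectTarget(url, base = "https://app.example") {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// Run both checks over the samples and return the verdicts side by side.
function classify(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    naiveAllows: naiveBlocklistAllows(url),
    schemeAllows: isSafeRedirectTarget(url),
  }));
}

// Only navigate when the scheme check passes; this is the sink-side
// control the WAF cannot substitute for.
function safeNavigate(url, navigate = (u) => u) {
  return isSafeRedirectTarget(url) ? navigate(url) : null;
}

for (const row of classify()) {
  console.log(JSON.stringify(row));
}
```

The first sample passes the blocklist (no literal `alert(`) but is rejected by the scheme check, while the benign absolute and relative URLs pass both; the mixed-case, whitespace-padded `javascript:` URL is also rejected because the parser normalises it before the comparison.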