This bypass technique targets Cloudflare's Web Application Firewall (WAF), which blocks the typical <script> tag used in Cross-Site Scripting (XSS) attacks. The rules as reported here did not block several alternative HTML elements and attributes that also execute script. For example, <svg/onload=alert(1)> and <math><set onbegin=confirm(1)> use SVG and MathML elements whose event handlers trigger JavaScript execution. An iframe whose srcdoc attribute contains an SVG element can also inject a script. Further variants include base64-encoding the payload (for instance inside a data: URI on an iframe), using src=javascript: on an iframe, and triggering other event attributes such as ontoggle or onmouseenter. WAF rulesets change over time, so these payloads should be re-tested rather than assumed to still work. Understanding these vectors helps tighten WAF rules, but a WAF is only a mitigating layer: the underlying fix is correct output encoding in the application, which these bypasses do not affect.
For more details, check out the original tweet here: https://twitter.com/myselfakash20/status/1938158806782857409
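The following is an added example, not code from the tweet or from this page, written for Node.js (it uses Node's Buffer for base64). It builds the payloads described above as constructed sample strings, runs them through a naive rule that only looks for a script tag (the behaviour the bypass relies on), and then through a broader heuristic check that also inspects event-handler attributes, the javascript: scheme, srcdoc, and base64 data: URIs. The function names (naiveScriptTagFilter, broaderXssFilter, missedBy) and the regular expressions are this example's own assumptions and are not Cloudflare's rules.

```javascript
// Added example: why a rule that only blocks "<script" misses the payloads
// described on the page, and what a broader check has to look at.
// All payload strings below are constructed here for illustration.

const SAMPLE_PAYLOADS = [
  '<svg/onload=alert(1)>',                                    // SVG event handler
  '<math><set onbegin=confirm(1)>',                           // MathML event handler
  '<iframe srcdoc="<svg onload=alert(1)>"></iframe>',         // SVG inside srcdoc
  '<iframe src="javascript:alert(1)"></iframe>',              // javascript: scheme
  '<details open ontoggle=alert(1)>',                         // ontoggle
  '<div onmouseenter=alert(1)>hover</div>',                   // onmouseenter
  // base64 "injection": the inner markup is hidden inside a data: URI
  '<iframe src="data:text/html;base64,' +
    Buffer.from('<svg onload=alert(1)>').toString('base64') + '"></iframe>',
];

// Naive rule (assumed, illustrative): block only a literal <script tag.
function naiveScriptTagFilter(input) {
  return /<\s*script/i.test(input);
}

// Broader heuristic (assumed, illustrative): returns true when the input
// should be blocked. It checks, in order:
//  1. any on* event-handler attribute on any element (svg, set, details, div ...)
//  2. the javascript: scheme in a URL-bearing attribute
//  3. an iframe carrying srcdoc (its content is a whole nested document)
//  4. base64 data: URIs, which are decoded and re-scanned recursively so that
//     encoding the payload does not hide it from the first three checks
//  5. the plain <script tag the naive rule already covered
function broaderXssFilter(input, depth = 0) {
  if (depth > 3) return true; // assumption: deeply nested encodings are treated as hostile
  if (/<[^>]*\bon[a-z]+\s*=/i.test(input)) return true;
  if (/(?:src|href|action|data)\s*=\s*["']?\s*javascript\s*:/i.test(input)) return true;
  if (/<\s*iframe[^>]*\bsrcdoc\s*=/i.test(input)) return true;
  const dataUri = /data:[^;,"']*;base64,([A-Za-z0-9+/=]+)/gi;
  let match;
  while ((match = dataUri.exec(input)) !== null) {
    const decoded = Buffer.from(match[1], 'base64').toString('utf8');
    if (broaderXssFilter(decoded, depth + 1)) return true;
  }
  return /<\s*script/i.test(input);
}

// Returns the payloads a given filter lets through, so the two rules can be compared.
function missedBy(filter, payloads = SAMPLE_PAYLOADS) {
  return payloads.filter((payload) => !filter(payload));
}

console.log('missed by naive rule:   ', missedBy(naiveScriptTagFilter).length, 'of', SAMPLE_PAYLOADS.length);
console.log('missed by broader rule: ', missedBy(broaderXssFilter).length, 'of', SAMPLE_PAYLOADS.length);
```

Running this shows the naive rule passing every one of the seven payloads while the broader rule stops all of them and still lets ordinary markup such as a paragraph or a plain hyperlink through. The broader rule is still a regex heuristic: it does not handle HTML entity encoding in attribute values, split or obfuscated scheme names, or attributes without an = sign, which is why signature-based WAF rules keep being bypassed and why server-side output encoding, not the WAF, has to be the primary control.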