This tweet shares some clever tricks to bypass Web Application Firewalls (WAFs) that block the usage of the JavaScript `alert` function, commonly used in Cross-Site Scripting (XSS) attacks.

The `alert` function is often filtered or blocked by WAFs to prevent XSS attacks from executing arbitrary code in the victim's browser. However, the tweet demonstrates how attackers can obfuscate or construct the `alert` call in different ways to evade these filters.

1. `` (function(x){this[x+`ert`](1)})`al` `` – This technique uses an immediately invoked function with dynamic property access to call `alert(1)`. The function is invoked as a template tag with `al`, which it concatenates with `ert` to form `alert`, thus bypassing simple string-matching filters.

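2. ``window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)`` – This method constructs the string `alert` using a combination of string concatenation and a regular expression: `/e/.exec` is reached through dynamic property access and called on `e`, and its match result is coerced to the string `e` when added to `al` and `rt`. It exploits JavaScript's type coercion and dynamic property access, which confuses the WAF's pattern matching.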

3. ``document['default'+'View'][`\u0061lert`](3)`` – Here, the `alert` function is accessed as a property of `document.defaultView`, with a Unicode escape for the letter `a` (`\u0061`). Using Unicode escapes can also bypass filters that only match the literal ASCII string.

These tricks demonstrate how attackers can use JavaScript's flexible syntax and dynamic features to evade WAFs that rely on simple pattern matching to block dangerous function calls like `alert`. For penetration testers and bug bounty hunters, understanding these bypasses is crucial for testing and securing web applications against advanced XSS attacks.
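The limitation described above, shown from the defender's side as an added example (not code from the tweet or this write-up): a hypothetical literal-match signature, `naiveRule`, is run over the three strings listed above, which are handled only as inert text, next to context-aware output encoding that does not depend on how the call is spelled. The names `naiveRuleBlocks`, `escapeHtml`, `renderComment` and `compareControls`, and the `<script>` wrapper, are assumptions made for the illustration.

```javascript
// Added example: strings are copied from the list above and treated as inert
// text; nothing here is evaluated or sent to a browser.
const samples = [
  "alert(1)", // baseline the signature is written for
  "(function(x){this[x+`ert`](1)})`al`",
  "window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)",
  "document['default'+'View'][`\\u0061lert`](3)",
];

// Hypothetical WAF signature of the kind described: match the literal call.
const naiveRule = /alert\s*\(/i;

function naiveRuleBlocks(input) {
  return naiveRule.test(input);
}

// Output encoding for an HTML text or quoted-attribute context.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ENTITIES[c]);
}

// Hypothetical sink: untrusted text rendered into a comment paragraph.
function renderComment(untrusted) {
  return `<p class="comment">${escapeHtml(untrusted)}</p>`;
}

// For each sample, record what the signature decides and whether a script tag
// survives encoding when the sample arrives wrapped in one (constructed input).
function compareControls() {
  return samples.map((sample) => {
    const html = renderComment(`<script>${sample}</script>`);
    return {
      sample,
      blockedBySignature: naiveRuleBlocks(sample),
      scriptTagSurvives: html.includes("<script"),
    };
  });
}

for (const row of compareControls()) {
  console.log(row.blockedBySignature, row.scriptTagSurvives, row.sample);
}
```

The signature flags only the baseline `alert(1)`, while the encoder leaves no live script tag for any of the four samples.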

Remember to always test these techniques responsibly and only on systems you have permission to test.
For more insights, check out the original tweet here: https://twitter.com/1_X_Y_Z_1/status/1939504221620973649