This tweet reports a bypass of the cross-site scripting (XSS) rules in the Cloudflare Web Application Firewall (WAF). A direct event handler calling alert, such as <img src=x onload=alert(0)>, is blocked by Cloudflare WAF because it matches the well-known shape of an XSS probe. The payload <img src=x onload=console.log(alert(0))>, however, passes through. The only difference is that alert(0) is wrapped in another call: the handler value no longer begins with alert(, so a signature that (presumably) keys on an event-handler attribute directly followed by a known sink does not fire. JavaScript evaluates the argument before the outer call, so alert(0) still executes and its return value is simply handed to console.log; the attack is intact, only its surface form changed. One practical caveat the tweet does not mention: an <img> whose src fails to load fires onerror rather than onload, so the payload as written only runs if src points at an image that actually loads; the filter behaviour being discussed is the same either way. For security teams and penetration testers, this is a reminder of how signature-based WAFs match input: a minor syntactic change, here one extra function call around the sink, is enough to evade detection. When writing or updating WAF rules, treat any inline event handler in untrusted input as suspicious rather than enumerating specific sink calls, and keep in mind that a WAF is a secondary control: context-aware output encoding and a Content Security Policy in the application itself are what actually stop XSS from slipping through, even behind widely deployed products like Cloudflare.
Original tweet: https://twitter.com/jhon59687702/status/1939740411737825413
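The evasion described above comes down to how the rule matches the handler value. The following JavaScript is an added illustration and is not from the tweet or from Cloudflare: the naive regex is a constructed guess at the shape of a signature rule, not Cloudflare's actual rule, and the three payloads (the blocked one, the reported bypass, and a further string-concatenation variant) are constructed test inputs. It contrasts a signature that anchors on the sink name with a check that extracts every inline on*= handler, and then shows why even a sink blocklist is not enough.

```javascript
// Added example, not code from the original tweet or from Cloudflare.
// NAIVE_RULE is a constructed guess at a signature-style rule; the real
// Cloudflare rule is not public and is not reproduced here.

// Naive signature: an on* handler whose value *starts* with a well-known sink.
const NAIVE_RULE = /\bon\w+\s*=\s*["']?\s*(?:alert|prompt|confirm)\s*\(/i;

function naiveWafBlocks(input) {
  return NAIVE_RULE.test(input);
}

// Structural check: pull out the value of every on*="..." / on*='...' /
// on*=unquoted attribute, then look for a sink call anywhere inside it,
// regardless of what wraps the call.
const HANDLER_ATTR = /\bon\w+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const SINK_CALL = /\b(?:alert|prompt|confirm|eval|Function)\s*\(/i;

function extractHandlers(input) {
  const values = [];
  // matchAll clones the regex, so the shared global HANDLER_ATTR keeps no state.
  for (const m of input.matchAll(HANDLER_ATTR)) {
    values.push(m[1] ?? m[2] ?? m[3]);
  }
  return values;
}

function structuralWafBlocks(input) {
  return extractHandlers(input).some((v) => SINK_CALL.test(v));
}

// Stricter policy: untrusted markup has no business carrying inline event
// handlers at all, so flag the attribute itself rather than what it calls.
function hasInlineHandler(input) {
  return extractHandlers(input).length > 0;
}

// Constructed payloads (the first two are the ones reported in the tweet).
const BLOCKED_PAYLOAD = '<img src=x onload=alert(0)>';
const BYPASS_PAYLOAD = '<img src=x onload=console.log(alert(0))>';
// Constructed variant: the sink name never appears as one token, so a
// blocklist of sink names cannot see it, but the handler attribute still can.
const OBFUSCATED_PAYLOAD = '<img src=x onload="window[\'al\'+\'ert\'](0)">';

function report(payload) {
  return {
    payload,
    naiveBlocks: naiveWafBlocks(payload),
    structuralBlocks: structuralWafBlocks(payload),
    inlineHandler: hasInlineHandler(payload),
  };
}

// Stand-alone run: print the verdict of each check for each payload.
for (const p of [BLOCKED_PAYLOAD, BYPASS_PAYLOAD, OBFUSCATED_PAYLOAD]) {
  console.log(report(p));
}
```

The naive rule catches only the first payload; the structural check also catches the reported bypass because it looks at the whole handler value instead of its first token; and only the "any inline handler" policy catches the concatenated variant, since the sink name is assembled at runtime. That is the general lesson of the tweet: a WAF can reject shapes, not intent, so the safest rule for untrusted HTML is to reject the attribute class outright, and the real fix stays in the application (output encoding and CSP).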