This tweet describes a Web Application Firewall (WAF) bypass technique that the author reports works against both Akamai and Cloudflare WAFs. The bypass relies on an obfuscated payload that places JavaScript in an event handler attribute the filters do not expect. Specifically, the payload uses an HTML <address> tag with the unconventional event handler 'onscrollsnapchange'. Because this event is neither long-standing nor commonly included in filter signatures, JavaScript placed in it may pass through the WAF unnoticed. The script inside the event handler uses JavaScript's dynamic property access and base64 decoding to call the alert function with 'origin' as its message, which is typical of a cross-site scripting (XSS) proof of concept. The style attributes 'overflow-y:hidden' and 'scroll-snap-type:x', together with an inner <div> styled 'scroll-snap-align:center', keep the payload visually unobtrusive while preserving the conditions under which the handler fires.

In summary, the technique combines an obscure, rarely filtered HTML5 event attribute with obfuscation of the handler body to evade detection by Akamai and Cloudflare WAFs. The author presents it as a universal bypass, applicable to XSS and other client-side code injection vulnerabilities. The defensive lesson is that a WAF or sanitizer that matches a fixed list of known event handler names will always trail the HTML specification; treating every attribute whose name begins with 'on' as executable, regardless of the event name, closes that gap.
Check out the original tweet here: https://twitter.com/u25tkarsh/status/1958636823145812037
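The following is an added example, not code from the tweet or from either WAF vendor, showing why a denylist of known event handler names misses the <address>/'onscrollsnapchange' case while a generic rule does not. The denylist contents, sample markup and handler bodies are constructed for illustration; the real payload is not reproduced.

```python
import re
from html.parser import HTMLParser

# Constructed, deliberately incomplete list standing in for a signature-style
# denylist of "well-known" handlers. Hypothetical; not any vendor's real list.
KNOWN_HANDLERS = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}

# Generic rule: any attribute named on + letters is an event handler, whether or
# not we have heard of the event. New HTML5 events are caught automatically.
EVENT_ATTR = re.compile(r"on[a-z]+")

# Secondary signal from the tweet: the handler body decodes base64 at runtime.
DECODER_HINT = re.compile(r"\batob\s*\(")


class EventAttrScanner(HTMLParser):
    """Collect (tag, attribute, value) for every event handler attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        for name, value in attrs:
            if EVENT_ATTR.fullmatch(name):
                self.findings.append((tag, name, value or ""))


def scan(html):
    """Return all event handler attributes found in an HTML fragment."""
    parser = EventAttrScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def denylist_verdict(html):
    """Signature-style check: flag only handler names on the fixed list."""
    return any(name in KNOWN_HANDLERS for _, name, _ in scan(html))


def generic_verdict(html):
    """Allow-list style check: flag any on* attribute at all."""
    return bool(scan(html))


def uses_runtime_decoder(html):
    """Flag handler bodies that call atob(), a base64-decoding obfuscation hint."""
    return any(DECODER_HINT.search(value) for _, _, value in scan(html))


# Constructed samples. Handler bodies are placeholders, not working payloads.
COMMON_HANDLER = '<button onclick="/* handler body omitted */">x</button>'
OBSCURE_HANDLER = ('<ADDRESS OnScrollSnapChange="atob(\'\')" '
                   'style="overflow-y:hidden;scroll-snap-type:x">'
                   '<div style="scroll-snap-align:center"></div></address>')
BENIGN = '<p class="intro" data-onboarding="1">hello</p>'
```

Running the three samples through both verdict functions shows the obscure handler passing the denylist and failing the generic rule, which is the behaviour a defender should require of a sanitizer.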