This tweet reveals a new bypass of Cloudflare's Web Application Firewall (WAF) that allows Cross-Site Scripting (XSS) attacks. The payload is %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E, which URL-decodes to <SVG/oNlY=1 ONlOAD=confirm(document.domain)>: an SVG element whose onload handler opens a JavaScript confirm dialog showing the document's domain, the usual harmless proof that script ran in the target origin. The evasion does not come from anything special about SVG; inline SVG is simply one of several HTML elements that accept an onload handler. It comes from the shape of the markup: a solidus instead of a space after the tag name, a meaningless oNlY=1 attribute placed before the handler, and mixed case in ONlOAD. Browser HTML parsers tolerate all three (the slash is treated as an attribute separator and names are case-insensitive), so the element still fires, while signature rules that look for the conventional <svg onload= form may not match. The tweet does not say which Cloudflare ruleset or configuration was tested, and WAF vendors update signatures, so the payload should be re-tested rather than assumed to still work. Security researchers and bug bounty hunters can use this to understand the limits of pattern-based WAF filtering and to vary separators, attribute order and case when testing for XSS. It is also a reminder for developers that a WAF is a supplementary control: the primary defences remain context-aware output encoding, input validation and a Content Security Policy that blocks inline event handlers.
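To make the parsing point concrete, the following is an added example written for this page; it is not code from the tweet, its author, or Cloudflare. It decodes the payload, runs it through a minimal model of the HTML5 start-tag tokenizer (only the rules relevant here: a solidus acts as a separator, names are lower-cased), shows that a naive signature of the kind a simple filter might use (a hypothetical regex, not Cloudflare's rule) misses it, shows that a check based on the parsed result catches it, and shows that HTML output encoding removes the element entirely.

```javascript
// Added example: not from the tweet, its author or Cloudflare.
// Demonstrates why "<SVG/oNlY=1 ONlOAD=...>" is a live element to the browser,
// why a naive pattern misses it, and why output encoding neutralises it.

const ENCODED_PAYLOAD = "%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E";

// Step 1: the parameter is URL-decoded before it reaches the page.
function decodePayload(encoded) {
  return decodeURIComponent(encoded);
}

// Step 2: a minimal model of the HTML5 start-tag tokenizer. It reproduces the
// rules that matter here: after the tag name, "/" and whitespace both end the
// current token and start a new attribute; unquoted values end at whitespace
// or ">"; tag and attribute names are lower-cased. An unterminated tag returns
// whatever was parsed so far. Returns null if the input is not a start tag.
function tokenizeStartTag(markup) {
  if (!markup.startsWith("<")) return null;
  const isSep = (c) => c === "/" || /\s/.test(c);
  let i = 1;
  let name = "";
  while (i < markup.length && !isSep(markup[i]) && markup[i] !== ">") name += markup[i++];
  const attrs = {};
  while (i < markup.length && markup[i] !== ">") {
    while (i < markup.length && isSep(markup[i])) i++;          // "/" skipped like a space
    if (i >= markup.length || markup[i] === ">") break;
    let attrName = "";
    while (i < markup.length && !isSep(markup[i]) && markup[i] !== "=" && markup[i] !== ">") {
      attrName += markup[i++];
    }
    let value = "";
    if (markup[i] === "=") {
      i++;
      const quote = markup[i] === '"' || markup[i] === "'" ? markup[i++] : null;
      while (i < markup.length && (quote ? markup[i] !== quote : !/\s/.test(markup[i]) && markup[i] !== ">")) {
        value += markup[i++];
      }
      if (quote && markup[i] === quote) i++;
    }
    attrs[attrName.toLowerCase()] = value;
  }
  return { tag: name.toLowerCase(), attrs };
}

// Step 3: a deliberately naive signature, hypothetical and written only for
// this example (it is NOT Cloudflare's rule). It expects whitespace between
// "<svg" and an on* handler, so the "/" separator and the junk attribute that
// precedes the handler keep it from matching.
const NAIVE_RULE = /<svg\s+on\w+\s*=/i;
function naiveRuleMatches(markup) {
  return NAIVE_RULE.test(markup);
}

// Step 4: decide on what the browser would build, not on how the bytes look.
function hasEventHandler(markup) {
  const tok = tokenizeStartTag(markup);
  return tok !== null && Object.keys(tok.attrs).some((a) => a.startsWith("on"));
}

// Step 5: the defence the text recommends. Once "<" becomes "&lt;" there is no
// start tag for the parser to build, whatever the attribute trickery.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Walk-through on the payload from the tweet.
const decoded = decodePayload(ENCODED_PAYLOAD);
console.log("decoded:       ", decoded);
console.log("parsed:        ", JSON.stringify(tokenizeStartTag(decoded)));
console.log("naive rule:    ", naiveRuleMatches(decoded));          // false
console.log("parse check:   ", hasEventHandler(decoded));           // true
console.log("after encoding:", encodeForHtml(decoded), "->", tokenizeStartTag(encodeForHtml(decoded)));
```

The tokenizer is intentionally incomplete (no character references, no comments, no end tags); it exists to show the one behaviour that makes the payload work. The practical lesson is in steps 4 and 5: a filter that does not parse the way the browser parses can be bypassed by reshaping the same element, while encoding at the output sink removes the problem regardless of how the input was spelled.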
For more details, check out the original tweet here: https://twitter.com/viehgroup/status/1975073388365488131