This post explains a simple bypass of Cloudflare's Web Application Firewall (WAF) that allows Cross-Site Scripting (XSS) payloads through. A standard XSS payload such as <img src=x onerror=alert()> is blocked by Cloudflare's WAF. Changing the case of the tag and attribute names and using a non-standard src value, specifically <Img Src=OnXSS OnError=alert(document.domain)>, gets past the WAF and the alert fires. This indicates that Cloudflare's WAF rules may not fully normalize mixed-case tag and attribute names or non-standard attribute values before matching XSS signatures. Bug bounty hunters and security researchers should be aware of such bypasses when testing web applications protected by Cloudflare. In summary, by manipulating the case and names of HTML attributes in an image tag, an attacker can slip past Cloudflare's signature filtering and execute client-side script through an underlying XSS vulnerability. For defenders, the practical lesson is that a WAF signature is only a supplementary layer: the browser's HTML parser treats <Img OnError=...> exactly like <img onerror=...>, so any filter that matches on raw input without the same normalization will miss variants, and the durable fix remains context-aware output encoding in the application itself.
For more insights, check out the original tweet here: https://twitter.com/RezyDev/status/2032691911224602719. And don’t forget to follow @RezyDev for more exciting updates in the world of cybersecurity.