This tweet describes a bypass of a Web Application Firewall (WAF) for a Cross-Site Scripting (XSS) payload. The payload is an HTML tag whose event-handler value is obfuscated with hexadecimal character references: ><Body/OnPageShow=&#x00063;&#x0006F;&#x0006E;&#x00066;&#x00069;&#x00072;&#x0006D;(1)>. The browser's HTML tokenizer decodes the references inside the attribute value (0x63 0x6F 0x6E 0x66 0x69 0x72 0x6D spell "confirm"; leading zeros in a numeric reference are permitted), so the tag the DOM sees is ><Body/OnPageShow=confirm(1)>. The leading > closes whatever tag the input is injected into, the / is accepted by HTML parsers as a separator between the tag name and its first attribute, and onpageshow fires when the page is displayed, with no user interaction required. A WAF that matches the raw request bytes against signatures such as confirm( or alert( never sees those strings, because the function name is the only part that is encoded. Note that the handler name OnPageShow= is left in the clear, so a rule keyed on on*= attributes still matches this particular payload; what the trick defeats is matching on the handler body. Vendors such as AWS WAF, Cloudflare and Imperva rely in part on pattern matching, which this kind of obfuscation can defeat, but the tweet does not specify which WAF was affected. The technique is not vendor-specific: it works against any WAF that does not decode HTML character references before applying its rules, and it requires the injection to land in an HTML context, since character references are not decoded inside an existing script block. It is an XSS technique in which character encoding hides the malicious script from signature-based filters.
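The following is an added example, not code from the tweet or from any WAF vendor. It shows why a raw-byte signature misses the encoded handler and why decoding HTML character references before matching closes the gap. The first sample is the tweet's payload; the other samples (decimal references, hex references without the trailing semicolon) and both regex rules are constructed here to show that the same normalization step covers those variants too.

```python
"""Added example: entity-encoded handler vs. raw-byte signature matching.
Inputs are constructed for this example; only the first mirrors the tweet."""
import html
import re

SAMPLES = {
    # Payload from the tweet: hex references with leading zeros spell "confirm".
    "tweet_hex_padded": (
        "><Body/OnPageShow=&#x00063;&#x0006F;&#x0006E;&#x00066;"
        "&#x00069;&#x00072;&#x0006D;(1)>"
    ),
    # Same trick with decimal references (constructed variant).
    "decimal": "><Body/OnPageShow=&#99;&#111;&#110;&#102;&#105;&#114;&#109;(1)>",
    # Hex references without the trailing ';' (constructed variant; browsers
    # still decode these, treating the missing ';' as a parse error).
    "hex_no_semicolon": "><Body/OnPageShow=&#x63&#x6f&#x6e&#x66&#x69&#x72&#x6d(1)>",
    # Unencoded form, for comparison.
    "plain": "><Body/OnPageShow=confirm(1)>",
}

# Hypothetical signature of the kind the tweet evades: an event handler whose
# value calls one of the usual proof-of-concept functions. Applied to the raw
# request, it never sees "confirm(" because that part is encoded.
NAIVE_RULE = re.compile(r"on\w+\s*=\s*['\"]?\s*(alert|confirm|prompt)\s*\(", re.I)

# Broader hypothetical rule: any on* attribute on a tag, accepting '/' as the
# tag/attribute separator the payload uses. The handler name is not encoded
# in the tweet's payload, so this rule hits even on the raw bytes.
HANDLER_RULE = re.compile(r"<[a-z][\w-]*[\s/]+on[a-z]+\s*=", re.I)


def normalize(raw: str) -> str:
    """Decode HTML character references the way a browser tokenizer does
    inside an attribute value: named, decimal and hex forms, with or without
    leading zeros and with or without the trailing ';'. html.unescape
    implements the HTML5 rules for all of these."""
    return html.unescape(raw)


def naive_hit(raw: str) -> bool:
    """Signature applied to the request as received (no decoding)."""
    return NAIVE_RULE.search(raw) is not None


def normalized_hit(raw: str) -> bool:
    """Same signature applied after character-reference decoding."""
    return NAIVE_RULE.search(normalize(raw)) is not None


def handler_hit(raw: str) -> bool:
    """Generic on*= attribute rule, applied after decoding."""
    return HANDLER_RULE.search(normalize(raw)) is not None


def analyze(raw: str) -> dict:
    """Summarize how each rule fares on one input."""
    return {
        "decoded": normalize(raw),
        "naive_rule_raw": naive_hit(raw),
        "naive_rule_normalized": normalized_hit(raw),
        "handler_rule": handler_hit(raw),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

Running it shows the tweet's payload and both constructed variants decode to the same ><Body/OnPageShow=confirm(1)> tag, that the naive rule misses all three encoded forms on raw input and catches all of them after normalize(), and that the generic on*= rule catches every sample. The practical lesson for rule authors is to apply signatures to the decoded form of each parameter and to key at least one rule on the attribute name rather than on the handler body.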
Original tweet: https://twitter.com/xss0r/status/2037973177108767065