This tweet describes a bypass of the Cloudflare Web Application Firewall (WAF) for Cross-Site Scripting (XSS). The payload used is: Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(). It relies on JavaScript's Function constructor combined with hexadecimal string escapes to evade the WAF's inspection. The escape sequence \x61\x6c\x65\x72\x74 decodes to the string 'alert', so once the JavaScript engine interprets the string the payload simply executes alert(1), the usual XSS proof-of-concept. Because the characters are hex-encoded in the request, a WAF that matches its signatures against the raw request text rather than the decoded string may fail to recognise the script as malicious, and the injection succeeds. The technique shows how obfuscation such as hexadecimal encoding can be used to slip past security filters. Security teams should keep WAF signatures and heuristics current and, in particular, normalise (decode) input before signature matching so that encoded variants of known payloads are still detected, rather than relying on the WAF alone to protect web applications from XSS.
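To make the detection point concrete, here is an added example (not code from the tweet or from Cloudflare) of the WAF-side normalisation step the paragraph calls for: JavaScript \xHH and \uHHHH escapes are decoded before a signature is applied, so a rule that looks for alert( misses the raw hex-encoded payload from the tweet but matches its decoded form. The signature, the decoding loop and the sample inputs are assumptions constructed for illustration, not Cloudflare's actual rules.

```python
import re

# Constructed sample inputs: the payload quoted in the tweet, and a benign string.
SAMPLE_PAYLOAD = r'Function("\x61\x6c\x65\x72\x74\x28\x31\x29")()'
BENIGN_INPUT = "hello world"

# JavaScript string escapes of the form \xHH or \uHHHH.
_JS_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

# Illustrative signature (assumption): a plain rule looking for the alert( sink.
# Real WAF rule sets are far larger; this one exists only to show the effect of decoding.
_SIGNATURE_RE = re.compile(r"alert\s*\(")

# Upper bound on decoding passes so double-encoded input is handled without looping forever.
MAX_DECODE_PASSES = 3


def decode_js_escapes(value: str, max_passes: int = MAX_DECODE_PASSES) -> str:
    """Replace \\xHH / \\uHHHH escapes with the characters they encode.

    Decoding is repeated (bounded by max_passes) because an escape may itself
    be the product of another layer of encoding; decoding stops early once a
    pass changes nothing. Other escape forms are left untouched (assumption).
    """
    def _replace(match: re.Match) -> str:
        hex_digits = match.group(1) or match.group(2)
        return chr(int(hex_digits, 16))

    current = value
    for _ in range(max_passes):
        decoded = _JS_ESCAPE_RE.sub(_replace, current)
        if decoded == current:
            break
        current = decoded
    return current


def naive_match(value: str) -> bool:
    """Signature applied to the raw request text: misses hex-encoded payloads."""
    return _SIGNATURE_RE.search(value) is not None


def normalized_match(value: str) -> bool:
    """Signature applied after decoding escapes: catches the encoded variant."""
    return _SIGNATURE_RE.search(decode_js_escapes(value)) is not None


if __name__ == "__main__":
    for label, sample in (("payload", SAMPLE_PAYLOAD), ("benign", BENIGN_INPUT)):
        print(f"{label}: raw={naive_match(sample)} normalized={normalized_match(sample)}")
```

The point of the example is the gap between naive_match and normalized_match on the same input: the rule itself is unchanged, only the text it inspects has been decoded first. In a real deployment the decoding stage also has to cover the other transformations the backend will apply (URL decoding, HTML entities, Unicode normalisation) and be bounded, as shown, so that an attacker cannot turn the normaliser itself into a denial-of-service vector.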
Original tweet: https://twitter.com/N45HTOfficial/status/2040870470741066060