This tweet reveals a clever technique to bypass Web Application Firewalls (WAFs) using a Cross-Site Scripting (XSS) payload. The key trick is the use of double event handlers along with a newline character (%0a) inserted between them. The payload given is:

"> <img/src=/Onerror%0aOnerror=alert(1)//

Essentially, the attacker uses an <img> tag with the 'onerror' event handler declared twice, separated by a newline character encoded as %0a. Many WAFs fail to properly sanitize this kind of input because some filters do not expect event handlers split across lines or multiple handlers in one tag. The newline character disrupts the WAF's pattern matching, allowing the malicious script (the alert(1) JavaScript) to execute. This technique is particularly effective against WAFs that do not normalize input sufficiently or that perform line-based filtering.

To summarize:

– Vulnerability type: XSS (Cross-Site Scripting)
– Technique: Using double event handlers with a newline character to bypass WAF filters
– Payload example: "><img/src=/Onerror%0aOnerror=alert(1)//
– Impact: Allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to data theft, session hijacking, or further attacks.

Defenders should ensure that WAF rules properly normalize input by removing newline characters and validating event handlers more comprehensively. This example highlights the importance of robust input validation and sanitization for preventing XSS attacks and improving WAF effectiveness.
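The normalization point above, worked through in Python as an added example (this is not code from the tweet or its author). It runs the page's payload through a line-based event-handler rule, then through the same rule after URL-decoding and whitespace folding, and finally through Python's html.parser to show which attributes a tokenizer actually produces from the reflected tag and why output encoding closes the hole regardless of the WAF. The reflecting template, the regex and all function names are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The payload from the page, as it arrives in a query string (%0a is still
# URL-encoded at this point).
RAW_PAYLOAD = '"> <img/src=/Onerror%0aOnerror=alert(1)//'

# Hypothetical server-side template that reflects a parameter into an
# attribute value. Without output encoding this is the XSS sink.
TEMPLATE = '<input value="{}">'

# Hypothetical signature-style WAF rule: an on* attribute name inside a tag,
# preceded by whitespace or a slash and followed by "=".
HANDLER_RE = re.compile(r'<\w+[^>]*[\s/]on\w+\s*=', re.IGNORECASE)


def line_based_filter(raw: str) -> bool:
    """Rule applied to each decoded line on its own.

    The tag opener and the handler land on different lines, so no single
    line matches and the payload passes.
    """
    decoded = unquote(raw)
    return any(HANDLER_RE.search(line) for line in decoded.splitlines())


def normalized_filter(raw: str) -> bool:
    """Same rule after browser-style normalisation: URL-decode, then fold
    every run of whitespace (newlines, tabs, form feeds) into one space,
    which is how the HTML tokenizer treats it anyway."""
    decoded = unquote(raw)
    folded = re.sub(r'\s+', ' ', decoded)
    return HANDLER_RE.search(folded) is not None


class TagCollector(HTMLParser):
    """Records each start tag and its attributes as the tokenizer sees them
    (HTMLParser lower-cases attribute names, as a browser does)."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tokenize(markup: str) -> list:
    """Returns [(tag, {attr: value, ...}), ...] for the given markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_vulnerable(raw: str) -> str:
    """Reflects the decoded parameter verbatim: the leading "> closes the
    input tag and the <img ...> that follows becomes a real element."""
    return TEMPLATE.format(unquote(raw))


def render_fixed(raw: str) -> str:
    """Context-aware output encoding: quotes and angle brackets are escaped,
    so the text stays inside the attribute value whatever the WAF does."""
    return TEMPLATE.format(html.escape(unquote(raw), quote=True))


if __name__ == "__main__":
    print("line-based rule flags payload:", line_based_filter(RAW_PAYLOAD))
    print("normalized rule flags payload:", normalized_filter(RAW_PAYLOAD))
    for tag, attrs in tokenize(render_vulnerable(RAW_PAYLOAD)):
        print("vulnerable render ->", tag, attrs)
    for tag, attrs in tokenize(render_fixed(RAW_PAYLOAD)):
        print("fixed render      ->", tag, attrs)
```

Running it shows the line-based rule missing the payload and the normalized rule catching it, and the tokenizer turning the vulnerable render into an `img` element whose `src` is `/Onerror` and whose `onerror` value begins with `alert(1)`, while the encoded render yields only the original `input` element. The normalized rule is still a signature check and can be sidestepped by other encodings; the durable fix is the output encoding in `render_fixed`, with the WAF normalization as defence in depth.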
For more insights, check out the original tweet here: https://twitter.com/PsalmWell/status/2042925655889703317