Reflected XSS — CloudFlareWAF Bypass 😉

ProfessorXSS
3 min read · Dec 13, 2022

Sometimes simple payloads help to bypass the WAF filter.

Hello Folks, in this article let’s see how I executed XSS on a Cloudflare WAF protected web app.

Let’s get Started !! 😉

This is one of my old targets. When I want to spend some time on pen-testing, I usually test this application, so that I can try all the possible bypasses, flaws, and new findings here.

This time my aim was to find XSS in various endpoints. I had already reported 4–5 RXSS/Stored XSS before, but I was very sure this application was still vulnerable to XSS on other endpoints as well, because it still uses legacy technology to serve the content.

The targeted application uses Cloudflare WAF as its security defense; I found this during my recon.

First, I started looking for hidden parameters in this application and found some juicy information.

Then I started injecting JavaScript payloads into the enumerated params, but had no luck.

Then I opened the main URL and started injecting CRLF payloads to exploit XSS, and again it didn’t work.

But I noticed that the CRLF payload was reflected in the response 👇

Then I started injecting XSS payloads one by one to see whether they were reflected or not.

Below are the payloads:

';a=prompt,a()//
'-eval("window['pro'%2B'mpt'](8)")-'
"-eval("window['pro'%2B'mpt'](8)")-"
"onclick=prompt(8)>"@x.y
"onclick=prompt(8)><svg/onload=prompt(8)>"@x.y

I got the Cloudflare 403 Forbidden error, which means the WAF was blocking me from executing the JS payloads.

But remember, as I’m very sure, many times a simple payload will help you get the XSS.

So I simply crafted "><script>alert(1)</script>, injected it into the main URL, and immediately got the reflection in the response.

Then I immediately opened the response in the browser to check whether the injected payload would pop up or not.

Surprisingly, it worked…

That’s awesome.

Great…
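The defender's side of this finding, as an added example that is not taken from the write-up: the same reflection rendered with and without HTML attribute encoding, plus a regression check that flags input coming back unencoded, which is what a WAF cannot reliably guarantee. The page template, the parameter name and the use of the payloads quoted above as inputs are assumptions.

```python
import html
from urllib.parse import unquote

# The payloads quoted in the write-up, used here as constructed test inputs
# (the WAF-blocked ones and the simple one that got through).
PAYLOADS = [
    "';a=prompt,a()//",
    "'-eval(\"window['pro'%2B'mpt'](8)\")-'",
    "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"",
    "\"onclick=prompt(8)>\"@x.y",
    "\"onclick=prompt(8)><svg/onload=prompt(8)>\"@x.y",
    "\"><script>alert(1)</script>",
]

# Assumed shape of the reflecting page: a search box that echoes the query
# parameter back into an attribute value. The real target's markup is unknown.
TEMPLATE = '<input type="text" name="q" value="{value}">'


def render_unsafe(value: str) -> str:
    """Echoes the decoded parameter verbatim: the class of bug in the write-up."""
    return TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """Echoes the parameter after HTML attribute encoding. This neutralises
    every payload above regardless of whether a WAF sits in front."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def handle(raw_value: str, hardened: bool) -> str:
    """Simulates the server: URL-decode the query value (so %2B becomes +),
    then render it with or without output encoding."""
    value = unquote(raw_value)
    return render_safe(value) if hardened else render_unsafe(value)


def reflected_unencoded(raw_value: str, body: str) -> bool:
    """Regression check for a dev team or a DAST scanner: True when an input
    that carries markup-significant characters comes back verbatim, i.e. it
    can break out of the attribute the way the write-up's payload did."""
    value = unquote(raw_value)
    if not any(c in value for c in "<>\"'"):
        return False  # nothing to break out with, so no finding
    return value in body


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:60} unsafe={reflected_unencoded(p, handle(p, False))} "
              f"hardened={reflected_unencoded(p, handle(p, True))}")
```

Running it shows every payload, including the simple one, flagged against the unsafe renderer and none against the encoded one.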

That’s it for this write-up.

Happy Hacking 🥂🥂

Thanks for reading.

Please follow me for more writeups.
