Reflected XSS on Target with tough WAF ( WAF Bypass )

I was doing web pentest on a private program. The program had a very tough WAF even typing alert as a payload would be blocked by WAF.

This website had a vulnerable test page which was vulnerable to XSS, which the developers had forgotten to remove after development of the website was over. I had found this endpoint by directory bruteforcing.

The vulnerable endpoint was like below.

The charset parameter was vulnerable to XSS, However the WAF protecting the website was blocking any XSS payloads to be executed on the website.

I followed the portswigger methodology for WAFbypass mentioned on

The method is to first copy all tags from portswigger xss cheatsheet and send to the website with intruder ( For example, Replace FUZZ with tags from portwsigger cheatsheat for below link )<FUZZ>

Note the tags which are not blocked, then FUZZ with events from portswigger cheat sheet. Note the events which are not blocked.

Now select the event and tag which are not blocked, Portswigger cheatsheet will give you the WAF bypassed payload to use

For the website I was testing, the only payload that worked was the below one. It only works on chrome browser.

“><xss onpointerrawupdate=console.log(‘XSS’)>Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_ClickHere</xss>

When the user moves cursor over Click_Here, XSS will keep getting printed on the console showing javascript execution.



Web App Pentester, Cybersecurity Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store