I was doing web pentest on a private program. The program had a very tough WAF even typing alert as a payload would be blocked by WAF.
This website had a vulnerable test page which was vulnerable to XSS, which the developers had forgotten to remove after development of the website was over. I had found this endpoint by directory bruteforcing.
The vulnerable endpoint was like below.
https://redacted.com/redacted/origin/test?charset=%C3%A9a
The charset parameter was vulnerable to XSS, However the WAF protecting the website was blocking any XSS payloads to be executed on the website.
I followed the portswigger methodology for WAFbypass mentioned on https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
The method is to first copy all tags from portswigger xss cheatsheet and send to the website with intruder ( For example, Replace FUZZ with tags from portwsigger cheatsheat for below link )
https://redacted.com/redacted/origin/test?charset=<FUZZ>
Note the tags which are not blocked, then FUZZ with events from portswigger cheat sheet. Note the events which are not blocked.
Now select the event and tag which are not blocked, Portswigger cheatsheet will give you the WAF bypassed payload to use
For the website I was testing, the only payload that worked was the below one. It only works on chrome browser.
“><xss onpointerrawupdate=console.log(‘XSS’)>Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_ClickHere</xss>
When the user moves cursor over Click_Here, XSS will keep getting printed on the console showing javascript execution.
