Listen to this Post

Introduction:
Web Application Firewalls (WAFs) like Akamai are the first line of defense for modern web applications, designed to filter and block malicious traffic. However, skilled attackers continually develop ingenious techniques to evade these protections, as demonstrated by a recent bug bounty discovery. This article deconstructs two novel Cross-Site Scripting (XSS) payloads that successfully bypassed a hardened Akamai WAF, revealing critical insights into modern offensive security.
Learning Objectives:
- Understand the mechanics of advanced JavaScript obfuscation and string concatenation for WAF evasion.
- Learn how to leverage rarely used JavaScript functions and properties like `.source` and `.call` to construct malicious code.
- Develop the skills to analyze and replicate complex XSS payloads for defensive testing and bug bounty hunting.
You Should Know:
1. Deconstructing the Script Tag Polyglot Bypass
The first payload is a masterclass in confusing a WAF’s parsing logic by creating a polyglot string that is interpreted differently by the browser than by the security filter.
`/ &x3c;img/src/ /`
Step-by-Step Guide:
/: This begins a multi-line comment in JavaScript. The WAF may see this and expect a comment, potentially lowering its guard for subsequent content.</script>: This is a common tag closer. It can be used to break out of an existing script context or to confuse naive WAF regex patterns that look for complete tags.&x3c;: This is the HTML entity for the less-than sign (<). The WAF might decode this after its primary parsing, allowing a tag to be formed later in the process that it initially missed.<script>: This tag is injected after the WAF’s filtering has been evaded by the previous obfuscation.window[/al/.source+/ert/.source](origin);: This is the core malicious payload. It avoids using the string “alert” directly.
`/al/.source` returns the string “al” from the regex literal.
`+/ert/.source` concatenates the string “ert” from the second regex.
The result iswindow["alert"](origin);, which executes the `alert` function using the `origin` property of the window as its argument.-
The Indirect eval() and Tagged Template Literals Bypass
The second payload employs a more esoteric JavaScript feature, tagged template literals, to execute code without using traditional parentheses, which are often heavily filtered.
`a=eval,c=[“a”],x=[“lert”],t=\${c}${x}(origin)`,a.call`1${t}“
Step-by-Step Guide:
a=eval: Assigns the `eval` function to the variablea. This is a simple obfuscation step.c=["a"], x=["lert"]: Stores parts of the function call in arrays. The WAF is unlikely to block the strings “a” or “lert” in isolation.- `t=\${c}${x}(origin)“: This constructs a string using template literal syntax. The variable `t` will equal the string “alert(origin)”.
-
a.call1${t}: This is the critical evasion technique. It uses the `.call` method of the `eval` function (now `a`) with a tagged template literal.is effectively interpreted as
The `.call` method normally takes a `thisArg` and a list of arguments: `func.call(thisArg, arg1, arg2)`.
When used with a tagged template literal, the first argument is an object containing an array of the string parts, and the subsequent arguments are the interpolated values.
The expression `a.call`1${t}a.call(["1", ""], "alert(origin)").
The `eval` function (a) executes the first interpolated value,"alert(origin)", as code. The `1` is a red herring used to structure the template. -
Essential JavaScript for WAF Evasion: The `.source` Property
The `.source` property of a RegExp object returns the source text of the regex as a string. This is invaluable for breaking up blacklisted keywords.
`let part1 = /al/.source; // “al”`
`let part2 = /ert/.source; // “ert”`
`let fullFunction = window[part1 + part2]; // window[“alert”]`
`fullFunction(“XSS”); // Executes alert(“XSS”)`
4. Mastering Tagged Template Literals for Code Execution
Tagged template literals allow a function to parse template literals. This can be abused with `eval` to execute code constructed from string fragments.
`const cmd = ‘alert’;`
`const arg = ‘origin’;`
`eval.call`anything${cmd}(${arg})“;`
// The `eval` function executes the string “alert(origin)”.
5. Leveraging HTML Encoding for Obfuscation
Using HTML entities like `&x3c;` (for <) and `&x3e;` (for >) can help hide tags from WAFs that decode input in a different order than the browser.
`// WAF might see: &x3c;script&x3e;`
`// Browser decodes to: “; // WAF might think the script block ends here`
`// …malicious code continues afterwards… `
7. Combining Techniques for a Robust Payload
The ultimate goal is to chain these techniques into a single, working payload. Start with HTML encoding, add comment noise, break keywords with .source, and finally execute using advanced JS functions like .call.
`// Conceptual payload combining multiple techniques`
`&x3c;script&x3e;/`
`a=/al/.source, b=/ert/.source;`
`eval.call`${a+b}(1)`;`
`/`
What Undercode Say:
- WAFs Are Not Magic Bullets. This case study proves that even top-tier WAF configurations can be bypassed by determined attackers using sophisticated obfuscation. Security must be a multi-layered approach, encompassing secure coding practices, regular penetration testing, and WAF deployment.
- The Evolution of Obfuscation is Endless. The use of `.source` and tagged template literals represents the next evolutionary step in payload obfuscation, moving beyond simple string splitting. Defenders must update their regex patterns and semantic analysis engines to understand these JavaScript nuances to have any chance of catching such attacks.
The bypass techniques showcased are not just theoretical; they were proven against a real-world Akamai implementation. This signifies a critical gap between the common regex-based rule sets employed by many WAFs and the JavaScript engine’s sophisticated parsing capabilities. For defenders, this means manual code review and SAST tools must be calibrated to flag not just the string “eval” or “alert,” but the complex patterns that can build them. For bug bounty hunters and offensive security professionals, it underscores the necessity of deep JavaScript knowledge. The era of simple script tag injection is over; the future belongs to those who can manipulate the very fundamentals of the language to their advantage.
Prediction:
The sophistication of these bypasses will rapidly trickle down into mainstream payload databases and automated tools. Within the next 12-18 months, we predict a significant rise in WAF-bypassing XSS attacks that leverage tagged template literals and property accessors, moving from the realm of advanced bounty hunters to more common exploit kits. This will force a major shift in the WAF industry, necessitating the integration of more advanced JavaScript emulation and behavioral analysis within their engines, rather than relying solely on static signature matching. Organizations that fail to adopt these next-generation WAF features or reinforce their security with rigorous output encoding will be highly vulnerable.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Koutora Anicet – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


