Cross-Site Scripting (XSS) remains a critical web vulnerability, and modern Web Application Firewalls (WAFs) are evolving to detect and block traditional payloads. However, attackers continuously refine techniques to bypass these protections. This article dissects an advanced XSS payload designed to evade Microsoft’s 2025 WAF by leveraging double-encoding, indirect function calls, and DOM manipulation.
Learning Objectives:
Understand how double-encoded HTML entities bypass single-layer WAF decoding.
Learn to use array dereferencing and indirect property access to evade signature-based detection.
Explore DOM-based triggers (e.g., onchange) as alternatives to monitored events like onclick.
1. Double-Encoded HTML Entities for WAF Evasion
Payload Snippet:
&%2362;
Step-by-Step Explanation:
1. Encoding Layers: `&%2362;` is a double-encoded HTML entity:
– First layer: `%23` URL-decodes to `#`, resulting in `&#62;`.
– Second layer: `&#62;` HTML-decodes to `>`, the closing angle bracket.
2. WAF Bypass: Many WAFs decode only once, seeing the harmless entity text `&#62;` instead of `>`.
3. Usage: Embed in payloads where angle brackets are filtered (e.g., `
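The following Python snippet is an added example (not from the original article) that models the decoding mismatch described above from the detection side: a WAF that URL-decodes once never sees the angle bracket, while a canonicalizer that repeats URL-decoding and HTML-unescaping until the string stops changing does. The sample inputs are constructed for this example.

```python
from html import unescape
from urllib.parse import unquote

# Constructed sample inputs for this example (not taken from live traffic).
SAMPLES = {
    "plain": "<img src=x>",
    "single_entity": "&#62;",      # one HTML-entity layer
    "double_encoded": "&%2362;",   # the payload snippet from the article
}

def single_pass_decode(s: str) -> str:
    """Model of a WAF that URL-decodes exactly once before matching signatures."""
    return unquote(s)

def normalize(s: str, max_rounds: int = 5) -> str:
    """Repeatedly URL-decode and HTML-unescape until the string stops changing.

    This canonicalization collapses stacked encodings to the characters the
    browser will actually render. The round cap keeps pathological inputs from
    looping indefinitely.
    """
    for _ in range(max_rounds):
        decoded = unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    return s

def has_angle_bracket(s: str) -> bool:
    return "<" in s or ">" in s

def naive_waf_flags(s: str) -> bool:
    """Single-layer check: what a once-decoding WAF sees."""
    return has_angle_bracket(single_pass_decode(s))

def hardened_waf_flags(s: str) -> bool:
    """Same check, run after full canonicalization."""
    return has_angle_bracket(normalize(s))

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15} naive={naive_waf_flags(sample)!s:5} "
              f"hardened={hardened_waf_flags(sample)!s:5} -> {normalize(sample)!r}")
```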