Summary
The application hosted at https://share.doppler.com/ext/jquery/dist/jquery.min.js is protected by a Cloudflare WAF intended to prevent malicious injection attempts such as XSS payloads.
Initial testing confirmed that basic reflected XSS payloads are blocked by the WAF.
Blocked Payload Example
https://share.doppler.com/ext/jquery/dist/jquery.min.js?c="\"><script>alert('XSS')</script>"
The WAF successfully detects and blocks this payload.
1. WAF Bypass Finding
A more obfuscated payload was able to bypass Cloudflare's WAF filtering.
Bypass Payload (URL Encoded)
https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=%22%3E%0D%0A%0D%0A%3Cx%20%27=%22foo%22%3E%3Cx%20foo=%27%3E%3Cimg%20src=x%20onerror=javascript:alert(`cloudfrontbypass`)//%27%3E
Decoded Payload
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>"
Observations
- The WAF does not block this obfuscated payload.
- Although this payload does not successfully trigger XSS execution in the current context, it bypasses WAF detection rules.
- This indicates insufficient normalization and filtering at the WAF layer.
Risk Assessment
- WAF bypass significantly increases the attack surface.
- If future application changes introduce a reflection context, this bypass could become exploitable.
- Attackers may further refine payloads to achieve successful exploitation.
2. DOM-Based XSS Vulnerability
Vulnerable Component
ce.escapeSelector implementation (likely part of a jQuery-based selector escaping mechanism).
Root Cause Analysis
The vulnerability stems from improper handling of Unicode surrogate pairs.
Technical Breakdown
Surrogate Pairs
- Unicode characters outside the Basic Multilingual Plane (BMP) are represented using surrogate pairs.
- A surrogate pair consists of two 16-bit code units.
- charCodeAt() returns only a single 16-bit code unit.
- As a result, surrogate pairs are not properly escaped when processed character-by-character.
Incomplete Escaping Mechanism
- The escape function processes each code unit individually.
- This results in malformed hexadecimal encoding.
- The combined character is not correctly sanitized.
- This allows injection via malformed selectors.
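The mechanism described above, as an added example that is not code from the report or from jQuery: the constructed sample is the thumbs-up character U+1F44D, which JavaScript stores as the surrogate pair D83D DC4D. charCodeAt() sees two halves where codePointAt() sees one character, and a naive escaper written in the style the report describes (one hex escape per code unit) emits two escapes that each name a lone surrogate. The CSS Syntax specification treats a hex escape in the surrogate range as invalid and substitutes U+FFFD, so the escaped selector no longer refers to the intended character.

```javascript
// Added example, not code from the report or from jQuery.
// Constructed sample input: U+1F44D (thumbs up) as its UTF-16 surrogate pair.
const SAMPLE = "\uD83D\uDC4D";

// What charCodeAt() sees: two 16-bit code units.
function codeUnitsHex(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    out.push(str.charCodeAt(i).toString(16));
  }
  return out;
}

// What codePointAt() sees (Array.from iterates by code point): one character.
function codePointsHex(str) {
  return Array.from(str, (ch) => ch.codePointAt(0).toString(16));
}

// Naive escaper in the style the report describes: hex-escape every code unit
// that is not a plain ASCII word character. Each half of the pair becomes its
// own "\hhhh " escape, and neither half is a valid code point on its own.
function naiveEscape(str) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    if (/[A-Za-z0-9_-]/.test(str[i])) {
      out += str[i];
    } else {
      out += "\\" + str.charCodeAt(i).toString(16) + " ";
    }
  }
  return out;
}

// Detect the malformed output: any CSS hex escape naming a value in the
// surrogate range D800-DFFF, which a CSS parser replaces with U+FFFD.
function escapesLoneSurrogate(escaped) {
  const re = /\\([0-9a-fA-F]{1,6}) ?/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    const cp = parseInt(m[1], 16);
    if (cp >= 0xd800 && cp <= 0xdfff) return true;
  }
  return false;
}
```

Running the helpers on SAMPLE shows the two views of the same string: `codeUnitsHex` returns `d83d` and `dc4d`, `codePointsHex` returns the single value `1f44d`, and the naive escape trips `escapesLoneSurrogate`.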
Proof of Concept (PoC)
'div[id="\\uD83D\\uDC4D;alert(1)//"]'
Payload Size
37 bytes
Exploitation Scenario
An attacker can:
- Craft a malicious selector containing surrogate pairs.
- Bypass incomplete escaping logic.
- Manipulate DOM element selection.
- Potentially inject JavaScript into the page context.
Potential Impact
Successful exploitation may allow:
- Execution of arbitrary JavaScript
- Session hijacking
- Credential theft
- Data exfiltration
- Unauthorized actions on behalf of users
This qualifies as a DOM-based Cross-Site Scripting (DOM-XSS) vulnerability.
Severity Assessment
Finding        | Risk Level
WAF Bypass     | Medium
DOM-based XSS  | High
Recommendations
For WAF Hardening
- Enable strict normalization rules in Cloudflare.
- Implement deeper inspection of encoded characters.
- Apply server-side input validation rather than relying solely on WAF.
- Use Content Security Policy (CSP) to reduce XSS impact.
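The normalization step these recommendations call for, as an added example that is not part of the report or of Cloudflare's rule set: the query parameter is percent-decoded (repeatedly, to also catch double encoding), CR/LF and other whitespace are collapsed and the value is lowercased before any pattern runs over it. The two URLs are the ones quoted in the report; the two rule names and their patterns are assumptions for illustration, not Cloudflare managed rules.

```javascript
// Added example, not code from the report or from Cloudflare.
// The two request URLs quoted in the report.
const BLOCKED_URL =
  "https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=\"\\\"><script>alert('XSS')</script>\"";
const BYPASS_URL =
  "https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=%22%3E%0D%0A%0D%0A%3Cx%20%27=%22foo%22%3E%3Cx%20foo=%27%3E%3Cimg%20src=x%20onerror=javascript:alert(`cloudfrontbypass`)//%27%3E";

// Normalize a raw parameter value before inspection:
// 1. percent-decode repeatedly (bounded) so double-encoded input is unwrapped,
// 2. collapse CR, LF and other whitespace to a single space,
// 3. lowercase so case tricks do not defeat the patterns.
function normalize(value) {
  let v = value;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(v);
    } catch {
      break; // malformed percent sequence: stop decoding, inspect what we have
    }
    if (decoded === v) break;
    v = decoded;
  }
  return v.replace(/[\r\n\t\f\v ]+/g, " ").toLowerCase();
}

// Illustrative rules (assumed names and patterns), applied to normalized text.
const RULES = [
  { name: "script-tag", re: /<script\b/ },
  { name: "event-handler-attribute", re: /<[a-z][^>]*\son[a-z]+\s*=/ },
];

// Inspect every query parameter of a URL and return the rules each one hits.
function inspectQuery(url) {
  const qs = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  const hits = [];
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("="); // split on the first '=' only; values may contain '='
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    const norm = normalize(raw);
    for (const rule of RULES) {
      if (rule.re.test(norm)) hits.push({ param: name, rule: rule.name });
    }
  }
  return hits;
}
```

After normalization both URLs are flagged: the blocked one by the script-tag rule, the bypass one by the event-handler rule, which the CR/LF sequence and percent-encoding no longer hide. A benign value such as `c=hello%20world` produces no hits.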
For DOM-XSS Fix
- Replace custom escape logic with a well-tested standard library.
- Avoid manual Unicode escaping using charCodeAt.
- Use CSS.escape() where supported.
- Validate and sanitize selector inputs before usage.
- Implement strict CSP headers (no inline JavaScript).
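The fix recommended above, as an added example that is not code from the report or from jQuery: untrusted input is passed through CSS.escape() where the runtime provides it (browsers), and otherwise through a code-point-aware fallback that iterates characters with for-of so a surrogate pair is kept whole instead of being split into two code units. The fallback follows the CSSOM identifier-serialization rules for the common cases but is an illustration, not a complete polyfill; `isPlainIdentifier` is an assumed allowlist for applications that only expect simple ids. The sample id is the one from the PoC above.

```javascript
// Added example, not code from the report or from jQuery.

// Fallback escaper: iterate by code point (Array.from), so "\uD83D\uDC4D" is
// one element and passes through intact instead of becoming two escapes.
function escapeCodePointAware(value) {
  const chars = Array.from(String(value));
  let out = "";
  chars.forEach((ch, i) => {
    const cp = ch.codePointAt(0);
    if (cp === 0) {
      out += "\uFFFD"; // NUL is replaced, as CSS.escape does
    } else if ((cp >= 0x01 && cp <= 0x1f) || cp === 0x7f || (i === 0 && cp >= 0x30 && cp <= 0x39)) {
      out += "\\" + cp.toString(16) + " "; // control characters and a leading digit get a hex escape
    } else if (cp >= 0x80 || /[A-Za-z0-9_-]/.test(ch)) {
      out += ch; // non-ASCII (including the whole surrogate pair) and word characters pass through
    } else {
      out += "\\" + ch; // remaining ASCII punctuation is backslash-escaped
    }
  });
  return out;
}

// Prefer the platform implementation when it exists (browsers); the fallback
// is for environments without CSS.escape, such as Node.
function escapeSelectorValue(value) {
  if (typeof CSS !== "undefined" && typeof CSS.escape === "function") {
    return CSS.escape(value);
  }
  return escapeCodePointAware(value);
}

// Defense in depth: if the application only ever expects simple ids, reject
// anything else before it reaches a selector at all (assumed allowlist).
function isPlainIdentifier(value) {
  return /^[A-Za-z_][A-Za-z0-9_-]*$/.test(value);
}

// The id from the PoC: the surrogate pair U+D83D U+DC4D followed by the injected tail.
const POC_ID = "\uD83D\uDC4D;alert(1)//";

function buildIdSelector(untrustedId) {
  return 'div[id="' + escapeSelectorValue(untrustedId) + '"]';
}

// The pair must survive as one code point and no escape may name a lone surrogate.
function selectorKeepsPairIntact(selector) {
  return selector.includes("\uD83D\uDC4D") && !/\\d[89ab][0-9a-f]{2}/i.test(selector);
}
```

For the PoC id the escaped selector is `div[id="👍\;alert\(1\)\/\/"]`: the pair is untouched, the `;`, parentheses and slashes are backslash-escaped, and `isPlainIdentifier` rejects the value outright.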
Conclusion
While the WAF blocks basic XSS attempts, it can be bypassed using obfuscated payloads. Additionally, improper handling of Unicode surrogate pairs in selector escaping introduces a DOM-based XSS vulnerability with potentially severe impact.