
This is Md Saikat, a Cyber Security Engineer at TechnoNext Ltd. I've completed eJPT and eWPTX, and I spend most of my time exploring web applications, breaking things (ethically xD), and learning something new from every finding.

So, in this write-up, I want to share one of my small hunting stories, where things looked normal at first… but not at all, because of Cloudflare :3

TL;DR: Before jumping into the story, let's keep it simple.

Reflected XSS (Cross-Site Scripting)¹ happens when a website takes user input from the request (for example a URL query parameter) and echoes it back into the response page without proper output encoding. If we can inject HTML or JavaScript there, it runs in the victim's browser, in the origin of the vulnerable site, as soon as the victim opens a crafted link.

Now, services like Cloudflare (a WAF, Web Application Firewall) try to protect apps by blocking common payloads like:

<script>alert(1)</script>

But the thing is… WAFs mostly match known bad patterns (signatures). The browser's HTML parser, on the other hand, accepts a lot of shapes a signature never anticipated. And as hunters, we don't always walk the obvious path 😉
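To make the "reflected without encoding" part concrete, here is an added example (my illustration, not the target portal's code) of an error page that echoes a msg parameter straight into its body, next to the same page with HTML output encoding. The /error path, the page markup and the recruitment-portal hostname are assumptions; the attacker link is a constructed input.

```javascript
// Added example (not the target portal's code): how a "msg" parameter gets
// reflected into an error page, first unsafely, then with output encoding.
// The URL path "/error" and the page markup are assumptions.

// Extract the msg parameter the way a server-side handler would see it.
function getMsgParam(href) {
  return new URL(href).searchParams.get("msg") ?? "";
}

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: msg is concatenated straight into the HTML body, so any tag
// in it becomes markup (this is the behaviour described in the write-up).
function renderErrorPageVulnerable(msg) {
  return `<html><body><p class="error">${msg}</p></body></html>`;
}

// Fixed: the same page, but msg is HTML-encoded before it reaches the body.
// The browser now shows the payload as literal text instead of parsing it.
function renderErrorPageSafe(msg) {
  return `<html><body><p class="error">${escapeHtml(msg)}</p></body></html>`;
}

// Constructed request: a link an attacker would send to a victim.
const attackerLink =
  "https://xyzportal.redacted.com/error?msg=" +
  encodeURIComponent("<svg/on on onLoad=alert(0)>");

const msg = getMsgParam(attackerLink);
console.log(renderErrorPageVulnerable(msg)); // handler survives as markup
console.log(renderErrorPageSafe(msg));       // rendered as inert text
```

Note that a WAF sits in front of renderErrorPageVulnerable and only filters some requests; renderErrorPageSafe removes the bug regardless of what the WAF lets through.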

Initial Foothold

After some basic recon, I found that my target application had a subdomain. Let's call it "xyzportal.redacted.com". This portal was used by them for their recruitment process.

As there was no ongoing recruitment, hitting the subdomain redirected me to an error page showing an error message.

But the error message was controlled by a msg query parameter, which caught my attention.


Now, I tried a basic HTMLi² (HTML injection) to check whether the parameter's value was being rendered dynamically into the page body.

I tried the basic HTMLi payload

<i>xss</i>

To my surprise, it rendered in the body as real markup (italic text, not the literal tags). No escaping, no filtering :D


At this moment, I thought, "Okay… this might go further."

Digging Further

Initially I tried the basic XSS payload

<script>alert(0)</script>

And yeah, Cloudflare stepped in and blocked me.


With Cloudflare in front, the classic payload set has very little chance of getting through.

So, I asked myself, "What if I don't use <script> at all?"

I had tried an <iframe> payload earlier, based on this cool write-up by SMHTahsin33, but it seemed too weaponized for a small target.


Later I tried simple tags such as <img> and <svg>. These were not blocked on their own, but they were blocked as soon as I combined them with an event handler such as onload or onerror.

Exploitation

After digging for a while and going through some resources, I found a payload that bypassed Cloudflare and triggered a successful XSS.


Payload:

<svg/on on onLoad=alert(0)>

You can also try different variations of the same idea, such as:

<svg/one onLoad=alert(0)>
<img src=xx one onLoad=alert(0)>
<img src=xx on on onLoad=alert(0)>
...

Why This Worked (Simple Explanation)

Let's break it down in a simple way.

  • Cloudflare's WAF rules block known bad patterns like <script>, and also the usual tag-plus-handler combinations such as <svg onload=…> and <img src=x onerror=…>.
  • But <svg> itself is a valid and common HTML tag, so it cannot simply be blacklisted.
  • An <svg> element accepts event handler attributes such as onload, and onload fires as soon as the element is parsed, so no user interaction is needed.
  • The slightly weird structure (<svg/on on onLoad=…>) is parsed by the browser just like <svg onload=…>: the HTML tokenizer treats the / after the tag name as an attribute separator and on on as two harmless bare attributes, so onLoad=alert(0) still lands on the element as a real handler. A signature that expects the handler to sit right after the tag name does not match that shape, but the browser does not care.

One thing worth keeping in mind: the bypass is the fun part, but the actual bug is the missing output encoding of msg. The WAF only raises the cost of exploitation; the fix is to HTML-encode msg where it is written into the page, with a Content Security Policy as defense in depth.

That's all for now. Thanks for reading ❤️ If this gave you some insight, feel free to share it and help others learn something new too.


Sources: [1]: https://portswigger.net/web-security/cross-site-scripting/reflected [2]: https://www.imperva.com/learn/application-security/html-injection/

Additional: [3]: https://x.com/RodoAssis/status/1450118363070468099

Find me: Github | LinkedIn | X | Facebook