Cloudflare WAF Bypass Leading to Reflected XSS via SVG Injection

This is Md Saikat a Cyber Security enthusiast. I've completed eJPT, eWPTX, and I spend most of time exploring web applications, breaking things (ethically xD), and learning something new from every of my finding.

So, In this write up, I want to share one of my small hunting story where things look normal at first… but not at all because of Cloudflare :3

TLDR; Before jumping into the story, let's keep it simple.

Reflected XSS (Cross-Site Scripting)¹ is when a website takes user input and reflects it back into the page without proper filtering. If we can inject JavaScript there… it runs in the victim's browser.

Now, services like Cloudflare (WAF) try to protect apps by blocking common payloads like:

<script>alert(1)</script>

<script>alert(1)</script>

But the thing is… WAFs mostly look for known bad patterns. And as a hunter, we don't always walk the obvious path 😉

Initial Foothold

After a basic recon, I've found my targeted application has a subdomain. Let's assume it as "xyzportal.redacted.com". Basically this portal was used by them for recruitment procedure.

As there was no on going recruitment. So, while hitting the subdomain it was redirected me to the error message path with an error message.

But the error message was controlled by the msg parameter which took my attention.

Now, I tried with a basic HTMLi² to check if the parameter's value is dynamically showing to the body or not.

I tried with basic HTMLi payload

<i>xss</i>

<i>xss</i>

To my surprise, it was executed to the body. No escaping, No filtering :D

At this moment, I thought "Okay… this might go further"

Digging Further

Initially I tried with the basic XSS payload

<script>alert(0)</script>

<script>alert(0)</script>

And yeah, the Cloudflare stepped in and blocked me.

As there is Cloudflare. There is a high chance to get XSS with classic payload set.

So, I asked myself "What if I don't use