Defeat all #WAFs with this one simple trick!

Cloudflare/AWS/GCP/Azure hate him...

Append to all response bodies:

<script>zzzzzz=alert</script>

Change all XSS detection payloads from
alert() to zzzzzz()

Laugh.

*Note: may require additional inclusion of a nonce, but don't worry, everyone uses a CDN these days and their vetting process is terrible, except in cases where they have no vetting and they just straight hot-load from GitHub...

#infosec #pentest
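The point of the post, as an added illustration that is not part of the original thread: a name-based signature of the kind a WAF rule might carry, beside context-aware output encoding, which does not care what a function is called. The rule, helper names and sample inputs below are all constructed for the example.

```javascript
// Added example, not from the original post. Toy name-based signature of the
// kind a WAF rule might use: it keys on the name of a well-known sink call.
const NAIVE_SIGNATURE = /\balert\s*\(/i;

function signatureBlocks(input) {
  return NAIVE_SIGNATURE.test(input);
}

// Output encoding for an HTML text context: every character that could open
// or close markup is replaced, regardless of what the payload calls.
function encodeForHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render an untrusted comment into a page fragment, encoding it first.
function renderComment(untrusted) {
  return `<p class="comment">${encodeForHtml(untrusted)}</p>`;
}

// Compare both defences on one input. "encoded" is what actually reaches the
// page: if it holds no "<", no element can be created from it.
function compare(input) {
  const encoded = encodeForHtml(input);
  return {
    blockedBySignature: signatureBlocks(input),
    encodedHasMarkup: encoded.includes("<"),
    rendered: renderComment(input),
  };
}

// Constructed samples: the obvious payload, and the aliased form from the post
// (which relies on a `zzzzzz = alert` alias already being present on the page).
const SAMPLES = ["<script>alert(1)</script>", "<script>zzzzzz(1)</script>"];

for (const s of SAMPLES) {
  const r = compare(s);
  console.log(JSON.stringify({ input: s, ...r }));
}
```

The signature catches only the first sample; encoding neutralises both, because it acts on the markup characters rather than on the function name.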

@fennix personally, I think that #WAFs are a scam on par with 3rd party #Antivirus on #Windows and #Mobile OSes like #Android and #iOS!