XSS Cloudflare Bypass!

3 min readMar 26, 2021

Hi InfoSec and non-InfoSec Community! This is John Fiel Brosas, a Security Analyst from the Philippines. It’s been a while since I wrote something here in Medium. Anyway, I hope you are all doing well in these trying times. :)

This writeup is about my discovery of an interesting way or payload of XSS (Cross-site scripting) that bypasses WAF Cloudflare protection.

I’ve been testing let’s say redacted.com (for privacy) and was looking for any XSS vulnerabilities on the URIs, inputs, file uploads, etc.

I usually starts with basic XSS payloads

<script>alert(1)</script>

then tried

“><img src=x onerror=alert(1)>
<svg/onload=prompt`1` >
<svg onload=prompt%26%23x000000028;document.domain)>

and unfortunately, nothing works. I tried entering each character of my payload one at a time to see when and what character combinations are prohibited by Cloudflare and so I can form my own payload based on that result. I also tried encoding my payload and nah still didn’t work, though I am aware they are reflecting!

I’ve tried other payloads available on PayloadAllThings and OWASP XSS Filter Evasion, but none of them are working. I felt like giving up on XSS, maybe move on and start checking other bugs instead, since almost all of my payloads were blocked by Cloudflare (which I really hate!)

After a few scratches on my head, I suddenly thought of checking Twitter. As we know, Twitter has been one of the sources of bypasses and techniques, especially in XSS since there are researchers who share their ideas for the community to see.

Then I came across a twit from Shawar Khan @ShawarkOfficial:

As you can see, the tweet was pretty much new so does the payload. :) The description was pretty much what I’ve been experiencing so far. So I gave it a try.

My Final payload: