{"id":84,"date":"2023-06-21T02:57:00","date_gmt":"2023-06-20T19:57:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=84"},"modified":"2025-10-14T22:50:35","modified_gmt":"2025-10-14T15:50:35","slug":"xss-bypass-cloudfront-waf","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/xss-bypass-cloudfront-waf\/","title":{"rendered":"XSS: Bypass CloudFront WAF"},"content":{"rendered":"\n<p>In this article, we will share how we successfully bypassed the <strong>CloudFront WAF<\/strong> (Web Application Firewall) to exploit a <strong>Cross-Site Scripting (XSS)<\/strong> vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Payloads:<\/h3>\n\n\n\n<p>To bypass the <strong>CloudFront WAF<\/strong>, we crafted a special XSS payload. The goal was to find a way to inject JavaScript while preventing the WAF from detecting it as malicious. Here is the payload we used:<\/p>\n\n\n\n<pre><code>&lt;object\/data=&quot;javascript&amp;colon;alert\/**\/(document.domain)&quot;&gt;\/\/&lt;\/object&gt;<\/code><\/pre>\n\n\n\n<p>This payload is interesting because it uses a combination of an <code>&lt;object&gt;<\/code> tag and a <strong>javascript<\/strong> URI scheme. Notice how the colon (<code>:<\/code>) in <code>javascript:<\/code> is encoded as <code>&amp;colon;<\/code>, which can help bypass basic filtering rules in the WAF. Additionally, the empty comment <code>\/**\/<\/code> is inserted between <code>alert<\/code> and its argument list, breaking up the string so that it is harder for the WAF to match the attack.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"478\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/n45htcfwaf2-1-1024x478.jpeg\" alt=\"\" class=\"wp-image-87\" style=\"width:634px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/n45htcfwaf2-1-1024x478.jpeg 1024w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/n45htcfwaf2-1-300x140.jpeg 300w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/n45htcfwaf2-1-768x359.jpeg 768w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/n45htcfwaf2-1.jpeg 1366w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After injecting the payload, we successfully triggered the <strong>XSS<\/strong> attack. The <strong>CloudFront WAF<\/strong> was bypassed, and the alert box displayed the document&#8217;s domain. This confirmed that the vulnerability existed and that the WAF didn\u2019t block our payload.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we will share how we successfully bypassed the CloudFront WAF (Web Application Firewall) to exploit a Cross-Site Scripting (XSS) vulnerability. Payloads: To bypass the CloudFront WAF, we crafted a special XSS payload. The goal was to find a way to inject JavaScript while preventing the WAF from detecting it as malicious. 
Here [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":317,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[9,24,25,8],"class_list":["post-84","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-cross-site-scripting","tag-waf","tag-web-application-firewall","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=84"}],"version-history":[{"count":9,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/84\/revisions\/316"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/317"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}