Bypass WAF 403 Forbidden lead to Cross Site Scripting (XSS)

Bypass WAF 403 Forbidden lead to Cross Site Scripting (XSS)

Hello everyone, in this article I will share “How I Bypassed WAF” to chaining a Reflected XSS.

Some times ago, my friend Mamet Nugraha built a website for Instagram, Facebook Video’s and Photo’s downloader, you can check in this website saveas.w3llsquad.or.id. Then I was idle to pentest the website. After a while, I found an interesting endpoint in burp history like this:

https://saveas.w3llsquad.or.id/download.php?url=linktoavideo.website/test.mp4&type=xxx&..

Then I sent the request to repeater and I edited a value of parameter`?url=` then I saw in the response that the Content-Type is text/html.

Look at Content-Type header in the response

So I tried to put an XSS payload, but I got redirected to 403 Forbidden page D:

Then I tried to find a bypass, I was tried some bypass like urlencoding, double urlencoding but it didn't work D: then I looking to google for the reference and found this repository https://github.com/s0md3v/AwesomeXSS. After a while tried the payload from that repository, I have successfully bypassed a WAF using onmouseleave event. The payload looks like this :

“><a href=”#” onmouseleave=alert(99)>Click

WAF Bypassed

Then I show the response in browser and payload was triggered

XSS Popped Up

Then I reported it to my friend and the bug has been fixed. Thanks for reading my article, hopefully can help. Apologize if there any errors in text.

Keep learning and stay safe.

Follow me on twitter :

https://twitter.com/0xrdnzx