4.2.8. WAF Bypass

  • Use the <> tag

  • Use HTML attributes
    • href

    • lowsrc

    • bgsound

    • background

    • value

    • action

    • dynsrc

  • Keywords
    • Split with carriage return

    • String concatenation
      • window["al" + "ert"]

  • Bypass by encoding
    • base64

    • jsfuck

    • String.fromCharCode

    • HTML

    • URL

    • hex
      • window["\x61\x6c\x65\x72\x74"]

    • unicode

    • utf7
      • +ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-

    • utf16

  • Mixed uppercase and lowercase

  • Encode tag attribute values

  • Generate events

  • CSS cross-site parsing

  • Length limit bypass
    • eval(name)

    • eval(hash)

    • import

    • $.getScript

    • $.get

  • .
    • Bypass IP/domain name filters

    • document['cookie'] to bypass filters on property access

  • Quote filters are bypassed with `` ` ``
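
Most items in this list work against a filter that matches the raw request string, so the defensive counterpart is to canonicalize the value before matching. The Python sketch below is an added example, not part of the original notes: the signature, the function names and the fourth sample are assumptions, and the first three samples are the strings shown in the list above.

```python
import html
import re
from urllib.parse import unquote

# Toy signature standing in for a WAF rule (assumption, not a real rule set).
SIGNATURE = re.compile(r"<script|alert")

def _utf7(m):
    # Decode one UTF-7 shifted run such as "+ADw-"; keep it if malformed.
    try:
        return m.group(0).encode("ascii").decode("utf-7")
    except UnicodeError:
        return m.group(0)

def _char_codes(m):
    # String.fromCharCode(97,108,...) -> the quoted string it evaluates to.
    return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'

def normalize(value, max_rounds=5):
    """Canonicalize a parameter value before matching (heuristic, bounded)."""
    for _ in range(max_rounds):
        prev = value
        value = unquote(value)                               # URL encoding
        value = html.unescape(value)                         # HTML entities
        value = re.sub(r"\+[A-Za-z0-9/]+-", _utf7, value)    # UTF-7 runs
        value = re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                       lambda m: chr(int(m.group(1) or m.group(2), 16)), value)
        value = re.sub(r"String\.fromCharCode\((\d{1,6}(?:\s*,\s*\d{1,6})*)\)",
                       _char_codes, value)
        value = re.sub(r"[\r\n\t\x00]", "", value)           # split keywords
        value = re.sub(r"""["'`]\s*\+\s*["'`]""", "", value) # "al" + "ert"
        if value == prev:
            break
    return value.lower()                                     # case confusion

def detect(value):
    return SIGNATURE.search(normalize(value)) is not None

if __name__ == "__main__":
    samples = [  # first three are the page's own strings; the last is constructed
        'window["al" + "ert"]',
        r'window["\x61\x6c\x65\x72\x74"]',
        "+ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-",
        "%3CScRiPt%3E",
    ]
    for s in samples:
        print(bool(SIGNATURE.search(s)), detect(s), normalize(s))
```

Normalization of this kind only narrows the gap between what the filter sees and what the browser parses; entries such as jsfuck or eval(name) carry no fixed keyword to recover, which is why output encoding and a Content Security Policy remain the primary controls.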