Bypass WAF 403 Forbidden lead to Cross Site Scripting (XSS)

Radian ID
2 min readMay 5, 2021


Hello everyone, in this article I will share “How I Bypassed a WAF” to chain it into a Reflected XSS.

Some time ago, my friend Mamet Nugraha built a website for downloading Instagram and Facebook videos and photos; you can check it out at saveas.w3llsquad.or.id. Since I was idle, I decided to pentest the website. After a while, I found an interesting endpoint in my Burp history, like this:

https://saveas.w3llsquad.or.id/download.php?url=http://linktoavideo.website/test.mp4&type=xxx&format=mp4&title=xxx

Then I sent the request to Repeater and edited the value of the `?url=` parameter. In the response I saw that the Content-Type was text/html.

Look at Content-Type header in the response

So I tried to put in an XSS payload, but I got redirected to a 403 Forbidden page :(

Got redirected after putting in a payload

Then I tried to find a bypass. I tried some bypasses like URL encoding and double URL encoding, but they didn’t work :( Then I looked on Google for references and found this repository: https://github.com/s0md3v/AwesomeXSS. After trying payloads from that repository for a while, I successfully bypassed the WAF using the onmouseleave event. The payload looks like this:

"><a href="#" onmouseleave=alert(99)>Click

WAF Bypassed

Then I showed the response in the browser and the payload was triggered.

XSS Popped Up

Then I reported it to my friend and the bug has been fixed.
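As an added illustration (not code from the original post or from the site described), the following Python models why a blocklist of well-known event handlers misses the onmouseleave payload above, and what the actual fix looks like: validate the url parameter against an allow-list of http(s) URLs and HTML-encode it for the attribute context. The vulnerable template and the WAF rules are assumptions, since the post shows neither the server code nor the WAF's rule set.

```python
import html
import re
from urllib.parse import urlsplit

# Payload from the write-up (constructed copy): closes the attribute value it
# lands in and adds an event handler the WAF's blocklist did not cover.
PAYLOAD = '"><a href="#" onmouseleave=alert(99)>Click'
GOOD_URL = "http://linktoavideo.website/test.mp4?a=1&b=2"  # constructed sample

# Hypothetical blocklist WAF rule: a handful of well-known tags and handlers.
# The real WAF's rules are not on the page; this only illustrates the gap.
BLOCKLIST = re.compile(
    r"<script|onerror\s*=|onload\s*=|onclick\s*=|onmouseover\s*=", re.I)

# Generic detection: any HTML event-handler attribute (on<name>=) in the value.
ANY_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)


def blocklist_waf_blocks(value: str) -> bool:
    return bool(BLOCKLIST.search(value))


def generic_waf_blocks(value: str) -> bool:
    return bool(ANY_EVENT_HANDLER.search(value))


def render_vulnerable(url: str) -> str:
    """Assumed vulnerable template: reflects the url parameter unencoded."""
    return f'<a href="{url}">Download</a>'


def is_valid_download_url(url: str) -> bool:
    """Allow-list check: only absolute http(s) URLs with a host are accepted."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def escape_attribute(value: str) -> str:
    """Encode for a double-quoted HTML attribute: " < > & ' become entities."""
    return html.escape(value, quote=True)


def render_fixed(url: str) -> str:
    """Hardened template: validate first, then encode for the attribute
    context so quotes and angle brackets can no longer break out of it."""
    if not is_valid_download_url(url):
        raise ValueError("url must be an absolute http(s) URL")
    return f'<a href="{escape_attribute(url)}">Download</a>'
```

Note that the generic rule is still only a mitigation layer; the output encoding in render_fixed is what removes the injection regardless of which event name the payload uses.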

Thanks for reading my write-up; hopefully it can help. I apologize if there are errors in the writing.

Keep learning and stay safe!
