New XSS Bypass Method for CloudFlare WAF

New XSS Bypass Method for CloudFlare WAF

As the Security For Everyone team, we also offer pentest service in addition to our product. While doing penetration testing for a private company, we found that the company uses Cloudflare WAF.


Cloudflare is a CDN service that helps improve the user experience in the form of website speed and web application performance. Cloudflare includes analysis, DDOS protection, CDN, DNS, security firewall, optimizer and more all in one package. In short, Cloudflare can be said to achieve faster results and protect web applications from attackers.

How Can You Detect Which Web Application Uses It?

The simplest way to do this is when you add the wappalyzer browser extension to your browser, it tells you which technologies are used.

How We were Able To Bypass CloudFlare WAF?

First of all, there are some tools prepared for this job.

However, mostly these automatic tools will not be a solution for you and you will have to do this manually.

Manual Process:

When we tried some simple XSS payloads in the form fields, we discovered that WAF blocked them. For example, when we sent the following payload to the server, WAF prevented it.

To run a simple XSS payload on the target application we need space characters our payload. However, when we sent %20 characters which are URL encoded forms of space, it was not converted to the space character on the application.

We need to space in JavaScript code that is planned to execute on the application side. So, we sent different characters to test the behavior of the app. We noticed that the / character was replaced with a space character.

Accordingly, we updated the payload again and it's worked. No more Cloudflare WAF blocked message.

Here is the latest payload that bypasses Cloudflare protection and runs on the target application page:

For additional information about the web application penetration service, please visit here.