Reflected XSS — Mod Security Bypass

Muhammad Sarim Raza
2 min read · May 30, 2021

Hello everyone! This is my third writeup regarding my recent finding, i.e. Reflected XSS (Bypassing Mod Security WAF). I found this vulnerability in my friend’s website https://thecouponspromo.com. The site wasn’t using any filter but relying on a WAF, which I successfully bypassed and carried out the attack. I presume that whoever is reading this has some knowledge of JavaScript and XSS attacks. So let’s start!

I was looking at the website just like a normal user. I started using the search bar of the site, and while using it I thought: what if I enter some script tags in it to see how the website handles them? I came to know that the site wasn’t using any filter and was taking user input as it is and reflecting it. I entered a basic XSS payload <script>alert(1)</script>, but it got blocked by Mod Security WAF.

Mod Security WAF blocking a basic XSS payload

Mod Security is a web application firewall that monitors incoming traffic for threats including XSS, SQL injection, etc., but in my opinion it is not very effective because it can be bypassed in many cases. Now the only hurdle for me was to bypass this WAF and carry out a successful XSS attack.

So, I did some research for payloads that can bypass it. I came across this payload: <svg onload='new Function`["_Y000!_"].find(al\u0065rt)`'>. I used it and guess what!

Mod Security WAF Bypassed

The payload worked and the attack was successful. This is my friend’s website so I told him and he got it fixed by his developer.
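As an added example (not code from the post or from the site in question), here is the pattern the writeup describes, a search term reflected verbatim into the page, next to the output-encoding fix that makes both quoted payloads inert regardless of what a WAF in front does. The handler names and the keyword blocklist are stand-ins of my own; the blocklist is not ModSecurity's actual rule set.

```python
import html

# The two payloads quoted in the writeup, used here as constructed test inputs.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<svg onload='new Function`[\"_Y000!_\"].find(al\\u0065rt)`'>",
]


def render_search_vulnerable(term: str) -> str:
    """What the post describes: the search term goes into the HTML as-is."""
    return f"<p>Results for: {term}</p>"


def render_search_fixed(term: str) -> str:
    """Context-aware output encoding for an HTML text node.

    quote=True also escapes ' and ", so the same helper stays safe if the
    value is later placed inside a quoted attribute.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def naive_keyword_filter(term: str) -> bool:
    """Hypothetical signature check standing in for a WAF rule (assumption,
    not ModSecurity's real logic). Returns True when the input is blocked.
    It matches literal spellings only, which is why obfuscated identifiers
    such as the \\u0065 escape in the second payload slip past it."""
    lowered = term.lower()
    return any(sig in lowered for sig in ("<script", "alert("))


def is_inert(rendered: str, template_tags=("<p>", "</p>")) -> bool:
    """True if the only markup left in the fragment is our own template:
    strip one copy of each template tag, then make sure no raw markup or
    quote characters from the reflected value remain."""
    body = rendered
    for tag in template_tags:
        body = body.replace(tag, "", 1)
    return not any(c in body for c in "<>\"'")


if __name__ == "__main__":
    for p in PAYLOADS:
        print("blocked by keyword filter:", naive_keyword_filter(p))
        print("vulnerable render inert:  ", is_inert(render_search_vulnerable(p)))
        print("fixed render inert:       ", is_inert(render_search_fixed(p)))
```

The keyword filter catches only the first payload, while the escaped rendering neutralises both, which is the point: the fix belongs in the application's output encoding, with the WAF as defence in depth at most.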

I also recorded a video PoC for this; in case you want to see it, you can find it here:

https://www.youtube.com/watch?v=NxDjfM4Ny9Y

For a better understanding of XSS attacks and their exploitation, I would like you to go through the following:

Thank you for reading!
