Cloudflare WAF Bypass (simple but effective)


Foreword

In the field of information security, finding and exploiting various vulnerabilities is the daily work of us security researchers. Through continuous exploration and mining, we can discover and use some unexpected little tricks to bypass existing security protection measures, such as WAF (Web Application Firewall). Today, I want to share with you several interesting techniques I have seen recently, including encoding bypass, Cloudflare WAF bypass, XSS bypass technology, and actual cases of OS command injection.

These techniques are not only the accumulated experience in my daily work, but also the crystallization of wisdom from many peers. Through these examples, I hope to help everyone gain more inspiration and skills when exploring SRC (Bug Bounty Platform). Whether you are a beginner just starting out or an experienced expert, I hope this article will be helpful to you, and let's walk further on the road of information security together.


Encoding Bypass

  1. Cloudflare WAF Bypass (simple but effective)

    Example Explanation:

    • Initial request: when url/?f=/etc/passwd is requested directly, that is, when the URL parameter f is used to try to read the /etc/passwd file, the server returns a 403 status code, meaning access is forbidden. The WAF (Web Application Firewall) detects that the request is trying to access a sensitive file and blocks it.

    • Base64 encoding: to get past the WAF's detection, the string /etc/passwd is Base64-encoded. The Base64-encoded result is L2V0Yy9wYXNzd2Q=

    The complete request becomes:

    url/?f=L2V0Yy9wYXNzd2Q=

This request was successfully returned with a 200 status code, indicating that the server successfully processed the request.

    Detailed Explanation:

    • 403 status code: when url/?f=etc/passwd is requested directly, the server detects that the request path contains a sensitive keyword (etc/passwd), the WAF rule is triggered, and a 403 status code is returned, indicating that access is forbidden. This is a common WAF defense measure used to prevent unauthorized file access.

    • Base64 encoding bypass technique: Base64 is a common encoding that turns binary data into an ASCII string. Base64-encoded content is usually not detected by the WAF, because the WAF mainly matches plaintext sensitive keywords. The string /etc/passwd encoded in Base64 is L2V0Yy9wYXNzd2Q=.

    • When the request is sent with the Base64-encoded string, the WAF finds no sensitive keyword and therefore does not block the request, which returns a 200 status code.
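The Base64 case above is a normalization gap: the WAF compares the raw parameter text against a plaintext signature, so any reversible encoding hides the keyword. The Python below is an added example, not code from the original article or from Cloudflare, showing a minimal inspection routine that URL-decodes and Base64-decodes a parameter a bounded number of times before matching, fed with the two requests the page discusses. The rule pattern, the `decide` function, the round limit and the sample inputs are assumptions of this example, not any real WAF rule set.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote

# Constructed rule: the path fragments a plaintext WAF signature would look for.
SENSITIVE = re.compile(r"(?:^|/)etc/(?:passwd|shadow)\b", re.IGNORECASE)

def naive_check(value: str) -> bool:
    """Plaintext-only matching, as the page describes: blind to encoded input."""
    return bool(SENSITIVE.search(value))

_B64_CHARS = re.compile(r"[A-Za-z0-9+/=_-]{4,}")

def try_base64(value: str):
    """Return the decoded text if `value` is Base64 (standard or URL-safe) of
    printable UTF-8, otherwise None. Ordinary words and paths fail this test."""
    candidate = value.strip()
    if not _B64_CHARS.fullmatch(candidate):
        return None
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)   # tolerate stripped padding
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def normalized_forms(value: str, max_rounds: int = 3):
    """Collect `value` plus its URL-decoded and Base64-decoded variants,
    repeated a bounded number of rounds so layered encodings unwrap too."""
    forms = [value]
    frontier = [value]
    for _ in range(max_rounds):
        new = []
        for v in frontier:
            for cand in (unquote(v), try_base64(v)):
                if cand is not None and cand not in forms:
                    forms.append(cand)
                    new.append(cand)
        if not new:
            break
        frontier = new
    return forms

def normalized_check(value: str) -> bool:
    """Match the rule against every decoded form, not only the raw text."""
    return any(SENSITIVE.search(v) for v in normalized_forms(value))

def decide(query_string: str) -> int:
    """HTTP status a normalizing WAF would give for a query string (assumed API)."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        if any(normalized_check(v) for v in values):
            return 403
    return 200

if __name__ == "__main__":
    # Constructed inputs: the page's plain and encoded requests plus a benign one.
    for q in ("f=/etc/passwd", "f=L2V0Yy9wYXNzd2Q=", "f=L2V0Yy9wYXNzd2Q%3D", "f=readme.txt"):
        raw = unquote(q.split("=", 1)[1])
        print(f"{q:26} naive_blocks={naive_check(raw)!s:5} normalizing_status={decide(q)}")
```

The bounded decoding loop matters: an unbounded one is a denial-of-service surface, and a decoder that accepts arbitrary bytes will "find" Base64 in ordinary words, so the helper only accepts printable UTF-8 output. The same idea applies to the request path and headers, not just the query string.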

Cloudflare WAF Bypass (simple but effective)

Example 1: Basic Bypass Technique

This example uses some simple but effective techniques to bypass Cloudflare's Web Application Firewall (WAF):

<img hrEF="x" sRC="data:x," oNLy=1 oNErrOR=prompt1>

The main techniques include:

  1. Attribute name confusion: href is written as hrEF, src as sRC, and onerror as oNErrOR. Mixing the case this way can bypass some of the WAF's basic string-matching rules.

  2. data: URI: the data:x, part is an empty image data URI, used so that the image fails to load and triggers the onerror event.

  3. onerror event: the onerror event fires when the image fails to load; here it is set to
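The mixed-case trick works against a signature that matches the literal string onerror= in the raw request, while a browser lower-cases attribute names before acting on them. The Python below is an added example, not code from the original article, and it contrasts that naive signature with two defender-side checks: inspecting the parsed attributes (where oNErrOR and onerror are the same key, and a data: or javascript: URL in src/href is flagged) and an allow-list sanitizer that drops every attribute not explicitly permitted, whatever its case. The sample fragment, the allow-list and the function names are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample in the shape the page discusses: mixed-case attribute
# names, a junk attribute, and a data: URI that forces the load error.
SAMPLE = '<img hrEF="x" sRC="data:x," oNLy=1 oNErrOR=prompt1>'

# A plaintext, case-sensitive signature of the kind the mixed case defeats.
NAIVE_RULE = re.compile(r"onerror=")

def naive_match(fragment: str) -> bool:
    return bool(NAIVE_RULE.search(fragment))

class AttrInspector(HTMLParser):
    """Parse the markup as a browser would; HTMLParser lower-cases tag and
    attribute names, so oNErrOR and onerror arrive as the same key."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip().lower()
            # Any on* attribute is an event handler; the decoy oNLy trips this
            # too, which is one reason an allow-list beats a block-list.
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in ("src", "href") and value.startswith(("data:", "javascript:")):
                self.findings.append((tag, name, "scriptable or data: URI"))

    handle_startendtag = handle_starttag

def inspect(fragment: str):
    p = AttrInspector()
    p.feed(fragment)
    p.close()
    return p.findings

class AllowListSanitizer(HTMLParser):
    """Rebuild the markup keeping only allow-listed tags and attributes and
    only http(s)/relative URLs; everything else is dropped regardless of case."""
    ALLOWED = {"img": {"src", "alt"}, "a": {"href"}, "p": set(), "b": set(), "i": set()}
    VOID = {"img"}
    SAFE_PREFIXES = ("http://", "https://", "/")

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.ALLOWED[tag]:
                continue
            if name in ("src", "href") and not value.strip().lower().startswith(self.SAFE_PREFIXES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(fragment: str) -> str:
    s = AllowListSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

if __name__ == "__main__":
    print("naive signature matches:", naive_match(SAMPLE))
    print("parsed-attribute findings:", inspect(SAMPLE))
    print("sanitized output:", sanitize(SAMPLE))
```

The parser-based inspection is useful for detection and logging, but the allow-list sanitizer is the control that actually removes the risk: it never needs to know which attribute names or case variants are dangerous, only which ones are permitted.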
