Earlier this year, my colleague identified an application that was clearly vulnerable to Cross-Site Scripting (XSS), as special characters were not encoded.

However, he quickly learned that the application was behind a WAF, as attempts to exploit the XSS resulted in an HTTP 403 error message.

Standard AWS WAF error message

After talking to the application owners, we learned that the application is in fact behind an AWS WAF with the Core Rule Set (CRS) enabled.

Taking into account how many web applications use AWS WAF with CRS, bypassing it seemed quite challenging. However, we decided to spend some extra time attempting to do so.

Bypassing AWS WAF CRS with Cross-Site-Scripting (XSS) Payload