Red Team — Testing WAF Resilience Against XSS
Modern WAFs effectively filter classic payloads.
👉 But they are not infallible.
In an audit, it is essential to test their resistance against advanced XSS vectors.
An exploited XSS vulnerability can allow:
→ client-side code execution
→ session hijacking
→ user account compromise
⚠️ A WAF should never be considered a sufficient protection on its own.
🔤 1. Encoding Variants
👉 Unicode, partial encoding, normalisation.
- Testing Unicode and HTML entity encodings
- Partial encoding to bypass filtering
- Browser-side vs WAF-side normalisation
🏷️ 2. HTML Tag Manipulation
👉 Alternative unfiltered structures.
- Lesser-known HTML5 tags (details, svg, math)
- Alternative event handler attributes
- Payload fragmentation to bypass detection
⚡ 3. Dynamic JavaScript
👉 Bypass via dynamic evaluation.
- Dynamic JavaScript string construction
- Use of alternative evaluation functions
- Prototype pollution and JavaScript gadgets
🌐 4. DOM-Based Scenarios
👉 Not visible server-side — often ignored by WAFs.
- Injection via URL fragment (#)
- DOM sources: location.hash, document.referrer
- DOM sinks: innerHTML, eval, document.write
💡 Good Pentest Reflex
The injection context is often more important than the payload
Always analyse the injection context before testing payloads:
« Understanding the context is often more decisive than the payload itself. »
- HTML context → direct injection into the DOM
- Attribute context → encoding and delimiters to analyse
- JavaScript context → JS parsing logic to explore
📚 Real Case — Bug Bounty Programme
DOM-based XSS not detected by the WAF
- Protection in place: WAF + active server-side filtering
- Vulnerability found: client-side DOM-based XSS
- WAF detection: not detected (server-invisible)
- Impact: user session access
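Added illustration (not code from the original post): the source-to-sink pattern behind this case, with context-aware encoding as the fix. Assumes a page that greets the user named in the URL fragment (#name=...) and a WAF that only sees the HTTP request; the fragment never reaches the server.

```javascript
// Added example, not from the original post. Pure functions so it runs in
// Node: the fragment is passed in as a string instead of read from
// window.location.hash, and the markup is returned instead of assigned to
// element.innerHTML. The WAF never sees the fragment, so the fix is client-side.

// Source: read the name from a fragment of the form "#name=<value>".
function nameFromFragment(hash) {
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "";
}

// Encode untrusted data for an HTML text context (between tags).
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode untrusted data for a quoted attribute value: every character outside
// [A-Za-z0-9] becomes a numeric entity, so neither a quote nor a space can
// close the attribute or start a new one (such as an event handler).
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// VULNERABLE: untrusted fragment data is concatenated into markup that the
// page would then hand to innerHTML. Nothing server-side can catch this.
function renderUnsafe(hash) {
  return "<p>Hello, " + nameFromFragment(hash) + "</p>";
}

// HARDENED: same value, encoded for each context it lands in (attribute and
// HTML text). In a real page, element.textContent = name is simpler still.
function renderSafe(hash) {
  const name = nameFromFragment(hash);
  return '<p title="' + encodeForAttribute(name) + '">Hello, ' +
    encodeForHtml(name) + "</p>";
}

// Constructed sample fragment carrying a tag with an event handler attribute.
const SAMPLE_HASH = "#name=" + encodeURIComponent('<img src=x onerror="probe()">');
```

A CSP that disallows inline scripts and handlers adds a second layer on top of the encoding, but it does not replace it.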
🧠 What This Demonstrates
A WAF is a defence layer, not a complete solution
Both server-side AND client-side validation are necessary
Development best practices remain the real protection
🧠 Key Takeaway
A WAF is a defence layer, not a complete solution.
Security relies on:
✔ Server-side validation
✔ Client-side hardening (CSP, output encoding)
✔ Development best practices
Resources: PortSwigger Web Security Academy · OWASP XSS Prevention Cheat Sheet
During your audits, which techniques most often allow you to find XSS vulnerabilities despite a WAF?
Need personalised guidance?
NagaShield Security helps you implement these measures concretely, tailored to your organisation and budget.
Request a free diagnostic