
Help bypass WAF for XSS

qGodless

User, registered 10.07.2022, 385 messages, 106 reactions
Akamai WAF blocks any a-Z characters after <

example: /contact?q=value"><a-Z is blocked by the WAF, but if we add a space before a-Z it's allowed (value">< a-Z)
[screenshot attached]

But the XSS doesn't alert when there is a space; I tried special chars instead of regular characters (a-Z)

Blocked characters: ? ! /
Allowed characters: ~ @ # $ % ^ & * ( ) - _ + = { } ] [ | \ ` , . ; : ' " < >
+ numbers


Is there a way to abuse these special chars or numbers to pop the xss?
 
Unicode <img src=x onerror=\u0061\u006C\u0065\u0072\u0074(1)>
Entities <img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>
Concatenation <img src=x onerror=String.fromCharCode(97,108,101,114,116)(1)>

There are multiple ways of bypassing it; the problem in general with WAFs is that they don't like special characters such as ! # $ %, they consider them injections/attacks.

Try to find out what type of WAF you are dealing with; that way you can read about it and understand its structure when it comes to XSS.
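The three payload variants above are the same handler value in three encodings, which is why a WAF that matches raw bytes against a blocklist misses them. The defensive counterpart is to canonicalise the parameter before matching. The following is an added example written for this thread, not code posted by anyone in it: it decodes HTML numeric/named entities, JavaScript `\u`/`\x` escapes and literal `String.fromCharCode(...)` calls until the value stops changing, then compares which illustrative rules fire on the raw value versus the canonical one. The rule set and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the thread. Canonicalise attacker-controlled
// input before matching it, so that encoded variants of one value are seen
// as that value. Rules below are illustrative only.

// Numeric entities (&#97; / &#x61;) and a few common named ones.
const NAMED_ENTITIES = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

function decodeHtmlEntities(s) {
  return s
    .replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, num) =>
      String.fromCodePoint(/^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, name) => NAMED_ENTITIES[name.toLowerCase()]);
}

// JavaScript string escapes: \u0061, \u{61}, \x61.
function decodeJsEscapes(s) {
  return s.replace(/\\u\{([0-9a-f]{1,6})\}|\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (_, brace, u4, x2) => String.fromCodePoint(parseInt(brace || u4 || x2, 16)));
}

// Fold literal String.fromCharCode(97,108,...) calls into the string they build.
function foldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/gi, (_, list) =>
    String.fromCharCode(...list.split(',')
      .map(n => n.trim()).filter(n => n !== '').map(n => parseInt(n, 10))));
}

// Apply the decoders until nothing changes. The round limit keeps nested
// encodings from turning this into an unbounded loop. Lower-case at the end
// so rule matching is case-insensitive on the canonical form.
function canonicalize(input, maxRounds = 5) {
  let cur = String(input);
  for (let i = 0; i < maxRounds; i++) {
    const next = foldFromCharCode(decodeJsEscapes(decodeHtmlEntities(cur))).toLowerCase();
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Illustrative rules (constructed); a real rule set is far larger.
const RULES = {
  'event-handler': /\bon[a-z]+\s*=/i,              // inline on*= attribute
  'js-sink': /\b(alert|confirm|prompt|eval)\s*\(/i, // common test/exec sinks
  'js-url': /javascript\s*:/i,                      // javascript: scheme
};

function matchRules(s) {
  return Object.keys(RULES).filter(name => RULES[name].test(s));
}

// Which rules fire on the raw value versus its canonical form.
function analyze(raw) {
  return { raw: matchRules(raw), canonical: matchRules(canonicalize(raw)) };
}
```

Run `analyze()` on the entity or `\u` encoded form of the img payload and only the `event-handler` rule fires on the raw string, while the canonical form also trips `js-sink`; that gap is exactly what a rule author should test for when adding a new signature.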
 
but if we add a space before a-Z it's allowed
Instead of trying to add new tag, check if you can input JS code inside the tag you are in.
I saw input tag in screenshot, so if you are inside input tag you can try this:
Code:
" onfocus="alert(1)" autofocus="">
 
Instead of trying to add new tag, check if you can input JS code inside the tag you are in.
I saw input tag in screenshot, so if you are inside input tag you can try this:
Code:
" onfocus="alert(1)" autofocus="">
Great thinking, your payload did solve the problem, but it doesn't seem to be doing anything. I tried the payload on brutelogic, also tried confirm(), prompt(), print(), blind XSS, but none work; maybe the WAF is stopping me from running JS
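The attribute-breaking payload discussed above only gets past the `<` rule because the reflected parameter is written straight into a `value=""` attribute with no attribute-context encoding; the WAF is a second line, the encoding is the fix. The following is an added example for this thread, not code from the forum or from any product it mentions: a minimal attribute encoder, a hypothetical template for a reflected `q` parameter with a switch to reproduce the unencoded rendering, and a small tokenizer (constructed here, not a real HTML parser) that lists the attribute names a browser would see in each case.

```javascript
// Added example, not code from the thread. Attribute-context encoding for a
// reflected parameter, plus a check that the payload no longer creates
// extra attributes. Template and parameter name are assumptions.

// Encode the characters that can close an attribute or tag or start an entity.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hypothetical server-side template for a reflected q parameter. encode:false
// reproduces the vulnerable rendering for comparison only.
function renderSearchBox(q, { encode = true } = {}) {
  const v = encode ? encodeForHtmlAttribute(q) : q;
  return `<input type="text" name="q" value="${v}">`;
}

// Tiny tokenizer (constructed for this example): takes the first tag, ends it
// at the first > outside quotes as a browser would, and lists attribute names.
function attributeNames(html) {
  const tag = /^<\w+((?:[^>"']|"[^"]*"|'[^']*')*)>/.exec(html);
  if (!tag) return [];
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attribute names the rendered input ends up with for a given q value.
function renderedAttributeNames(q, opts) {
  return attributeNames(renderSearchBox(q, opts));
}
```

With the thread's payload as `q`, the unencoded rendering yields five attributes (the injected `onfocus` and `autofocus` among them); the encoded rendering yields only `type`, `name` and `value`, with the payload inert inside the quoted value. The same check is a cheap regression test to keep next to the template.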
 

