Soldier
Essential
- Joined
- 20.10.20
- Messages
- 87
- Reaction score
- 606
- Points
- 83
The problem has been known since at least June 2019, but it still remains uncorrected.
Cloudflare's Web Application Firewall (WAF), used by more than 25 million sites, contains a vulnerability that allows you to bypass the rules and carry out an XSS attack. It is noteworthy that the problem has been known since at least June 2019, but it still remains uncorrected.
Earlier this year, IB expert Jackson Henry, known online as "CVE-JACKSON-1337", demonstrated a method to bypass Cloudflare WAF using the svg HTML tag, usually used as a container for storing SVG graphics. The method involves adding to the tag <svg onl oad=alert ("1")> encoded characters and zeros, which turns it into an exploit to bypass Cloudflare WAF.
For the first time, this bypass method was described by expert Bohdan Korzhynsky in the summer of 2019, in September 2020, the expert reported that Cloudflare rolled back some rules that provide an opportunity to bypass XSS protection.
As explained by representatives of Cloudflare, the company began work on fixing the problem immediately after learning about it. The company plans to eliminate this XSS vector with the next release of its engine, which handles encoding more efficiently. At the moment, the engine is being tested by a group of Cloudflare customers, and the release itself is expected at the beginning of this year.
Cloudflare's Web Application Firewall (WAF), used by more than 25 million sites, contains a vulnerability that allows you to bypass the rules and carry out an XSS attack. It is noteworthy that the problem has been known since at least June 2019, but it still remains uncorrected.
Earlier this year, IB expert Jackson Henry, known online as "CVE-JACKSON-1337", demonstrated a method to bypass Cloudflare WAF using the svg HTML tag, usually used as a container for storing SVG graphics. The method involves adding to the tag <svg onl oad=alert ("1")> encoded characters and zeros, which turns it into an exploit to bypass Cloudflare WAF.
For the first time, this bypass method was described by expert Bohdan Korzhynsky in the summer of 2019, in September 2020, the expert reported that Cloudflare rolled back some rules that provide an opportunity to bypass XSS protection.
As explained by representatives of Cloudflare, the company began work on fixing the problem immediately after learning about it. The company plans to eliminate this XSS vector with the next release of its engine, which handles encoding more efficiently. At the moment, the engine is being tested by a group of Cloudflare customers, and the release itself is expected at the beginning of this year.