Technical Support Request - Issue with XSS Attack Detection

What is the domain name?

  • xss.today

Have you searched for an answer?

  • Yes, I have searched for solutions online.

When you tested your domain, what were the results?

  • The XSS payload was not blocked by Cloudflare’s WAF despite being in “Under Attack” mode and having the XSS protection rules enabled.

Describe the issue you are having:

  • I am attempting to test Cloudflare’s XSS protection capabilities in a controlled laboratory setting by submitting a basic XSS payload through my site. Despite Cloudflare’s WAF being active, the payload passes through without being detected or blocked.

What error message or number are you receiving?

  • No error message was received; the payload was executed as if no WAF rules were in place to block XSS attacks.

What steps have you taken to resolve the issue?

  1. Verified that Cloudflare’s WAF is enabled and properly configured for my domain.
  2. Ensured that the “I’m Under Attack” mode is active.
  3. Reviewed Cloudflare’s documentation for any additional configuration steps I might have missed.

Was the site working with SSL prior to adding it to Cloudflare?

  • Yes, the site was fully functional with SSL before integrating with Cloudflare.

What are the steps to reproduce the error:

  1. Navigate to the form submission page on my site.
  2. Submit the following XSS payload: <script>alert('XSS');</script>
  3. Observe that the payload executes without being blocked by Cloudflare.

Have you tried from another browser and/or incognito mode?

  • Yes, I’ve tried multiple browsers, including in incognito mode, with the same results.

Please attach a screenshot of the error:
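
Added example, not part of the original post and not Cloudflare tooling: a triage helper that classifies the response to the test submission described above, so that "not blocked" can be separated into traffic that never passed through Cloudflare, traffic that was challenged or blocked, and traffic that reached an application which reflects input unescaped. The function name, result labels and sample responses are constructed for illustration; it assumes proxied responses carry a `CF-RAY` header and challenge pages carry `cf-mitigated: challenge`.

```python
import html

# Payload quoted in the reproduction steps above.
PAYLOAD = "<script>alert('XSS');</script>"

def triage(status, headers, body, payload=PAYLOAD):
    """Classify one HTTP response to the test submission."""
    h = {k.lower(): v for k, v in headers.items()}
    # Cloudflare adds CF-RAY to responses it proxies; without it the request
    # most likely went straight to the origin and no WAF rule was evaluated.
    if "cf-ray" not in h:
        return "not_proxied"
    # Challenge pages are marked with "cf-mitigated: challenge".
    if h.get("cf-mitigated", "").lower() == "challenge":
        return "challenged"
    # A 403 on a proxied request is consistent with a WAF block, but the
    # origin can also answer 403, so confirm it in the security events view.
    if status == 403:
        return "blocked_403"
    # Verbatim payload in the body: nothing blocked it AND the application
    # does no output encoding, which is the root cause to fix at the origin.
    if payload in body:
        return "reflected_unescaped"
    escaped = (html.escape(payload, quote=True), html.escape(payload, quote=False))
    if any(e in body for e in escaped):
        return "reflected_escaped"
    return "not_reflected"

# Constructed sample responses (status, headers, body); not captured traffic.
SAMPLES = [
    (200, {"Server": "nginx"}, "<p>" + PAYLOAD + "</p>"),
    (403, {"Server": "cloudflare", "CF-RAY": "constructed-ray-1",
           "cf-mitigated": "challenge"}, "<title>Just a moment...</title>"),
    (403, {"Server": "cloudflare", "CF-RAY": "constructed-ray-2"}, "blocked"),
    (200, {"Server": "cloudflare", "CF-RAY": "constructed-ray-3"},
     "<p>" + PAYLOAD + "</p>"),
    (200, {"Server": "cloudflare", "CF-RAY": "constructed-ray-4"},
     "<p>" + html.escape(PAYLOAD) + "</p>"),
]

def run_samples():
    return [triage(s, h, b) for s, h, b in SAMPLES]

if __name__ == "__main__":
    for label in run_samples():
        print(label)
```

A `reflected_unescaped` result on a proxied response means the application itself needs output encoding, whatever the WAF does with the request.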