What is the domain name?
Have you searched for an answer?
- Yes, I have searched for solutions online.
When you tested your domain, what were the results?
- The XSS payload was not blocked by Cloudflare’s WAF despite being in “Under Attack” mode and having the XSS protection rules enabled.
Describe the issue you are having:
- I am attempting to test Cloudflare’s XSS protection capabilities in a controlled laboratory setting by submitting a basic XSS payload through my site. Despite Cloudflare’s WAF being active, the payload passes through without being detected or blocked.
What error message or number are you receiving?
- No error message was received; the payload was executed as if no WAF rules were in place to block XSS attacks.
What steps have you taken to resolve the issue?
- Verified that Cloudflare’s WAF is enabled and properly configured for my domain.
- Ensured that the “I’m Under Attack” mode is active.
- Reviewed Cloudflare’s documentation for any additional configuration steps I might have missed.
Was the site working with SSL prior to adding it to Cloudflare?
- Yes, the site was fully functional with SSL before integrating with Cloudflare.
What are the steps to reproduce the error:
- Navigate to the form submission page on my site.
- Submit the following XSS payload:
- Observe that the payload executes without being blocked by Cloudflare.
Have you tried from another browser and/or incognito mode?
- Yes, I’ve tried multiple browsers, including in incognito mode, with the same results.
Please attach a screenshot of the error:
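A first check a defender would run when a WAF rule never fires, as an added example that is not part of the original post: confirm that the request actually traversed Cloudflare's proxy instead of reaching the origin directly. It relies on the `cf-ray` and `Server: cloudflare` response headers that Cloudflare sets on proxied responses; the sample header dictionaries are constructed, and `fetch_headers` is a hypothetical helper for a live lab check.

```python
"""Check whether an HTTP response actually came through Cloudflare's proxy.

Added example, not code from the forum post. If a request reaches the origin
directly (DNS record not proxied, or origin IP exposed), no Cloudflare WAF
rule can inspect it, so a payload passing through proves nothing about the WAF.
"""
from typing import Dict
import urllib.request


def via_cloudflare(headers: Dict[str, str]) -> bool:
    """True if the response headers show Cloudflare's proxy handled the request."""
    lower = {k.lower(): v for k, v in headers.items()}
    return "cf-ray" in lower and lower.get("server", "").lower() == "cloudflare"


def diagnose(headers: Dict[str, str]) -> str:
    """Explain, from headers alone, why a WAF block may not have occurred."""
    if not via_cloudflare(headers):
        return ("Response did not traverse Cloudflare; WAF rules cannot apply. "
                "Check that the DNS record is proxied and that the origin "
                "is not reachable directly.")
    return ("Response traversed Cloudflare; check the configured action of the "
            "WAF rule that should have matched.")


def fetch_headers(url: str) -> Dict[str, str]:
    """Hypothetical live helper: fetch a URL and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample headers: one proxied response, one direct-to-origin response.
PROXIED = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
           "Content-Type": "text/html"}
DIRECT = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(diagnose(PROXIED))
    print(diagnose(DIRECT))
```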