XSS attack allowed by Cloudflare

Hi - we have just conducted a PenTest and the assessor was able to carry out an XSS successfully even though we have WAF enabled with XSS protection enabled.

The assessor was able to submit <img src=a onerror=prompt(IW)> successfully while if I try myself from the interface I get blocked by WAF.

This is an example of payload that managed to escape the WAF filtering

Sorry I had to paste most of the content on pastebin because discourse is enforcing some restrictions on my account

Can you open a ticket and post the number here? @mdemoura will probably take a look at it as well.

1 Like

Hi - Thanks. I’ve submitted ticket #2150054

1 Like

Resolved in ticket