Blog

<h2>Introduction</h2> In web application security, one of the most common misconceptions is that a Web Application Firewall (WAF) can “solve” Cross-Site Scripting (XSS). In practice, a WAF may detect and block many known attack patterns, but it is not a substitute for secure application design, correct output encoding, and context-aware input handling.This post documents a real-world style observation: one XSS attempt was blocked by an upstream protection layer, while a different variation still resulted in script execution. The goal of this write-up is not to provide a bypass recipe, but to explain why this happens, what defenders should learn from it, and how engineering teams should respond.During initial testing, one reflected XSS attempt was stopped by the upstream protection layer.<figure id="figure-fw0ru8h4pgmne1nbzw" class=""><img id="fw0ru8h4pgmne1nbzw" src="https://cdn.durable.co/blocks/6FUoK231vkll40ZuosC4VwFgX0GSxjIuvnDgYtL3ECoe4TTcAxjlsecJdHSC8ghB.png" alt="" title="" class="object-cover bg-gray-100 rounded-sm md:rounded-md lg:rounded-lg" style="aspect-ratio: 16/9; object-position: center center;" data-corners="default" data-aspect="16:9" data-caption="" data-positionx="undefined" data-positiony="undefined" data-fullwidth="false" data-mce-src="https://cdn.durable.co/blocks/6FUoK231vkll40ZuosC4VwFgX0GSxjIuvnDgYtL3ECoe4TTcAxjlsecJdHSC8ghB.png" data-mce-style="aspect-ratio: 16/9; object-position: center center;"></figure>At this stage, the block only showed that one request pattern matched a detection rule. It did not prove that the application handled untrusted input safely. After further testing, a different input variation still resulted in JavaScript execution in the browser. <img id="cb33jgaxsmne1lpw0" src="https://cdn.durable.co/blocks/53gqrOdqJwpUgijOKvBcwAAPnnUbXB9XrFpZuIG22oQMmsNOYwTFQHauD12aiLM7.png" alt="" title="" class="object-cover bg-gray-100 rounded-sm md:rounded-md lg:rounded-lg" data-corners="default" data-aspect="16:9" data-caption="" data-positionx="undefined" data-positiony="undefined" data-fullwidth="false" data-mce-src="https://cdn.durable.co/blocks/53gqrOdqJwpUgijOKvBcwAAPnnUbXB9XrFpZuIG22oQMmsNOYwTFQHauD12aiLM7.png" data-mce-style="aspect-ratio: 16/9; object-position: center center;" style="border-color: rgb(229, 231, 235); --tw-scale-x: 1; --tw-scale-y: 1; --tw-pan-x: ; --tw-pan-y: ; --tw-pinch-zoom: ; --tw-scroll-snap-strictness: proximity; --tw-gradient-from-position: ; --tw-gradient-via-position: ; --tw-gradient-to-position: ; --tw-ordinal: ; --tw-slashed-zero: ; --tw-numeric-figure: ; --tw-numeric-spacing: ; --tw-numeric-fraction: ; --tw-ring-inset: ; --tw-ring-offset-width: 0px; --tw-ring-offset-color: #fff; --tw-ring-color: rgba(62,172,255,.5); --tw-ring-offset-shadow: 0 0 #0000; --tw-ring-shadow: 0 0 #0000; --tw-shadow: 0 0 #0000; --tw-shadow-colored: 0 0 #0000; --tw-blur: ; --tw-brightness: ; --tw-contrast: ; --tw-grayscale: ; --tw-hue-rotate: ; --tw-invert: ; --tw-saturate: ; --tw-sepia: ; --tw-drop-shadow: ; --tw-backdrop-blur: ; --tw-backdrop-brightness: ; --tw-backdrop-contrast: ; --tw-backdrop-grayscale: ; --tw-backdrop-hue-rotate: ; --tw-backdrop-invert: ; --tw-backdrop-opacity: ; --tw-backdrop-saturate: ; --tw-backdrop-sepia: ; --tw-transform: translateX(0) translateY(0) rotate(0) skewX(0) skewY(0) scaleX(1) scaleY(1); --tw-border-opacity: 1; --tw-filter: ; --tw-backdrop-filter: ; --tw-bg-opacity: 1; background-color: rgb(243, 244, 246); width: 640px; margin: 0px; padding-top: 0px; padding-bottom: 0px; caret-color: rgba(0, 0, 0, 0); aspect-ratio: 16 / 9; object-position: center center;">

When a WAF Blocks One XSS Payload but Misses Another: Why Cloud-Based Filtering Is Not a Complete XSS Defense

Veilron

Veilron — Unveil Vulnerabilities Within, Strengthen Your Digital Fortresses

Veilron is a Singapore-based cybersecurity and penetration-testing consultancy, dedicated to uncovering hidden flaws within your digital infrastructure — before adversaries can exploit them. 

Leveraging both rigorous, up-to-date methodologies and creative, expert-driven thinking, our consultants simulate realistic attack scenarios to reveal vulnerabilities across networks, applications, cloud setups, and more. 

What we do
External & internal Network Penetration Testing (NPT), Web, Mobile, API, IoT, and even ATM/CDM Application Security Testing (WAPT, MASA, APISA, IOTSA, ATMSA) , Red Teaming and Adversary Emulation — testing how well your defences hold up against determined attackers. 
Vulnerability Assessments, Secure Configuration Reviews, Secure Code & Host Reviews, Cloud Security & DevSecOps advisory, Risk & Architecture Assessments, System Hardening, and Security Controls Validation (SECv)