When React2Shell happened, the Vercel WAF needed to block all of these exploits. To incentivize the discovery of bypasses, they offered a $50K bounty for each unique bypass technique. This led to 156 reports and $1M being paid out. This article summarizes the learnings from that.
Seawall is the internal request inspection layer of Vercel's WAF. Its goal is to block malicious patterns before they reach the application. Whenever they received a new WAF bypass from a researcher, they A) reproduced it, B) created a test case, and C) added a new rule. Most reports came within the first 24 hours, with some more in the second 24 hours. After that, the reports used far more sophisticated techniques.
At the compute layer (I presume this means React applications hosted by Vercel), they also added a mitigation. Since the exploit relies on accessing constructor directly, the runtime denies access to it during React rendering, which breaks the exploit path. Even with a WAF bypass, this runtime check blocks exploitation.
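The idea of denying a property lookup only while rendering is in progress can be illustrated with a small guard. The code below is an added example written for this summary, not Vercel's runtime code, and it assumes its own render-phase counter (renderDepth), deny-list (DENIED_PROPERTIES) and wrapper (guardUntrusted, renderWith); the property names in the deny-list beyond constructor are this example's additions.

```javascript
// Added illustration (not Vercel's runtime): deny lookups of `constructor`
// on untrusted, deserialized data while a render is in progress.
// renderDepth, DENIED_PROPERTIES, guardUntrusted and renderWith are
// assumptions for this example, not names from the original post.

let renderDepth = 0; // > 0 while a render is in progress

// Property names that untrusted data must never be able to reach during
// rendering. `constructor` is the one the post discusses; the others are
// this example's own additions.
const DENIED_PROPERTIES = new Set(["constructor", "__proto__", "prototype"]);

// Wrap an untrusted object (recursively) so that reads of denied property
// names throw while renderDepth > 0. Outside a render the object behaves
// normally, so unrelated code paths are not affected.
function guardUntrusted(value, path = "$") {
  if (value === null || typeof value !== "object") return value;
  return new Proxy(value, {
    get(target, prop, receiver) {
      if (renderDepth > 0 && typeof prop === "string" && DENIED_PROPERTIES.has(prop)) {
        throw new Error(`denied access to ${path}.${prop} during render`);
      }
      const result = Reflect.get(target, prop, receiver);
      return guardUntrusted(result, `${path}.${String(prop)}`);
    },
  });
}

// Run a component with its (untrusted) props guarded, marking the render
// phase so the guard is active only for the duration of the call.
function renderWith(props, component) {
  renderDepth++;
  try {
    return component(guardUntrusted(props));
  } finally {
    renderDepth--;
  }
}

// Stand-alone demo: a benign lookup succeeds, a denied one throws.
console.log(renderWith({ user: { name: "ada" } }, (p) => p.user.name));
try {
  renderWith({ user: {} }, (p) => p.user.constructor);
} catch (e) {
  console.log(e.message);
}
```

The guard is scoped to the render phase rather than applied globally so that legitimate framework internals outside rendering keep working; the counter (rather than a boolean) also handles nested renders correctly.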
The article doesn't discuss every single bypass, but it does walk through two that came from the authors of the React2Shell exploit. The first is around Unicode parsing. Many bypasses try to confuse the parser by replacing regular characters with their Unicode escape representation in JSON. Normalizing the JSON removes that problem. However, if you Unicode-encode the Unicode escapes multiple times, this protection no longer works. Now, the WAF applies the decoding recursively, over and over again.
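What "decoding recursively" looks like in practice, as an added example for this summary (not Seawall's code): a normalizer that peels JSON-style \uXXXX escapes until the input stops changing, with a depth cap so hostile input cannot keep it spinning, and a rule check run over the normalized text. The function names, the depth cap of 8, the token list and the sample request bodies are all constructed for the example.

```javascript
// Added example (not Vercel's Seawall code): normalize nested JSON Unicode
// escapes to a fixpoint before pattern matching, so that multiply-encoded
// input cannot slip past a rule that only decodes once. All names here are
// this example's own assumptions.

// Decode one layer of JSON-style \uXXXX escapes. Sequences that are not
// four hex digits are left untouched.
function decodeUnicodeEscapesOnce(input) {
  return input.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
}

// Repeat the single-layer decode until the string stops changing, with a
// hard cap on the number of layers. Returns the normalized text, how many
// layers were peeled, and whether the cap was hit (still changing).
function normalizeUnicode(input, maxDepth = 8) {
  let current = input;
  for (let depth = 0; depth < maxDepth; depth++) {
    const next = decodeUnicodeEscapesOnce(current);
    if (next === current) return { text: current, layers: depth, exhausted: false };
    current = next;
  }
  // Still changing after maxDepth layers: report it rather than trusting a
  // partially decoded result.
  return { text: current, layers: maxDepth, exhausted: true };
}

// Constructed placeholder rule list: the real ruleset is not on the page.
const SENSITIVE_TOKENS = ["constructor"];

// Inspect a request body: normalize first, then match. A body that exhausts
// the decode budget is treated as blocked as well.
function inspectBody(body, maxDepth = 8) {
  const { text, layers, exhausted } = normalizeUnicode(body, maxDepth);
  const matched = SENSITIVE_TOKENS.filter((token) => text.includes(token));
  return { blocked: matched.length > 0 || exhausted, matched, layers, normalized: text };
}

// Stand-alone demo on constructed bodies: plain, single-encoded and
// double-encoded (the backslash itself encoded as \u005c).
for (const body of [
  '{"x":"constructor"}',
  '{"x":"\\u0063onstructor"}',
  '{"x":"\\u005cu0063onstructor"}',
  '{"x":"caf\\u00e9"}',
]) {
  console.log(body, "->", inspectBody(body));
}
```

The fixpoint loop is what closes the gap the post describes: a rule that decodes exactly once sees \u0063onstructor after peeling \u005cu0063onstructor and never matches. The depth cap matters equally, since an unbounded loop over attacker-controlled input is a denial-of-service vector in its own right.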
Most of the exploits revolved around the rule that blocks :constructor with the colon. By finding another gadget that performed the same property access through string interpolation, it was possible to use constructor instead of :constructor. This shows the power of slight deviations from the original exploit.
Why did they do this? To test their infrastructure against real attacks, which could not have been simulated. The WAF bypasses are now permanent additions to the Firewall product, which keeps it useful going forward. Overall, a great blog post and a great campaign by Vercel.