Bypassed the Amazon CloudFront Logic and got XSS at the National Weather Agency of the U.S.

Har Har Mahadev🔱. This is Prince Roy, a security researcher also known as Royzsec, back again with another blog about how I was able to bypass the Amazon CloudFront firewall's logic and get XSS (cross-site scripting). Are you excited to know how I did it?

So, at first, I collected all the live subdomains via Subfinder and HTTPX:

subfinder -d all | httpx -mc 200 | tee weather_live.txt

I barely remember; I think I found this XSS on the 9th or 10th subdomain. I lost that source code; otherwise, I could explain very easily what the logical error was in their CloudFront setting.

That was the domain []. I found a GET-based reflected XSS on this page. When reading the source, I saw they just used a loop in which PCU pages 1–6 are shown. When I put:

I found nothing on that page.

Then I tried to find SQL injection, but that didn't work, because they are using Amazon CloudFront.

Moreover, I also tried:

Everything up to ?unit=6 was protected by Amazon CloudFront. But whenever I put unit=7, it bypassed the logic and was reflected on the screen.

I was shocked to see that; it was unexpected because it was just a logical error. Then I put in the XSS payload, and guess what?

Boom! Got XSS. It was just a logical error: the developer made a mistake in the logic that retrieves the data from the database. After 4 days they accepted my report as valid.
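To make the class of bug concrete, here is an added example written for this post; it is not the agency's code and not the author's, and the PCU page table, the handler names and the "No data for unit" error text are assumptions. It reconstructs the pattern described above: a handler that serves units 1–6 from a fixed table, but for any other value falls through to an error branch that echoes the raw unit parameter into the HTML. That fall-through is exactly where a tester probing unit=7, 8, ... finds untrusted input landing in the page. The hardened handler beside it validates against the allow-list first and HTML-escapes anything it reflects.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the "PCU pages 1-6" from the post (hypothetical data).
PCU_PAGES = {
    1: "PCU unit 1 page",
    2: "PCU unit 2 page",
    3: "PCU unit 3 page",
    4: "PCU unit 4 page",
    5: "PCU unit 5 page",
    6: "PCU unit 6 page",
}


def render_unit_vulnerable(query_string: str) -> str:
    """Reconstruction of the flawed pattern (hypothetical, not the real app):
    units 1-6 come from the table, but every other value falls through to an
    error message that places the raw parameter into the response body."""
    unit = parse_qs(query_string).get("unit", [""])[0]
    for n in range(1, 7):                      # the loop over the six known units
        if unit == str(n):
            return f"<h1>{PCU_PAGES[n]}</h1>"
    # Out-of-range fall-through: unescaped reflection -> reflected XSS.
    return f"<p>No data for unit {unit}</p>"


def render_unit_hardened(query_string: str) -> str:
    """Hardened form: allow-list the parameter before using it, and escape
    anything that is reflected so an out-of-range value is inert."""
    unit = parse_qs(query_string).get("unit", [""])[0]
    if unit.isdigit() and int(unit) in PCU_PAGES:
        return f"<h1>{html.escape(PCU_PAGES[int(unit)])}</h1>"
    # Same message, but the untrusted value is HTML-escaped (defence in depth).
    return f"<p>No data for unit {html.escape(unit)}</p>"


def find_fallthrough_units(handler, candidates) -> list:
    """Walk plain numeric unit values the way the post describes (1, 2, ...)
    and return the ones that hit the error branch, i.e. the boundary past
    which the raw parameter is reflected. Only the error template is checked."""
    return [n for n in candidates if "No data for unit" in handler(f"unit={n}")]


def reflects_payload(handler, unit_value: str, payload: str) -> bool:
    """True if the handler echoes the payload verbatim for the given unit value."""
    return payload in handler(f"unit={unit_value}{payload}")


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("error branch reached for:", find_fallthrough_units(render_unit_vulnerable, range(1, 9)))
    print("vulnerable reflects on unit=7:", reflects_payload(render_unit_vulnerable, "7", payload))
    print("hardened reflects on unit=7: ", reflects_payload(render_unit_hardened, "7", payload))
```

The probe walks unit=1..8 and reports that only 7 and 8 reach the error branch, which is the cheap way to spot where a handler stops using a lookup and starts echoing input. Note that validation alone is not enough: the hardened version keeps `html.escape` on the error path so that a future change to the allow-list cannot quietly reopen the reflection.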

