If you see a webapp trying to guess your search query (e.g. in search bar) and has a WAF on top of it, use mistyped words to easy trigger XSS and bypass the WAF.
<scrpt>confrm()</scrpt>
The above behavior is often seen in PHP webapps using pspell_suggest().
#bugbountytips https://t.co/CQnu11wycX