If you see a web app that tries to guess your search query (e.g. in a search bar) and has a WAF in front of it, use mistyped words to easily trigger XSS and bypass the WAF.

<scrpt>confrm()</scrpt>

The above behavior is often seen in PHP webapps using pspell_suggest().
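
The mechanism behind the tip, as an added example that is not part of the original post: the filter inspects the raw request, the corrector rewrites it afterwards, and only output encoding of the corrected string closes the gap. `correct_query()`, `waf_blocks()`, the two-word dictionary and the filter pattern are constructed stand-ins, not pspell or any real WAF.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a pspell_suggest()-backed "did you mean" feature:
// each word is replaced by its top suggestion, punctuation is left untouched.
// The two-entry dictionary is sample data, not real pspell output.
function correct_query(string $query): string
{
    $suggestions = ['scrpt' => 'script', 'confrm' => 'confirm'];
    return preg_replace_callback(
        '/[A-Za-z]+/',
        fn(array $m): string => $suggestions[strtolower($m[0])] ?? $m[0],
        $query
    );
}

// Toy signature filter standing in for a WAF rule; it only sees the raw request.
function waf_blocks(string $raw): bool
{
    return preg_match('/<\s*script\b|\b(alert|confirm|prompt)\s*\(/i', $raw) === 1;
}

// Vulnerable: the corrected string is written into HTML as-is.
function render_unsafe(string $query): string
{
    return '<p>Did you mean: ' . correct_query($query) . '</p>';
}

// Hardened: the corrector's output is untrusted, so encode it at the output point.
function render_safe(string $query): string
{
    $corrected = correct_query($query);
    return '<p>Did you mean: '
        . htmlspecialchars($corrected, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

$raw = '<scrpt>confrm()</scrpt>';   // the string from the tip above
var_dump(waf_blocks($raw));         // filter verdict on the raw request
echo render_unsafe($raw), PHP_EOL;  // corrected markup reaches the page
echo render_safe($raw), PHP_EOL;    // same text, rendered inert
```

Encoding has to happen after correction and at the point of output; escaping the raw query before it is passed to the corrector leaves the same gap.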

#bugbountytips https://t.co/CQnu11wycX