If %00 is not encoded by the application then it’s really fucking easy to bypass any WAF (Cloudflare, Akamai, etc.) to get XSS, just spam the fuck out of the %00 😂

Follow me for more P1 #bugbountytips
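
A defensive check for the condition this tip relies on, as an added example that is not part of the original post: flag request parameters that carry a NUL byte at any percent-encoding depth, and strip NULs and HTML-encode anything that gets reflected. The function names, the decode bound and the sample parameters are assumptions constructed for illustration.

```python
import html
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # assumption: how many nested percent-encoding layers we unwrap


def nul_verdict(raw: str) -> str:
    """Classify one raw parameter value as 'clean', 'nul' or 'too-deep'.

    'nul'      : a NUL byte appears literally or after percent-decoding.
    'too-deep' : the value is still changing after MAX_DECODE_ROUNDS decodes,
                 so it is treated as suspicious instead of being passed through.
    """
    data = raw.encode("utf-8", "surrogatepass")
    for _ in range(MAX_DECODE_ROUNDS):
        if b"\x00" in data:
            return "nul"
        decoded = unquote_to_bytes(data)
        if decoded == data:          # nothing left to decode
            return "clean"
        data = decoded
    if b"\x00" in data:
        return "nul"
    return "too-deep" if unquote_to_bytes(data) != data else "clean"


def screen_request(params: dict) -> dict:
    """Map each parameter name to its verdict; reject the request unless all are 'clean'."""
    return {name: nul_verdict(value) for name, value in params.items()}


def render_safe(value: str) -> str:
    """Output-side control: drop NULs, then HTML-encode before reflecting into a page."""
    return html.escape(value.replace("\x00", ""), quote=True)


if __name__ == "__main__":
    # Constructed sample parameters, not taken from any real request.
    sample = {"q": "a%00b", "ref": "%2500", "deep": "%25252500", "page": "2"}
    for name, verdict in screen_request(sample).items():
        print(f"{name}: {verdict}")
    print(render_safe("<b>\x00hi</b>"))
```

Running the input check at the application layer means it holds regardless of how an upstream WAF normalizes the same bytes.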