CloudFront WAF can be bypassed for stored XSS using the payload ,. The WAF blocks alert(), prompt(), confirm(), and print(), and the content type is JSON, which prevents the addition of double quotes.
For more insights, check out the original tweet here: https://twitter.com/Arourmohamed01/status/1763186868496015828.