The tweet highlights a common misconception behind requests for help with "WAF bypasses": in many of these cases there is no WAF at all. The reflected value is simply HTML-encoded correctly on output, so characters such as <, > and " reach the page as entities and cannot break out of their context, and sending an HTML-encoded payload does not help, because the encoded input is encoded again on output and renders as literal text. Bypass techniques target filters, and correct output encoding is not a filter; where it is applied consistently there is nothing to bypass, so the XSS attempts are futile. It is a reminder that contextual output encoding, not WAF evasion, decides whether reflected XSS is possible, and that security assessment should focus on comprehensive measures rather than on bypass attempts alone.
It’s amazing how many DMs I get from people asking me to “help bypass the WAF” but they’re actually just trying to get XSS on a value that is properly HTML encoded with no WAF.
— Luke Stephens (hakluke) (@hakluke) May 4, 2024
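An added example (not from the tweet or its author) illustrating the point above: a hypothetical page that reflects a query parameter through a contextual HTML encoder, plus a defender-side check that the reflection never contributes markup characters. A WAF pattern-matches input; encoding transforms output, so even a pre-encoded payload renders as text.

```javascript
// Added illustration, not code from the tweet. The page, parameter name and
// check are assumptions constructed for this example.

// Contextual encoder for HTML text nodes and double-quoted attribute values.
// Note: this is NOT sufficient for JavaScript, URL or CSS contexts; the tweet's
// scenario is a value landing in an HTML text or attribute context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical server-side template reflecting the query into a text node
// and into a quoted attribute, encoding both places at output time.
function renderSearchPage(query) {
  const safe = htmlEncode(query);
  return `<p>Results for: ${safe}</p>\n<input name="q" value="${safe}">`;
}

// Defender-side check: the reflection is inert if the rendered page has
// exactly as many raw '<' and '"' characters as the empty-query skeleton,
// i.e. the user value contributed no tag or attribute delimiters.
function reflectionIsInert(query) {
  const count = (s, re) => (s.match(re) || []).length;
  const skeleton = renderSearchPage('');
  const rendered = renderSearchPage(query);
  return count(rendered, /</g) === count(skeleton, /</g) &&
         count(rendered, /"/g) === count(skeleton, /"/g);
}

// Constructed probe inputs: a script tag, an attribute-breaking string, and
// the "already HTML-encoded" payload from the misconception in the tweet.
const probes = [
  '<script>alert(1)</script>',
  '" onmouseover="alert(1)',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
];

for (const p of probes) {
  // Every probe renders as literal text; the pre-encoded one becomes &amp;lt;...
  console.log(reflectionIsInert(p) ? 'inert  ' : 'BREAKS ', renderSearchPage(p));
}
```

The third probe shows why "HTML-encoding the payload" is not a bypass: the ampersands themselves are encoded, so the browser displays the entity text verbatim.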