A XSS WAF Bypass was discovered using the payload <svg/onload=alert/*1337*/(1)> where comments were inserted between JS function and parameters. This bypass affects multiple WAF vendors. The payload can be used to trigger an alert in the browser despite WAF protection. Detailed technical information can be found in this blog post.
For more details, check out the original tweet here: https://twitter.com/therceman/status/1804430893576016052
Subscribe for the latest news: