This XSS payload can bypass some WAF filters. It sets an accesskey attribute of X on an input element and attaches an onclick handler containing obfuscated JavaScript: the property names window and onerror are built by string concatenation ('wind'+'ow', 'one'+'rror'), alert is assigned as the error handler, and throw 1337 then raises an error that triggers the alert message. Because the strings window and onerror never appear literally in the request, WAFs that match on them may have difficulty detecting the payload. Security researchers should be aware of this type of bypass and update WAF rules accordingly.
A payload to bypass some WAF filters by @0x0SojalSec
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
— XSS Payloads (@XssPayloads) October 29, 2024
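For the rule update mentioned above, a detection sketch added here as an example (not code from the tweet or from any WAF product): it folds adjacent string literals in inline event handlers before matching, so the split keywords become visible. The function names, the patterns and the benign control with its `saveForm()` handler are assumptions made for illustration.

```python
import re

# Constructed samples: the payload quoted on this page and a benign control.
PAGE_PAYLOAD = """<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">"""
BENIGN = '<input accesskey=S onclick="saveForm()">'  # hypothetical handler

# Naive signature: literal keyword match on the raw input.
NAIVE = re.compile(r"window|onerror", re.I)

# Inline event-handler attributes (double-quoted, single-quoted or unquoted).
HANDLER = re.compile(r"""\bon\w+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Two adjacent string literals joined by '+', e.g. 'wind'+'ow'.
CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")

# Sinks checked after folding: ['window'] / ['onerror'] or x.onerror.
SINK = re.compile(
    r"""\[\s*['"](?:window|onerror)['"]\s*\]|\b(?:window|self|top)\s*\.\s*onerror\b""",
    re.I,
)


def handlers(html):
    """Return the script body of every on* attribute found in the markup."""
    return [next(g for g in m.groups() if g is not None)
            for m in HANDLER.finditer(html)]


def fold_concat(js):
    """Collapse 'a'+'b' into 'ab' until nothing changes (handles 'a'+'b'+'c')."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", js)
    return js


def detect(html):
    """Return the handlers whose folded form reaches a window/onerror sink."""
    return [h for h in handlers(html) if SINK.search(fold_concat(h))]


if __name__ == "__main__":
    print("naive match on raw payload:", bool(NAIVE.search(PAGE_PAYLOAD)))
    print("folded handler:", fold_concat(handlers(PAGE_PAYLOAD)[0]))
    print("flagged handlers:", detect(PAGE_PAYLOAD))
```

The folding step covers only the concatenation used in this payload; other encodings need their own normalization pass before matching.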