Embedding payloads in the credentials portion of a URL is an effective way to bypass WAF detection. WAFs often ignore credentials included in URLs, which creates a blind spot for attackers. A payload placed there can evade WAF restrictions and potentially leak sensitive information. This bypass technique is particularly useful in scenarios where apps insecurely use document.URL or anchor tags. Security researchers should focus on testing payloads in credentials to identify and mitigate these vulnerabilities.
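One way to close the blind spot on the defensive side is to treat the credentials part of a URL as untrusted input: inspect it, then strip it before any other code reads the URL. The following is an added example, not code from the tweet or from any WAF product; the function name `inspectUrlCredentials`, the allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example with constructed inputs; names here are hypothetical.
// Allowlist of characters accepted in a decoded username or password.
// This is an assumption: tune it to what your application legitimately uses.
const SAFE_USERINFO = /^[A-Za-z0-9._~-]*$/;

// Percent-decode a component; return null if the encoding is malformed.
function decodeOrNull(value) {
  try {
    return decodeURIComponent(value);
  } catch (_) {
    return null; // malformed percent-encoding is itself a warning sign
  }
}

// Report whether a URL carries credentials, whether they look abnormal,
// and return a copy of the URL with the credentials removed.
function inspectUrlCredentials(rawUrl) {
  const url = new URL(rawUrl); // throws on unparseable input
  const hasCredentials = url.username !== '' || url.password !== '';
  const user = decodeOrNull(url.username);
  const pass = decodeOrNull(url.password);
  const suspicious =
    user === null || pass === null ||
    !SAFE_USERINFO.test(user) || !SAFE_USERINFO.test(pass);

  // Drop the userinfo so downstream code (templates, links, logs that
  // feed other tools) never sees it.
  url.username = '';
  url.password = '';
  return { hasCredentials, suspicious, user, pass, sanitized: url.href };
}

// Constructed sample URLs; example.test is a reserved test domain.
const samples = [
  'https://example.test/path?q=1',                // no credentials
  'https://alice:s3cret@example.test/path?q=1',   // ordinary credentials
  'https://%3Cmarker%3E:x@example.test/path?q=1', // markup characters
  'https://%zz@example.test/',                    // malformed encoding
];
for (const s of samples) {
  console.log(s, '=>', inspectUrlCredentials(s));
}
```

The same check can run where request URLs or Referer values are logged, so that inspection rules cover the credentials component as well as the path and query.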
For more details, check out the original tweet here: https://twitter.com/ctbbpodcast/status/1863993931249180801