A bypass has been discovered for the Amazon CloudFront WAF using the %ff%00%ff sequence. The sequence terminates the string and stops the WAF from scanning further, allowing malicious code to be injected. An example XSS payload is '<img src=x onload=%ff%00%ffLO onerror=alert() onclick=alert() onmouseover=alert()//>'. The technique can be used to execute JavaScript on a vulnerable website. WAF administrators should be aware of this bypass and take the necessary measures to mitigate the risk.
For more insights, check out the original tweet here: https://twitter.com/ruben_v_pina/status/1864115417712562548
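
One way to look for the sequence described above in origin access logs, as an added example (not code from the original tweet or from AWS). It assumes common/combined log format; the function name, the finding fields and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Decoded form of the %ff%00%ff sequence described above.
MARKER = b"\xff\x00\xff"

# Assumption: origin logs are in common/combined log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onload%3D%ff%00%ffLO%20onerror%3Dalert() HTTP/1.1" 200 734
198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /profile?name=%FF%00%FFtest HTTP/1.1" 200 120
198.51.100.8 - - [01/Jan/2025:10:00:12 +0000] "GET /img?c=%ff%ff%00 HTTP/1.1" 200 88
"""


def find_marker_requests(log_text):
    """Return one finding per request whose decoded target contains MARKER."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, target = m.groups()
        # Percent-decoding makes %FF and %ff equivalent before matching.
        decoded = unquote_to_bytes(target)
        pos = decoded.find(MARKER)
        if pos == -1:
            continue
        # Bytes after the marker are the part the WAF reportedly did not scan.
        tail = decoded[pos + len(MARKER):].decode("latin-1")
        findings.append({"line": lineno, "client": client,
                         "offset": pos, "unscanned_tail": tail})
    return findings


if __name__ == "__main__":
    for finding in find_marker_requests(SAMPLE_LOG):
        print(finding)
```

The `unscanned_tail` field gives an analyst the portion of the request that followed the sequence, which is the part to review first.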