A vulnerability in the backend's JSON processing allows an attacker to bypass the WAF using Unicode obfuscation. By injecting a malicious payload into a PUT request to /api/user/profile, the attacker can trigger a stored XSS on /dashboard/profile. The bypass exploits the trust the backend places in JSON fields: only the client sanitizes the input, and the server stores whatever the decoded JSON contains. The WAF evasion technique shows why input validation has to happen server-side, after decoding, with output encoding as a second layer.
Inject `{"profile":{"name":"<svg onload=alert(1)>"},"email":"[email protected]"}` into PUT `/api/user/profile` where client-side sanitizes but backend trusts JSON fields. Bypass WAF using unicode obfuscation and trigger stored XSS on `/dashboard/profile`. #bugbounty #hacking
— Parth Patel (@TheDarkSideOps) April 5, 2025
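The defender-side counterpart to the post above, as an added example that is not code from the original post or from any project it names: a backend that validates `profile.name` after JSON decoding and Unicode normalization, then HTML-escapes it when rendering the profile page. The sample request bodies are constructed for the example; the first hides the `<` behind a JSON `\u003c` escape (so a WAF matching raw bytes never sees a literal tag), the second uses the fullwidth `＜` (U+FF1C), which NFKC-normalizes to ASCII `<`. The field names, the length limit, and the character policy are assumptions for illustration.

```python
import html
import json
import unicodedata

# Constructed sample PUT bodies (added example, not from the original post).
# "json_escape": the JSON decoder turns \u003c / \u003e into literal < and >.
# "fullwidth":   U+FF1C / U+FF1E look like brackets and normalize to < and > under NFKC.
# "benign":      an ordinary name that must still be accepted.
SAMPLE_BODIES = {
    "json_escape": '{"profile":{"name":"\\u003csvg onload=alert(1)\\u003e"},"email":"user@example.com"}',
    "fullwidth":   '{"profile":{"name":"\uff1csvg onload=alert(1)\uff1e"},"email":"user@example.com"}',
    "benign":      '{"profile":{"name":"Parth O\'Neil"},"email":"user@example.com"}',
}

MAX_NAME_LEN = 64  # assumed policy limit for a display name


def normalize(value: str) -> str:
    """Canonicalize text before validating it, so compatibility and fullwidth
    code points collapse to their ASCII equivalents (U+FF1C -> '<')."""
    return unicodedata.normalize("NFKC", value)


def decode_name(body: str) -> str:
    """Decode the JSON body and return profile.name as the backend actually sees it:
    JSON escapes resolved and Unicode normalized. This is the value that must be
    validated; the raw bytes a WAF inspected are irrelevant at this point."""
    data = json.loads(body)
    profile = data.get("profile") if isinstance(data, dict) else None
    name = profile.get("name") if isinstance(profile, dict) else None
    if not isinstance(name, str):
        raise ValueError("profile.name must be a string")
    return normalize(name)


def validate_profile_name(body: str) -> str:
    """Server-side validation on the decoded, normalized value.
    Raises ValueError on any input the backend should refuse to store."""
    name = decode_name(body)
    if not 0 < len(name) <= MAX_NAME_LEN:
        raise ValueError("profile.name length out of range")
    if "<" in name or ">" in name:
        raise ValueError("profile.name contains markup characters")
    # Reject control, format, surrogate, private-use and unassigned code points
    # (Unicode general category C*), which have no place in a display name.
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        raise ValueError("profile.name contains control or non-printable characters")
    return name


def render_profile_name(name: str) -> str:
    """Output encoding for /dashboard/profile: escape regardless of what
    validation did, so stored data can never be interpreted as markup."""
    return html.escape(name, quote=True)


def check_body(body: str) -> dict:
    """Run the full store-then-render pipeline for one request body."""
    try:
        name = validate_profile_name(body)
    except (ValueError, json.JSONDecodeError) as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "rendered": render_profile_name(name)}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:12s} decoded={decode_name(body)!r} -> {check_body(body)}")
```

Both obfuscated bodies decode to the same `<svg onload=alert(1)>` string, which is the point: a filter that runs before JSON decoding and normalization inspects a different value from the one the backend stores. Validation belongs after `decode_name`, and the `html.escape` on output is kept even when validation passes, so a future field that skips validation still cannot inject markup into the dashboard.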