A new XSS WAF bypass technique has been reported that places invisible separator characters before or after the function name in an event-handler payload: a WAF signature that expects the function name to follow `=` immediately no longer matches, while the browser still tolerates the separator and executes the handler. The two payloads `<img/src/onerror=alert(1337)>` and `<svg/onload= alert(2)>` demonstrate the technique (in the second, the separator between `onload=` and `alert` is the character the post refers to as invisible). Ethical hackers can use this technique to test whether an XSS WAF rule can be bypassed. For more technical details, refer to the tweet.
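The defensive side of the technique, as an added example that is not code from the post or its author: a brittle signature that matches the literal text `=alert(` misses the second payload, whereas a rule that first normalizes Unicode whitespace and format characters and then matches the structure of an event handler (`on<event>=<identifier>(`) catches both payloads without depending on which separator was used. The sample inputs are the two payloads quoted in the post plus constructed benign strings; the regexes and function names are this example's own, not any WAF product's.

```python
import re
import unicodedata

# Constructed sample inputs: the two payloads quoted in the post and two benign strings.
SAMPLES = {
    "img_payload": "<img/src/onerror=alert(1337)>",
    "svg_payload": "<svg/onload= alert(2)>",
    "benign_img": '<img src="logo.png" alt="Company logo">',
    "benign_text": "onload= is not an attribute here, just prose about alert()",
}

# Brittle signature (assumed, for illustration): it only fires when the function
# name follows '=' with nothing in between, so any separator defeats it.
NAIVE_RULE = re.compile(r"on\w+=alert\(", re.IGNORECASE)

# Structural rule applied AFTER normalization: an event-handler attribute whose
# value begins with a function call, regardless of the function's name.
HANDLER_CALL_RULE = re.compile(r"""(?:^|[\s/<"'])on[a-z]+=[\w$]+\(""", re.IGNORECASE)


def normalize(payload: str) -> str:
    """Canonicalize characters an HTML tokenizer or JS engine may skip, so the
    signature sees roughly the text the browser effectively executes."""
    chars = []
    for ch in payload:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            # Format characters (zero-width joiners, BOM, ...) render as nothing; drop them.
            continue
        if cat in ("Zs", "Zl", "Zp") or ch in "\t\n\r\x0b\x0c":
            # Any Unicode space/line separator or ASCII control whitespace -> one space.
            chars.append(" ")
        else:
            chars.append(ch)
    text = re.sub(r"\s+", " ", "".join(chars))
    # Remove whitespace around '=' and '(' so "onload= alert(" becomes "onload=alert(".
    text = re.sub(r" ?([=(]) ?", r"\1", text)
    return text


def naive_match(payload: str) -> bool:
    """Literal signature on the raw input."""
    return NAIVE_RULE.search(payload) is not None


def normalized_match(payload: str) -> bool:
    """Structural signature on the normalized input."""
    return HANDLER_CALL_RULE.search(normalize(payload)) is not None


def scan(samples: dict = SAMPLES) -> dict:
    """Run both rules over each sample; returns name -> (naive_hit, normalized_hit)."""
    return {name: (naive_match(p), normalized_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in scan().items():
        print(f"{name:12s} naive={naive!s:5s} normalized={norm!s:5s}")
```

The design point is that matching on the literal function name is the weakness the bypass exploits; normalizing first and matching the handler structure over-approximates, which is acceptable for a detection rule but not a substitute for contextual output encoding in the application itself.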
Ethical Hacking Reminder
Bypass XSS WAF protection using invisible separators before or after function name
<img/src/onerror=alert(1337)>
<svg/onload= alert(2)> pic.twitter.com/I2cF15Idjr
— Anton (@therceman) May 29, 2025