A WAF bypass has been discovered that uses obfuscation to sneak an XSS payload past the filter. The WAF initially blocks <script>alert(1)</script>, but the attacker obfuscates the payload using entity encoding. The WAF does not recognize the encoded form, while the browser decodes the entities, allowing the XSS to trigger. This bypass technique can be used against various WAF vendors. #bugbounty #xss
Original tweet: https://twitter.com/NullSecurityX/status/1934277033250697428
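The detection gap described above comes from matching a signature on the raw request value while the browser acts on the decoded one. The following is an added example, not code from the tweet or from any WAF vendor: it compares a raw-value match with one that canonicalizes HTML entities first. The regex, function names, round limit and sample strings are assumptions constructed for illustration.

```python
import html
import re

# Hypothetical signature standing in for a WAF rule (assumption, not a vendor rule).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
MAX_DECODE_ROUNDS = 5  # bound the work; deeper nesting is treated as hostile


def naive_match(value: str) -> bool:
    """Apply the signature to the raw request value, as the bypassed filter does."""
    return bool(SCRIPT_TAG.search(value))


def canonicalize(value: str) -> tuple[str, bool]:
    """Decode entities until stable; the flag is False if still changing at the limit."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(current)
        if decoded == current:
            return current, True
        current = decoded
    return current, html.unescape(current) == current


def normalized_match(value: str) -> bool:
    """Match on the canonical form; fail closed when decoding did not converge."""
    decoded, converged = canonicalize(value)
    return not converged or bool(SCRIPT_TAG.search(decoded))


def encode_entities(value: str) -> str:
    """Build constructed test input: every character as a decimal entity."""
    return "".join(f"&#{ord(ch)};" for ch in value)


# Constructed samples derived from the string quoted on the page.
PLAIN = "<script>alert(1)</script>"
ENCODED_ONCE = encode_entities(PLAIN)
ENCODED_TWICE = html.escape(ENCODED_ONCE)  # "&" -> "&amp;", one extra layer
BENIGN = "Tom &amp; Jerry &lt;3 scripts"

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("encoded", ENCODED_ONCE),
                          ("double-encoded", ENCODED_TWICE), ("benign", BENIGN)]:
        print(f"{label:15} naive={naive_match(sample)!s:5} "
              f"normalized={normalized_match(sample)}")
```

Canonicalizing in the filter only narrows the gap between what the WAF inspects and what the browser interprets; context-aware output encoding in the application is what removes the XSS itself.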