This post is a checklist for bypassing Web Application Firewalls (WAFs). It collects generic techniques that might help bypass different WAFs. One technique is to Base64-encode the payload and embed it in a URL parameter. For example, the payload "<script>alert('XSS')</script>" is Base64-encoded to "PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=" and passed in the query string as "/?q=<data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=". This technique can bypass many WAFs that do not decode Base64 inside HTML data URLs.

Another note in the checklist is specific to ASPX platforms, which remove percent signs (%) that are not followed by two hexadecimal characters. This might interfere with URL encoding or other encoded payloads, so attackers should be aware of it when crafting payloads for ASPX applications.
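
On the defensive side, both notes above describe a gap between what the WAF inspects and what the application or browser ends up processing. The following is an added example (not from the original tweet or post) of a pre-inspection normalization step in Python; the function names and the single script-tag signature are assumptions standing in for a real rule set, and the percent-stripping should only be modelled where the backend actually behaves that way.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Query value quoted on the page, used here as test input for the inspection path.
PAGE_SAMPLE = "<data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="

# data:<mediatype>[;params];base64,<body>
DATA_URL_B64 = re.compile(r"data:[^,]{0,128}?;base64,([A-Za-z0-9+/=]+)", re.I)
# A '%' that does not begin a valid %XX escape.
STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Constructed stand-in for a real rule set (assumption, one signature only).
SIGNATURE = re.compile(r"<\s*script\b", re.I)


def strip_stray_percent(value: str) -> str:
    """Model the platform behaviour the page describes: drop '%' not followed by two hex digits."""
    return STRAY_PERCENT.sub("", value)


def decode_data_urls(value: str) -> list[str]:
    """Return the decoded body of every Base64 data: URL embedded in value."""
    bodies = []
    for match in DATA_URL_B64.finditer(value):
        raw = match.group(1).rstrip("=")
        raw += "=" * (-len(raw) % 4)  # repair missing padding
        try:
            bodies.append(base64.b64decode(raw).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid Base64; nothing further to inspect
    return bodies


def inspection_views(value: str) -> list[str]:
    """Every form of the parameter that the rules should be run against."""
    as_backend = unquote(strip_stray_percent(value))
    return [value, as_backend, *decode_data_urls(as_backend)]


def is_suspicious(value: str) -> bool:
    return any(SIGNATURE.search(view) for view in inspection_views(value))


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, "data:text/plain;base64,aGVsbG8=", "100% sure"):
        print(is_suspicious(sample), repr(sample))
```

Running the rules against every view, rather than only the raw value, is what closes the gap: the raw form of the page's sample does not match the signature, while its decoded data URL body does.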

Overall, this checklist is a starting point for testers to remember common techniques for bypassing WAF protections, involving encoding tricks and peculiar behaviors of web platforms.
Check out the original tweet here: https://twitter.com/theXSSrat/status/1937112596533879269