This tweet shares tips for bypassing a Web Application Firewall (WAF) that blocks the use of the 'alert' function to prevent Cross-Site Scripting (XSS) attacks. The blocks focus on the keyword 'alert', which is commonly used in XSS payloads to demonstrate code execution. The tweet provides three JavaScript payloads to evade detection by obfuscating the 'alert' function call in different ways:
1. (function(x){this[x+`ert`](1)})`al`: This payload constructs the 'alert' function by passing the string 'al' to a function that adds 'ert' to it, calling 'alert(1)'.
2. window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2): This payload uses dynamic property access and regular expression to piece together the word 'alert' and invoke it as a function from the 'window' object.
3. document['default'+'View'][`\u0061lert`](3): This payload accesses the 'defaultView' property of the 'document' object and uses Unicode escape sequences to spell out 'alert', then calls it.
These methods help evade simple pattern-matching filters that block direct use of 'alert' in XSS payloads, demonstrating ways to bypass naïve WAFs that rely on string matching.
For more insights, check out the original tweet here: https://twitter.com/therceman/status/1938335710806732896