This tweet demonstrates a Web Application Firewall (WAF) bypass that uses JavaScript string concatenation to evade filtering and execute a Cross-Site Scripting (XSS) payload. The original payload "alert(1)//" is blocked by the WAF, which returns 403 Forbidden. By splitting the payload into string fragments and reassembling them at runtime with JavaScript variables and control characters, the attacker produces a request the WAF's signatures do not recognise; the server answers 200 OK and the script executes in the victim's browser.

In the bypass payload the attacker never writes the word prompt in the request. The function name is assembled at runtime from short fragments such as 'pr' + 'om', accumulated in a variable k, and the finished string is then used to look the function up. A WAF rule that searches the raw request for the literal token prompt( sees only harmless-looking fragments and a variable name, so simple pattern matching does not fire.

The technique shows the limits of signature matching on raw request text. Rules that hold up better normalise the input before matching: fold constant string concatenations, inline trivially assigned string variables, and rewrite computed property access such as self[k] into the equivalent dotted form, so that the sink name reappears where the signature can see it. Even then a WAF cannot fully evaluate attacker-controlled JavaScript (String.fromCharCode, template literals and encoded fragments all defeat simple folding), so it should be treated as a compensating control: the fix for the underlying XSS is contextual output encoding in the application plus a Content Security Policy. Developers and security engineers should keep bypasses like this one in mind when writing WAF signatures and when judging how much protection those signatures actually provide.
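
The following JavaScript is an added example, not the tweet's payload or any vendor's WAF rules. It contrasts a naive keyword signature with a small constant-folding normaliser that recovers a concatenated sink name before matching. The payload shapes (k='pr'+'om';k+='pt';self[k](1)// and a double-quoted window[...] variant), the function names and the regular expressions are all constructed for illustration; the normaliser deliberately handles only plain literals, simple = and += assignments and literal computed access, which is enough to show why raw-text matching fails and what a rule engine has to do to catch this class of evasion.

```javascript
// Added example (not from the tweet): naive keyword signature vs. a
// normalise-then-match check for concatenated JavaScript sink names.

// Naive signature: a dangerous sink called as a bare identifier or a
// dotted property, e.g. alert(1) or window.prompt(1).
const SINK_RE = /\b(alert|prompt|confirm|eval)\s*\(/i;

// Rule that matches directly on the raw request text.
function naiveWafBlocks(payload) {
  return SINK_RE.test(payload);
}

// Pass 1: fold adjacent string-literal concatenations, 'pr' + 'om' -> 'prom'.
// Only plain literals without escapes or embedded quotes are handled.
const CONCAT_RE = /(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3/;

function foldLiteralConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(CONCAT_RE, (_m, _q1, a, _q2, b) => `'${a}${b}'`);
  } while (src !== prev); // repeat until no further folding happens
  return src;
}

// Pass 2: inline string variables built with = and +=, so that
// k='prom';k+='pt' turns later uses of k into 'prompt'. Statements are
// split on ';' only; this is a toy, not a JavaScript parser.
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*(\+?=)\s*'([^'\\]*)'\s*$/;

function inlineStringVars(src) {
  const env = new Map();
  const kept = [];
  for (const stmt of src.split(';')) {
    const m = ASSIGN_RE.exec(stmt);
    if (m) {
      const [, name, op, val] = m;
      env.set(name, op === '+=' ? (env.get(name) ?? '') + val : val);
      continue; // the assignment is consumed into env and dropped
    }
    kept.push(stmt);
  }
  let out = kept.join(';');
  for (const [name, val] of env) {
    out = out.replace(new RegExp(`\\b${name}\\b`, 'g'), `'${val}'`);
  }
  return out;
}

// Pass 3: rewrite literal computed access, self['prompt'] -> self.prompt,
// so the dotted-property form of the signature applies.
const COMPUTED_RE = /\[\s*'([A-Za-z_$][\w$]*)'\s*\]/g;

function dotifyComputedAccess(src) {
  return src.replace(COMPUTED_RE, '.$1');
}

function normalise(payload) {
  return dotifyComputedAccess(inlineStringVars(foldLiteralConcats(payload)));
}

// Rule that matches on the normalised text instead of the raw request.
function hardenedWafBlocks(payload) {
  return SINK_RE.test(normalise(payload));
}

// Constructed payloads (assumed shapes, not the tweet's exact strings).
const PLAIN = 'alert(1)//';
const OBFUSCATED = "k='pr'+'om';k+='pt';self[k](1)//";
const OBFUSCATED_DQ = 'var n="al"+"ert";window[n](document.domain)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(naiveWafBlocks(PLAIN), naiveWafBlocks(OBFUSCATED));  // true false
  console.log(normalise(OBFUSCATED));                               // self.prompt(1)//
  console.log(hardenedWafBlocks(OBFUSCATED), hardenedWafBlocks(OBFUSCATED_DQ)); // true true
}
```

The three passes are the minimum a rule engine needs to see through the tweet's trick; each is trivially defeated by the next layer of indirection (String.fromCharCode, template literals, percent-encoding inside the fragments), which is why normalisation in a WAF buys detection breadth but never replaces output encoding in the application.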
Check out the original tweet here: https://twitter.com/Hackitdamn/status/1938890133312545157