This tweet shares a bug bounty tip about bypassing Web Application Firewall (WAF) protections against Cross-Site Scripting (XSS). The method uses multi-character HTML entities, that is, named entities that decode to more than one character, including a Unicode symbol that appears as [?] in the tweet text: &fjlig; decodes to 'fj', &nvgt; decodes to '>' followed by that symbol, and &nvlt; decodes to '<' followed by it. Such entities can slip past a WAF's XSS signatures because the WAF may not decode them, or may decode them without normalizing the result, so the '<' and '>' its rules look for never appear in the inspected input. The technique is useful to security researchers and bug bounty hunters testing XSS filter bypasses, but the tweet names no affected WAF vendors or products and gives no exact technical details or payload examples. The underlying idea is that a mismatch between how the WAF and the downstream application handle entity decoding and Unicode normalization can let XSS attempts evade detection.
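To make the decoding mismatch concrete from the defender's side, here is an added example (not from the tweet or its author) that expands the three entities with Python's HTML5 reference table and compares a naive raw-input check against one that decodes entities and strips combining marks first; the sample inputs are constructed for illustration.

```python
import html
import unicodedata

# Constructed sample inputs (not from the tweet), as a WAF would see them on the
# wire before any entity decoding.
SAMPLES = {
    "plain": "<img src=x>",
    "entity": "&nvlt;img src=x&nvgt;",   # brackets hidden behind named entities
    "ligature": "&fjlig;oo",             # decodes to the ASCII letters 'fj' + 'oo'
}


def entity_codepoints(entity: str) -> list[str]:
    """Expand one named entity via the HTML5 table and list its code points.
    html.unescape handles multi-character references, e.g. &nvlt; decodes to
    U+003C '<' followed by U+20D2, a combining vertical-line overlay."""
    return [f"U+{ord(ch):04X}" for ch in html.unescape(entity)]


def naive_contains_tag(s: str) -> bool:
    """A filter that inspects only the raw, undecoded input for '<' and '>'."""
    return "<" in s and ">" in s


def normalize(s: str) -> str:
    """Decode named/numeric character references, then drop combining marks.
    Stripping Unicode category Mn removes the overlay glued to '<' or '>' so a
    later string match sees the bare bracket the application will see once it
    decodes the entity itself."""
    decoded = html.unescape(s)
    return "".join(ch for ch in decoded if unicodedata.category(ch) != "Mn")


def normalized_contains_tag(s: str) -> bool:
    """Same check as naive_contains_tag, but run on the normalized input."""
    return naive_contains_tag(normalize(s))


def compare(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """For each sample, return (naive_result, normalized_result)."""
    return {name: (naive_contains_tag(v), normalized_contains_tag(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for ent in ("&fjlig;", "&nvgt;", "&nvlt;"):
        print(ent, entity_codepoints(ent))
    for name, (raw, norm) in compare(SAMPLES).items():
        print(f"{name:9s} raw-check={raw!s:5s} normalized-check={norm}")
```

The "entity" sample passes the raw check and is caught only after normalization, which is the gap the tweet describes; the decoded '<' only becomes markup if the application decodes the entity before re-emitting the value, since the HTML tokenizer treats an entity-decoded '<' in text as a literal character.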
Check out the original tweet here: https://twitter.com/therceman/status/1939058045599785298