In this tweet, the user points out an interesting characteristic of JavaScript's handling of big integers. JavaScript allows the use of a 'big int' suffix 'n' after integers, including decimal numbers, octals (prefixed with 0o), hexadecimals (prefixed with 0x), and binaries (prefixed with 0b). This quirky behavior could potentially help bypass flawed WAF (Web Application Firewall) regular expressions (regex) that do not account for this syntax. By appending 'n' to numbers in various formats, attackers might evade detection rules that expect only standard numeric formats. This highlights the importance of WAFs to properly parse and validate JavaScript input payloads, considering all possible syntaxes. Unfortunately, the specific WAF vendor and the exact regex rules are not mentioned, but this technique could universally affect any WAF relying on regex for blocking malicious numeric payloads.
Original tweet: https://twitter.com/garethheyes/status/1946175565045625299