This tweet describes a manual approach to bypassing a Web Application Firewall (WAF) in order to exploit a Cross-Site Scripting (XSS) vulnerability. The user mentions adding a new scope for testing and successfully bypassing the WAF with a payload that triggers a JavaScript dialog displaying the document domain. The payload is a malformed string containing an SVG tag with an OnLoad event handler that executes JavaScript: "%22!–%3E%3CSvg%20OnLoad=_=confirm,_(document.domain)>". The injected string first breaks out of the surrounding HTML attribute or tag and then uses the SVG element's OnLoad handler to open the confirmation dialog. The user also references a tool, probably @xss0r, used to scan for vulnerabilities, but notes that manual effort was needed to get past the WAF. Finally, the user reports having responsibly disclosed the vulnerability after the successful manual bypass. The example highlights the challenge of WAF evasion in XSS testing: automated tools sometimes need to be supplemented by manual techniques to identify exploitable issues.
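As an added illustration (not code from the tweet or from any WAF product), the following Python shows why a case-sensitive signature that matches the raw, still-encoded request misses the payload quoted above, why decoding and lowercasing before matching catches it, and why output encoding rather than signature matching is the durable fix. The rule names and functions (`naive_waf_blocks`, `normalising_waf_blocks`, `render_safely`) are hypothetical.

```python
"""Added example: normalise-then-match detection versus a naive WAF signature."""
import html
import re
from urllib.parse import unquote

# Constructed sample input: the URL-encoded payload quoted in the post, verbatim.
SAMPLE_PARAM = '%22!–%3E%3CSvg%20OnLoad=_=confirm,_(document.domain)>'

# A typical brittle rule: lowercase only, and applied to the request as received,
# so '%3CSvg%20OnLoad=' never matches it.
NAIVE_RULE = re.compile(r'<svg\s+onload\s*=')

# Generic rule: any tag carrying an on* event-handler attribute. It keys on the
# handler attribute, not on function names, so 'confirm' reached indirectly
# through '_=confirm,_(...)' is still caught.
EVENT_HANDLER_RULE = re.compile(r'<[a-z][\w:-]*[^>]*?\bon[a-z]+\s*=')


def normalise(value: str, rounds: int = 2) -> str:
    """Percent-decode (repeating to undo double encoding) and lowercase."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def naive_waf_blocks(raw: str) -> bool:
    """Signature applied to the raw request: misses the sample payload."""
    return NAIVE_RULE.search(raw) is not None


def normalising_waf_blocks(raw: str) -> bool:
    """Same check after normalisation: flags the sample payload."""
    return EVENT_HANDLER_RULE.search(normalise(raw)) is not None


def render_safely(raw: str) -> str:
    """Contextual output encoding for an HTML text/attribute context.
    After escaping, no tag or attribute boundary survives, so no WAF is needed
    for this sink to be safe."""
    return html.escape(unquote(raw), quote=True)


if __name__ == '__main__':
    print('naive rule blocks:      ', naive_waf_blocks(SAMPLE_PARAM))
    print('normalising rule blocks:', normalising_waf_blocks(SAMPLE_PARAM))
    print('encoded output:         ', render_safely(SAMPLE_PARAM))
```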
For more details, check out the original tweet here: https://twitter.com/foysal1197/status/1955329931514351925