This WAF bypass involves adding a comma inside the string portion of a payload to evade detection. The original payload `soloboy");alert(origin);//` is blocked by the WAF with a 403 response. Changing it to `solo,boy");alert(origin);//` gets the request through with a 200 response. The comma lands inside the quoted string literal, so the JavaScript that runs after the string is closed (`");alert(origin);//`, where the trailing `//` comments out whatever the page appended after the injected value) is unchanged; only the WAF's view of the request differs.

This suggests the WAF's rule is matching a specific pattern, for example one anchored on a run of word characters immediately before the closing quote, and stops matching once a comma is inserted into that run. The exact WAF vendor and product is unknown, and the tweet does not say which rule fired, so the root cause above is an inference; the general lesson, that signatures keyed on attacker-controlled prefix text are brittle, applies to many pattern-matching WAFs. The payload executes `alert(origin)`, a standard proof of concept for a Cross-Site Scripting (XSS) vector in a JavaScript string context.

In summary, adding a comma inside suspicious tokens or payloads can trick some WAFs into allowing requests that would otherwise be blocked. It also shows why a WAF is a compensating control, not a fix: the application must still encode the value for the context it lands in, and WAF rules need testing against simple mutations like this one.
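The following is an added example, not code from the tweet or from any WAF vendor. It models a hypothetical anchored signature that the comma defeats, a less brittle rule that keys on the quote-breakout sequence instead, a simulated vulnerable sink showing that both payloads execute identically, and a hardened sink that encodes the value for a JavaScript string literal. The sink function name `track`, the origin value and the regexes are assumptions for illustration.

```javascript
// Added example (not from the original tweet). Runs under Node; alert and origin
// are stubbed so the injected code can be observed instead of popping a dialog.

const BLOCKED = 'soloboy");alert(origin);//';   // tweet: 403 from the WAF
const BYPASS  = 'solo,boy");alert(origin);//';  // tweet: 200, request allowed

// Hypothetical WAF rule (assumption): anchored on the word that opens the value,
// so any non-word character before the closing quote, such as a comma, breaks the match.
const NAIVE_RULE = /^\w*"\)\s*;\s*alert\s*\(/;
function naiveWafVerdict(value) {
  return NAIVE_RULE.test(value) ? 403 : 200;
}

// Less brittle rule: match the string-close / call-close / statement-end sequence
// itself, wherever it appears, without caring what the attacker put before it.
const BREAKOUT_RULE = /"\s*\)\s*;/;
function breakoutWafVerdict(value) {
  return BREAKOUT_RULE.test(value) ? 403 : 200;
}

// Simulated vulnerable sink: the server templates the raw value into a JS string
// argument, e.g. track("<value>"). Returns every value passed to the stubbed alert().
function runVulnerableSink(value) {
  const alerted = [];
  const script = 'track("' + value + '")';
  new Function('track', 'alert', 'origin', script)(
    () => {},                    // track stub
    (x) => alerted.push(x),      // alert stub records its argument
    'https://victim.example'     // assumed origin of the vulnerable page
  );
  return alerted;
}

// Hardened sink: encode the value as a JS string literal. JSON.stringify quotes it and
// escapes " and \ (so the injected ") cannot close the string), and the extra pass
// escapes <, > and the U+2028/2029 line terminators that break inline scripts.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function runHardenedSink(value) {
  const alerted = [];
  const script = 'track(' + jsStringLiteral(value) + ')';
  new Function('track', 'alert', 'origin', script)(
    () => {},
    (x) => alerted.push(x),
    'https://victim.example'
  );
  return alerted;
}

// Stand-alone demonstration of the four combinations.
for (const payload of [BLOCKED, BYPASS]) {
  console.log(JSON.stringify(payload),
    'naive WAF:', naiveWafVerdict(payload),
    'breakout WAF:', breakoutWafVerdict(payload),
    'vulnerable sink alerted:', runVulnerableSink(payload),
    'hardened sink alerted:', runHardenedSink(payload));
}
```

Both payloads reach `alert()` in the vulnerable sink with the same argument, because the comma only changes the contents of the string literal; the naive rule lets the second one through while the breakout-based rule catches both. The hardened sink neutralises both regardless of any WAF verdict, which is where the actual fix belongs.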
For more details, check out the original tweet here: https://twitter.com/alial1shan/status/1956404864700846318