This tweet describes a multi-layer bypass technique for Web Application Firewalls (WAFs) that filter XSS (Cross-Site Scripting) payloads in URL contexts. The technique combines several tricks: HTML injection (HTMLi), double encoding, and the insertion of control bytes to evade detection. Specifically, the bypass payloads use SVG elements whose onload handlers trigger a JavaScript alert, but they are obfuscated with percent encoding and newline characters placed in unusual positions, which makes it harder for a WAF to recognize the malicious intent. For example, the payload JavaScript:"<Svg/OnLoad=alert%25%0A26lpar;1)>" uses percent encoding (%25 is the percent sign itself, %0A is a newline) so that a single decoding pass yields "alert%" followed by a newline and "26lpar;1)"; once the newline is dropped and the resulting %26 is decoded a second time, it becomes "&lpar;", the HTML character reference for "(", completing alert(1). The tag itself is also written unconventionally, with "/" in place of whitespace and mixed-case tag and attribute names, so that literal pattern matching fails. A filter that inspects only the first decoding layer, or matches on the literal string "alert(", sees nothing suspicious. The tweet also links a lab URL for experimenting with these techniques and references KNOXSS, a well-known XSS tool that includes similar bypass methods. In summary, this bypass shows how attackers use encoding and obfuscated payloads creatively to evade WAF detection and execute XSS.
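As an added illustration (not code from the tweet or from KNOXSS), the following Python normalizer shows why a filter must fully canonicalize a value before matching it: it repeatedly percent-decodes, strips newline bytes after each pass, decodes HTML character references, and only then applies a simple event-handler check. The sample strings are constructed, and the regular expressions are simplified stand-ins for real WAF rules.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the obfuscated payload quoted above, its plain form,
# and a benign query string containing a literal encoded percent sign.
SAMPLES = {
    "obfuscated": 'JavaScript:"<Svg/OnLoad=alert%25%0A26lpar;1)>"',
    "plain": "<svg/onload=alert(1)>",
    "benign": "search?q=percent%25+off",
}

# Simplified stand-ins for WAF rules (not real product signatures).
NAIVE_SIGNATURE = re.compile(r"\balert\s*\(", re.I)
EVENT_HANDLER = re.compile(r"<\s*[a-z][\w-]*[^>]*\bon[a-z]+\s*=", re.I)
SCRIPT_SCHEME = re.compile(r"javascript\s*:", re.I)

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Normalize a request value before inspection.

    Percent-decodes repeatedly (bounded) until the string stops changing,
    dropping CR/LF/TAB after every pass so a newline hidden inside an
    encoded sequence cannot split a token, then decodes HTML character
    references such as &lpar; and lower-cases the result.
    """
    current = re.sub(r"[\r\n\t]", "", value)
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = re.sub(r"[\r\n\t]", "", decoded)
    return html.unescape(current).lower()

def naive_signature_hit(value: str) -> bool:
    """Rule applied to the raw value: defeated by the encoded parenthesis."""
    return bool(NAIVE_SIGNATURE.search(value))

def looks_like_xss(value: str) -> bool:
    """Same rules, but applied after canonicalization."""
    canon = canonicalize(value)
    return bool(NAIVE_SIGNATURE.search(canon)
                or EVENT_HANDLER.search(canon)
                or SCRIPT_SCHEME.search(canon))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} raw-rule={naive_signature_hit(raw)!s:5} "
              f"canonical-rule={looks_like_xss(raw)!s:5} -> {canonicalize(raw)}")
```

Running it shows the raw-value rule missing the obfuscated payload while the canonicalized check flags it, and the benign string passing both.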
Original tweet: https://twitter.com/TESSA_TACTIC/status/1961468154841833806