This tweet describes a technique for bypassing Web Application Firewalls (WAFs) that detect and block reflected Cross-Site Scripting (XSS). The bypass relies on an encoding trick that obfuscates the JavaScript payload; the tweet writes it as 'Eva + 0 = l = eval' and 'a + to + 0 = b = atob'. Instead of writing 'eval' (the JavaScript function that executes a string as code) and 'atob' (the function that decodes a base64-encoded string) directly, the attacker assembles these function names at runtime by concatenating characters or expressions, so a rule that matches only the literal tokens 'eval' or 'atob' never sees them in the request. The 'atob' call then decodes a base64-encoded XSS script; when the page executes it, the decoded string reveals a typical payload such as alert(origin). Because the function names are built dynamically, the encoded script evades WAF rules that look for specific keywords or patterns indicative of XSS. In short, this obfuscation lets a reflected XSS script pass a WAF by hiding its true nature until it actually runs in the browser.
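The defensive counterpart, as an added example that is not from the tweet or any particular WAF product: a normalizer that folds quoted string fragments joined with '+' back into one literal before keyword matching, so a name split like 'a'+'to'+'b' is inspected as 'atob'. The sample parameter values below are constructed, and BASE64_HERE is a placeholder, not a real encoded script.

```javascript
// Names whose presence in a reflected parameter should raise a rule hit.
const SENSITIVE_NAMES = ["eval", "atob", "Function"];

// Matches two adjacent quoted literals joined by '+', e.g. 'ev'+'al'.
// Replacing the pair with one literal and repeating collapses any chain:
//   'a'+'to'+'b'  ->  'ato'+'b'  ->  'atob'
const ADJACENT_LITERALS = /(['"`])([^'"`]*)\1\s*\+\s*(['"`])([^'"`]*)\3/;

function foldConcatenation(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(ADJACENT_LITERALS, (_m, q, a, _q2, b) => `${q}${a}${b}${q}`);
  } while (src !== prev);
  return src;
}

// Normalise a request parameter the way an inspection engine should before
// signature matching: URL-decode (tolerating malformed input), then fold.
function normalizeParam(value) {
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_e) { /* keep raw */ }
  return foldConcatenation(decoded);
}

// Naive rule: plain substring search on the raw value. This is the kind of
// check the split-name trick defeats.
function naiveMatch(value) {
  const lower = value.toLowerCase();
  return SENSITIVE_NAMES.filter((name) => lower.includes(name.toLowerCase()));
}

// Hardened rule: match whole names on the normalised value.
function findSensitiveNames(value) {
  const norm = normalizeParam(value);
  return SENSITIVE_NAMES.filter((name) =>
    new RegExp(`(^|[^A-Za-z0-9_$])${name}([^A-Za-z0-9_$]|$)`, "i").test(norm));
}

// Constructed samples: a benign query and one that splits the names so the
// literal tokens "eval" and "atob" never appear in the raw request.
const BENIGN = "search=hello+world";
const SPLIT = "q=window['ev'+'al'](window['a'+'to'+'b'](BASE64_HERE))";

console.log("naive:", naiveMatch(SPLIT));            // []
console.log("normalised:", findSensitiveNames(SPLIT)); // ["eval", "atob"]
```

Folding literals is one normalisation step among several a real engine needs (HTML entity and Unicode escape decoding, bracket-notation lookups, comments); the point is that matching must run on the normalised form, not the raw bytes.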
For more details, check out the original tweet here: https://twitter.com/Debug_sec/status/1967567951541997973