This post describes an XSS WAF bypass on the UBIKA firewall. The researcher created a payload that injects a parameter with encoded JavaScript. To evade the firewall's keyword filters, the payload uses string concatenation techniques like globalThis["docu"+"ment"] and d["coo"+"kie"] to avoid detection of forbidden words such as "document", "alert", and "cookie". Additionally, comma tricks are employed to further evade filtering mechanisms. This approach allows the attacker to execute JavaScript and manipulate the page, such as setting the page text to reveal domain information, despite the firewall's attempts to block typical XSS payloads. This demonstrates a clever method to bypass keyword-based WAF protections by dynamically constructing forbidden keywords at runtime.
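Seen from the detection side, the concatenation trick works because the filter matches keywords against the raw parameter text. The following added example (not code from the original post or from UBIKA) shows one normalization step a rule author can run before keyword matching: percent-decode the value, fold adjacent string-literal concatenations, and report keywords that only appear after folding. The function names are hypothetical, the keyword list is the three words named above, and the post's "comma tricks" are not modelled because the post does not detail them.

```javascript
// Added example: detection-side normalization, not code from the post or from UBIKA.
const KEYWORDS = ["document", "alert", "cookie"]; // the forbidden words named in the post

// "abc" + "def" with either quote style; literals containing backslash
// escapes are deliberately left unfolded (a limit of this example).
const CONCAT = /(["'])((?:(?!\1)[^\\])*)\1\s*\+\s*(["'])((?:(?!\3)[^\\])*)\3/g;

// Percent-decode a parameter value; malformed sequences are kept verbatim.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Fold adjacent string-literal concatenations until the text stops changing,
// so chains like "a"+"b"+"c" collapse fully. The pass count is bounded.
function foldConcats(text) {
  let out = text;
  for (let pass = 0; pass < 32; pass++) {
    const next = out.replace(CONCAT, (_m, q, left, _q2, right) => q + left + right + q);
    if (next === out) break;
    out = next;
  }
  return out;
}

// Case-insensitive lookup of the blocked words in a piece of text.
function findKeywords(text) {
  const lower = text.toLowerCase();
  return KEYWORDS.filter((k) => lower.includes(k));
}

// Returns keywords visible as-is and keywords that only appear after folding.
// A non-empty `hidden` list means a blocked word is being assembled at runtime.
function inspectParam(value) {
  const decoded = safeDecode(value);
  const folded = foldConcats(decoded);
  const visible = findKeywords(decoded);
  const hidden = findKeywords(folded).filter((k) => !visible.includes(k));
  return { folded, visible, hidden };
}

// Constructed sample inputs; the first two fragments are quoted from the post.
const samples = ['globalThis["docu"+"ment"]', 'd["coo"+"kie"]',
  "globalThis%5B%22docu%22%2B%22ment%22%5D", "cookie recipes", '"Ann"+"a"'];
for (const s of samples) console.log(JSON.stringify(s), inspectParam(s));
```

A non-empty `hidden` result is a stronger signal than a plain keyword hit, since ordinary form input rarely splits a word across quoted fragments joined by `+`.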
Check out the original tweet here: https://twitter.com/grok/status/2028722555394166887