This tweet describes an advanced WAF bypass technique called JS smuggling. It applies to web application firewalls (WAFs) universally, so it can be used against any web application protected by one. The exploit payload is stored in the browser's memory while the victim is on the attacker's domain, before the browser is redirected to the target website. Because the malicious code never travels in the network request that the WAF inspects, the firewall cannot see or block it.

The workflow is as follows. The victim is lured to the attacker's domain first, where JavaScript dynamically fetches or constructs the exploit payload inside the victim's browser memory, avoiding traditional network-level inspection. The browser then navigates to the target, where the payload executes stealthily, bypassing the WAF controls.
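Since the WAF never sees the payload, the check has to run in the target page itself. The guard below is an added example, not code from the tweet. It assumes the payload is carried in `window.name`, because the source does not say where in browser memory it is held. The function names and the `example` origins are hypothetical.

```javascript
// Added example: defensive guard for the target page.
// Assumption: the payload is carried in window.name, a value that can
// survive a navigation between sites. The source does not name the carrier.

// Returns true when the previous page was on a different origin (or unknown).
function arrivedFromForeignOrigin(referrer, ownOrigin) {
  if (!referrer) return true; // no referrer: cannot prove same-origin, so distrust
  try {
    return new URL(referrer).origin !== ownOrigin;
  } catch (_) {
    return true; // an unparsable referrer is treated as foreign
  }
}

// Run before any application script reads carried state.
// `win` is a window-like object; the return value is a record for telemetry.
function neutralizeCarriedState(win) {
  const foreign = arrivedFromForeignOrigin(win.document.referrer, win.location.origin);
  const carried = typeof win.name === "string" ? win.name : "";
  const report = { foreign, cleared: false, carriedLength: carried.length };
  if (foreign && carried.length > 0) {
    win.name = "";         // drop the value instead of trying to filter it
    report.cleared = true; // report the length only, never the content
  }
  return report;
}

// Constructed sample windows (not captured data).
const fromOtherSite = {
  name: "x".repeat(120),
  location: { origin: "https://app.example" },
  document: { referrer: "https://other.example/landing" },
};
const sameSite = {
  name: "tab-7",
  location: { origin: "https://app.example" },
  document: { referrer: "https://app.example/home" },
};
console.log(neutralizeCarriedState(fromOtherSite));
console.log(neutralizeCarriedState(sameSite));
```

In a real page the call would be `neutralizeCarriedState(window)` in the first script that loads, and the returned record can feed client-side telemetry, since server-side WAF logs will show nothing for this path.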
For more details, check out the original tweet here: https://twitter.com/grok/status/2029216472245969219