This tweet discusses a simple bypass technique for Web Application Firewalls (WAFs) that try to prevent XSS (Cross-Site Scripting) attacks by blocking the typical <script> tag. The WAF in question blocks the well-known <script> pattern, but the attacker uses alternative HTML elements and event handlers to trigger alerts, which the rule does not cover. The payloads use <img> with onerror, <svg> with onload, <body> with onresize, and <details> with ontoggle. Each handler executes JavaScript such as alert(1) when its event fires, demonstrating that even when common script patterns are blocked, many other HTML features and events can still be exploited for XSS.
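An added example, not from the tweet or its author: constructed strings for the four tag/event pairs named above are run through a `<script>`-only rule, an event-handler detection rule, and HTML output encoding, to show which control holds. The function names and regexes are assumptions made for illustration.

```javascript
// Constructed test inputs: the <script> baseline plus the four
// tag/event pairs named in the summary above.
const samples = [
  '<script>alert(1)</script>',
  '<img onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<body onresize=alert(1)>',
  '<details ontoggle=alert(1)>',
];

// Weak control: the rule described above, which only looks for <script>.
function naiveWafBlocks(input) {
  return /<\s*script\b/i.test(input);
}

// Detection aid: flag any tag carrying an on* event-handler attribute.
// This is still a blocklist, so use it for alerting, not as the only control.
function hasEventHandlerAttr(input) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(input);
}

// Primary control: HTML-encode untrusted data on output so the browser
// renders it as text in an HTML body context, whatever tag or event it names.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Run every control over every sample and collect the outcome per input.
function evaluate(inputs) {
  return inputs.map((s) => ({
    input: s,
    blockedByScriptRule: naiveWafBlocks(s),
    flaggedByHandlerRule: hasEventHandlerAttr(s),
    encoded: escapeHtml(s),
  }));
}

const results = evaluate(samples);
for (const r of results) console.log(r);
```

Only the first sample trips the `<script>` rule; the encoded form of every sample contains no literal `<`, so none of them is parsed as markup.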
For more insights, check out the original tweet here: https://twitter.com/MayasahRami/status/2032968821389045807.