This tweet describes bypassing a Web Application Firewall (WAF) during an internal penetration test, where the finding was a potential blind stored Cross-Site Scripting (XSS). The textbook payload <img src=1 onerror=alert()> was blocked by the WAF, but the author reports getting past it with a modified payload: < h1 > <img src = 1 oNeRroaR=print(1)> </ h1 >. Three changes stand out: whitespace around the '=' signs and inside the h1 wrapper, mixed-case letters in the event handler attribute name, and print(1) in place of alert() as the sink. The first two defeat a WAF that matches the literal string 'onerror' or the exact textbook payload, because the browser's HTML tokenizer accepts whitespace on either side of '=' and treats attribute names as ASCII case-insensitive; the third dodges a rule keyed on 'alert('. Two caveats for anyone reproducing this: '< h1 >' with a space after '<' is not parsed as a tag at all (the tokenizer emits it as literal text), so the wrapper adds nothing beyond padding; and as transcribed, 'oNeRroaR' lowercases to 'onerroar', which is not an event handler any browser recognizes, so that exact string would be stored as an inert unknown attribute rather than executed. Either the transcription altered the attribute name or the payload that actually fired differs from the one quoted; the tweet as shown does not settle this. The WAF vendor is not named, so the bypass may apply to several products or to a custom rule set. The practical lesson is that a blocklist matching raw bytes is weaker than a check that normalizes input the way the browser will (lowercasing attribute names, tolerating whitespace around '=') before matching; a stored payload that slips through this way sits in the application until a victim's browser renders it. The author plans to demonstrate the bypass later.
Original tweet: https://twitter.com/TasfiulHedayet/status/2033797520414150870
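The contrast above between a byte-matching blocklist and the browser's own attribute handling, as an added example that is not from the tweet or from any WAF vendor: the naive signatures, the hardened check, the small start-tag tokenizer, and the subset of event handler names are all constructed here. The tokenizer approximates the HTML spec's tag-open and attribute states closely enough to show which of three payloads (the textbook one, a mixed-case 'onerror' variant that the tweet's payload was presumably meant to be, and the payload exactly as transcribed) each filter blocks and which would actually fire.

```javascript
// Added example: naive signature WAF vs. browser-style attribute normalisation.
// Constructed for this page; not the tweet author's code nor any vendor's rule set.

// Event handler attributes a browser actually wires up. Assumption: a small subset
// of the spec's GlobalEventHandlers list, enough for the demonstration.
const EVENT_HANDLERS = new Set(["onerror", "onload", "onclick", "onmouseover", "onfocus", "ontoggle"]);

// Naive blocklist in the style the tweet implies: literal substrings of the textbook
// payload. Constructed; a real product's rules will differ.
const NAIVE_SIGNATURES = ["<img src=1 onerror", "alert("];

const WS = /[ \t\n\f\r]/;

// Minimal start-tag tokenizer following the spec's rules that matter here:
// '<' must be followed by an ASCII letter to open a tag, attribute names are
// lowercased, and whitespace is allowed on both sides of '='.
function extractStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    // "< h1 >" and "</ h1 >" fall through here: emitted as text, not tags.
    if (!/[A-Za-z]/.test(html[i + 1] || "")) { i++; continue; }
    i++;
    let name = "";
    while (i < html.length && !WS.test(html[i]) && html[i] !== ">" && html[i] !== "/") name += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== ">") {
      while (i < html.length && (WS.test(html[i]) || html[i] === "/")) i++;   // between attributes
      if (i >= html.length || html[i] === ">") break;
      let aname = "";
      while (i < html.length && !WS.test(html[i]) && html[i] !== "=" && html[i] !== ">" && html[i] !== "/") aname += html[i++];
      while (i < html.length && WS.test(html[i])) i++;                         // "src = 1": space before '='
      let value = "";
      if (html[i] === "=") {
        i++;
        while (i < html.length && WS.test(html[i])) i++;                       // "src = 1": space after '='
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++;
        } else {
          while (i < html.length && !WS.test(html[i]) && html[i] !== ">") value += html[i++];
        }
      }
      attrs.push({ name: aname.toLowerCase(), value });                         // "oNeRrOr" -> "onerror"
    }
    i++; // consume '>'
    tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// Byte-level blocklist: what the tweet's WAF appears to have done.
function naiveWafBlocks(input) {
  return NAIVE_SIGNATURES.some((sig) => input.includes(sig));
}

// Hardened check: tokenize first, then refuse any on* attribute regardless of
// case or spacing. Conservative on purpose: it also rejects unknown on* names.
function normalisedWafBlocks(input) {
  return extractStartTags(input).some((tag) => tag.attrs.some((a) => a.name.startsWith("on")));
}

// Would a browser attach a handler? Only for names it actually recognizes.
function wouldFireInBrowser(input) {
  return extractStartTags(input).some((tag) => tag.attrs.some((a) => EVENT_HANDLERS.has(a.name)));
}

function evaluate(payload) {
  return {
    naiveBlocked: naiveWafBlocks(payload),
    normalisedBlocked: normalisedWafBlocks(payload),
    fires: wouldFireInBrowser(payload),
  };
}

// Constructed test inputs: textbook payload, the presumed working variant (mixed-case
// 'onerror', an assumption about what the tweet meant), and the payload as transcribed.
const PAYLOADS = {
  textbook: "<img src=1 onerror=alert()>",
  mixedCase: "< h1 > <img src = 1 oNeRrOr=print(1)> </ h1 >",
  asTranscribed: "< h1 > <img src = 1 oNeRroaR=print(1)> </ h1 >",
};

for (const [label, p] of Object.entries(PAYLOADS)) console.log(label, evaluate(p));
```

Run with node: the textbook payload is caught by both filters and would fire; the mixed-case variant walks past the naive blocklist yet is caught once attribute names are normalised, and would fire; the payload exactly as transcribed also evades the naive blocklist but never fires, because 'onerroar' is not a handler the browser knows. The design point is that the hardened check asks the same question the browser will ask (what attribute names does this tag end up with?) instead of grepping for a spelling.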