This tweet explains a technique to bypass Web Application Firewall (WAF) filters that block common characters used in cross-site scripting (XSS) attacks, such as <, >, ", and '. The bypass technique takes advantage of Unicode normalization that occurs after the WAF filtering. Many applications normalize Unicode characters after the security layer, which means that even if the WAF blocks the ASCII versions of these characters, their Unicode variants might pass through unchecked.
For example, the following URL-encoded Unicode variants can be used as bypass payloads:
– < becomes %EF%BC%9C
– > becomes %EF%BC%9E
– " becomes %EF%BC%A2
– ' becomes %EF%BC%87
– ` becomes %EF%BD%80
By using these URL-encoded Unicode variants, attackers can sneak past WAF filters and execute XSS attacks. This technique is useful when a WAF aggressively filters for ASCII characters but does not normalize or decode Unicode before filtering.
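The gap described above, shown from the filtering side as an added example (not code from the tweet): a check that inspects only the percent-decoded input never sees an ASCII `<`, while a check that applies the same NFKC normalization the application later performs catches it. The sample input and the function names are constructed for this illustration.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample: an XSS probe built from the fullwidth variants
# listed above, URL-encoded exactly as they would arrive in a request.
SAMPLE_INPUT = "%EF%BC%9Cscript%EF%BC%9Ealert(1)%EF%BC%9C/script%EF%BC%9E"

# The ASCII characters the WAF in the write-up is filtering for.
DANGEROUS = set('<>"\'`')


def decode_like_app(raw: str) -> str:
    """Model the application: percent-decode, then NFKC-normalize.

    NFKC folds compatibility characters such as the fullwidth forms
    (U+FF1C, U+FF1E, ...) back to their ASCII equivalents.
    """
    return unicodedata.normalize("NFKC", unquote(raw))


def naive_filter_blocks(raw: str) -> bool:
    """WAF-style check that decodes but does not normalize.

    The fullwidth code points are not in DANGEROUS, so this returns
    False for SAMPLE_INPUT even though the app will see '<script>'.
    """
    return any(c in DANGEROUS for c in unquote(raw))


def normalized_filter_blocks(raw: str) -> bool:
    """Hardened check: inspect the same string the application will use.

    Normalizing before matching is the mitigation; it closes the gap
    between what the filter sees and what the browser eventually renders.
    """
    return any(c in DANGEROUS for c in decode_like_app(raw))


if __name__ == "__main__":
    print("app sees        :", decode_like_app(SAMPLE_INPUT))
    print("naive filter    :", naive_filter_blocks(SAMPLE_INPUT))
    print("normalized check:", normalized_filter_blocks(SAMPLE_INPUT))
```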
In summary, abusing Unicode normalization is a valuable tip for bypassing WAFs that protect against XSS, especially when direct use of the <, >, ", ' or ` characters is blocked.
Check out the original tweet here: https://twitter.com/comores_11/status/2036780213040713883