This bypass technique relates to Cross-Site Scripting (XSS) vulnerabilities. It exploits the way some applications normalize Unicode characters only after the request has passed through the Web Application Firewall (WAF) or other security layer. When the characters commonly used in XSS attacks, such as <, >, ", ', or `, are filtered by the WAF, attackers can substitute their Unicode full-width equivalents to get past these filters. In a URL these full-width characters appear as percent-encoded UTF-8 sequences: < is %EF%BC%9C, > is %EF%BC%9E, " is %EF%BC%A2, ' is %EF%BC%87, and ` is %EF%BD%80. Because the normalization to their ASCII counterparts happens after the WAF has inspected the request, the malicious script still executes in the application's context, leading to successful XSS exploitation.

This method can be effective against many different WAF vendors, since it exploits application-level input normalization rather than the filtering mechanism of a specific vendor or product. The defensive consequence is that a filter must see the request in the same canonical form the application will act on: percent-decode and Unicode-normalize before validating, and treat metacharacters that appear only after normalization as a signal of this bypass.
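The following added example (not from the original post) shows the gap the text describes from the defender's side: a filter that inspects the percent-decoded input misses the full-width forms, while one that NFKC-normalizes first catches them, and a small detector reports which metacharacters only appeared after normalization. It derives each percent-encoded sequence from the character's code point rather than hard-coding it; the function and variable names and the harmless sample input are constructed for this illustration.

```python
import unicodedata
from urllib.parse import unquote

# Characters that change meaning in an HTML or JavaScript context (the page's list).
XSS_METACHARS = frozenset('<>"\'`')

# Printable ASCII 0x21-0x7E maps onto the Halfwidth and Fullwidth Forms block
# U+FF01-U+FF5E, so each metacharacter has a full-width twin at U+FF00 + (code - 0x20).
# Note: U+FF02 FULLWIDTH QUOTATION MARK encodes as EF BC 82 in UTF-8.
FULLWIDTH = {c: chr(0xFF00 + ord(c) - 0x20) for c in XSS_METACHARS}


def percent_encode_utf8(ch: str) -> str:
    """URL-encoded UTF-8 bytes of one character, e.g. U+FF1C -> '%EF%BC%9C'."""
    return "".join(f"%{b:02X}" for b in ch.encode("utf-8"))


def naive_filter_blocks(raw: str) -> bool:
    """WAF-style check as the page describes it: percent-decode, then look for
    ASCII metacharacters. Full-width forms are not in the set, so they pass."""
    return any(c in XSS_METACHARS for c in unquote(raw))


def canonical_filter_blocks(raw: str) -> bool:
    """Hardened check: canonicalize first, then inspect.

    NFKC folds the Fullwidth Forms to their ASCII compatibility equivalents,
    which is the same folding the application applies after the WAF has run.
    """
    canon = unicodedata.normalize("NFKC", unquote(raw))
    return any(c in XSS_METACHARS for c in canon)


def normalization_introduced(raw: str) -> set:
    """Detection signal: metacharacters present only after NFKC normalization.

    A non-empty result means a filter that ran on the raw input missed them.
    """
    decoded = unquote(raw)
    before = {c for c in decoded if c in XSS_METACHARS}
    after = {c for c in unicodedata.normalize("NFKC", decoded) if c in XSS_METACHARS}
    return after - before


if __name__ == "__main__":
    # Constructed sample: a harmless <b> tag written with full-width angle brackets.
    sample = "q=" + percent_encode_utf8(FULLWIDTH["<"]) + "b" + percent_encode_utf8(FULLWIDTH[">"])
    for ascii_ch, wide in sorted(FULLWIDTH.items()):
        print(f"{ascii_ch} -> U+{ord(wide):04X} {percent_encode_utf8(wide)}")
    print(sample, naive_filter_blocks(sample), canonical_filter_blocks(sample),
          normalization_introduced(sample))
```

Running the block prints the derived percent-encoded form of each full-width metacharacter and shows the naive check returning False while the canonical check returns True for the same request.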
For more details, check out the original tweet here: https://twitter.com/Sadishyt/status/2037827596063498274