This bypass technique targets Cross-Site Scripting (XSS) protections implemented by Web Application Firewalls (WAFs). The key idea is that many web applications perform Unicode normalization after the WAF filtering stage. When characters like < and > are blocked by the WAF, attackers can try their Unicode full-width equivalents instead, such as %EF%BC%9C for < and %EF%BC%9E for > in URL-encoded form, as a way to bypass the filter. These full-width characters look visually similar to their ASCII counterparts but have different byte representations, so the payload evades the WAF's pattern matching. The technique applies to many WAF vendors, since it exploits the common processing order (filter first, normalize later) rather than a specific implementation. An attacker can therefore send payloads containing these Unicode variants, which the application may normalize to standard ASCII characters only after the WAF has inspected them, enabling successful XSS injection despite filtering at the WAF layer. This is a valuable trick for bug bounty hunters and penetration testers to keep in mind when encountering WAFs that filter typical XSS vectors but sit in front of an application that normalizes after filtering.
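The ordering problem described above can be checked directly. The following is an added example written for this page (not code from the original tweet or its author): it decodes the URL-encoded full-width characters the page mentions, applies Unicode NFKC compatibility normalization, and compares two hypothetical pipelines, one that inspects for angle brackets before normalizing (the vulnerable order) and one that normalizes first. It also enumerates which code points in the Basic Multilingual Plane fold to a given ASCII character under NFKC, which is the list a defender needs when deciding whether a filter that only knows about ASCII `<` and `>` is sufficient. The function names, the sample input and the assumption that the application uses NFKC are all constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs: the full-width forms from the page (%EF%BC%9C / %EF%BC%9E)
# wrapped around a harmless tag name, plus the plain ASCII equivalent for comparison.
SAMPLE_FULLWIDTH_ENCODED = "%EF%BC%9Cb%EF%BC%9E"
SAMPLE_ASCII_ENCODED = "%3Cb%3E"


def decode_url(url_encoded: str) -> str:
    """Percent-decode as UTF-8, the way a typical web stack does before the app sees the value."""
    return unquote(url_encoded, encoding="utf-8", errors="strict")


def nfkc(text: str) -> str:
    """Compatibility normalization: maps full-width and other compatibility variants to ASCII."""
    return unicodedata.normalize("NFKC", text)


def contains_angle_brackets(text: str) -> bool:
    """Stand-in for a WAF rule that only knows the ASCII characters < and >."""
    return "<" in text or ">" in text


def filter_then_normalize(url_encoded: str) -> tuple[bool, str]:
    """Hypothetical vulnerable order: the filter inspects the decoded value,
    then the application normalizes it. Returns (blocked_by_filter, value_the_app_uses)."""
    decoded = decode_url(url_encoded)
    blocked = contains_angle_brackets(decoded)
    return blocked, nfkc(decoded)


def normalize_then_filter(url_encoded: str) -> tuple[bool, str]:
    """Hardened order: normalize first, then run the same filter on the canonical form."""
    canonical = nfkc(decode_url(url_encoded))
    return contains_angle_brackets(canonical), canonical


def nfkc_variants(ascii_char: str) -> set[str]:
    """Every BMP code point whose NFKC form is exactly the given ASCII character.
    Useful for auditing whether a character blocklist covers the compatibility variants."""
    return {
        chr(cp)
        for cp in range(0x80, 0x10000)
        if unicodedata.normalize("NFKC", chr(cp)) == ascii_char
    }


if __name__ == "__main__":
    for label, sample in (("ascii", SAMPLE_ASCII_ENCODED), ("fullwidth", SAMPLE_FULLWIDTH_ENCODED)):
        blocked_late, app_value = filter_then_normalize(sample)
        blocked_early, _ = normalize_then_filter(sample)
        print(f"{label:10s} filter-then-normalize blocked={blocked_late!s:5s} app sees {app_value!r}")
        print(f"{label:10s} normalize-then-filter blocked={blocked_early!s:5s}")
    print("code points folding to '<':", sorted(f"U+{ord(c):04X}" for c in nfkc_variants("<")))
```

Run it and the full-width sample passes the filter-then-normalize pipeline while the application ends up with the plain `<b>` string; the normalize-then-filter pipeline blocks both samples. The `nfkc_variants` scan shows that U+FF1C is not the only code point that folds to `<` (the small form U+FE64 does as well), which is why the robust mitigation is to normalize to a canonical form before any validation or output encoding, or to validate and encode at the application layer after normalization, rather than to extend a WAF blocklist one variant at a time.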
For more insights, check out the original tweet here: https://twitter.com/wtf_yodhha/status/2037610834705420683. And don’t forget to follow @wtf_yodhha for more exciting updates in the world of cybersecurity.