This tweet describes a technique for bypassing Web Application Firewalls (WAFs) to exploit Cross-Site Scripting (XSS) vulnerabilities. The bypass relies on two event handlers combined with a URL-encoded newline character (`%0a`) inside the payload. The payload shown is `"><img/src=/Onerror%0aOnerror=alert(1)//`. The idea is to inject an image tag carrying an `Onerror` event handler, followed by a newline, and then a second `Onerror` handler that triggers a JavaScript alert.

WAFs often try to detect and block typical XSS payloads by pattern-matching on event handler names or common scripting tags. Placing a newline character inside the tag, between the two handlers, defeats filters whose patterns do not expect it, so the request passes the WAF's detection logic. The injected script then executes in the browser, demonstrating an evasion method that security teams must account for and defend against.

While the vendor of the WAF isn't specified, this kind of bypass can be effective against many WAF products that use strict regex or pattern-based filtering without accounting for newline characters or multiple event handlers within a single tag.
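As an added example (not from the tweet or this page), the constructed Python below decodes the payload and tokenises it the way a browser does, showing that the first `Onerror` is swallowed as the value of `src` while the newline terminates that unquoted value and starts a real `onerror` attribute, which a parser-based check catches and a line-oriented regex filter misses. The reflection point `TEMPLATE` and the `FRAGILE` pattern are assumptions standing in for an unspecified vendor's rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Payload quoted on this page, injected into a constructed reflection point.
PAYLOAD = '"><img/src=/Onerror%0aOnerror=alert(1)//'
TEMPLATE = '<input type="text" value="{}">'

# Constructed stand-in for a fragile filter (not any vendor's rule set): it
# inspects the raw, still-encoded request one line at a time and expects
# whitespace before the handler name.
FRAGILE = re.compile(r"<\w+[^>]*\son\w+\s*=", re.I)


def fragile_check(raw: str) -> bool:
    return any(FRAGILE.search(line) for line in raw.splitlines())


class HandlerFinder(HTMLParser):
    """Recovers the attribute list the browser's tokenizer would actually see."""

    def __init__(self):
        super().__init__()
        self.attrs = []  # (tag, name, value) for every attribute encountered

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name, value) for name, value in attrs)

    handle_startendtag = handle_starttag


def parse_attrs(raw: str):
    finder = HandlerFinder()
    finder.feed(unquote(raw))  # decode %0a and friends before tokenising
    finder.close()
    return finder.attrs


def robust_check(raw: str) -> bool:
    """Flag any on* attribute on any tag: case, newlines and '/' separators do not matter."""
    return any(name.startswith("on") for _, name, _ in parse_attrs(raw))


if __name__ == "__main__":
    doc = TEMPLATE.format(PAYLOAD)
    for tag, name, value in parse_attrs(doc):
        print(f"{tag}: {name}={value!r}")
    print("fragile filter:", fragile_check(doc), " parser-based check:", robust_check(doc))
```

Running it prints the `img` tag with `src='/Onerror'` and `onerror='alert(1)//"'`, flagged by the parser-based check only.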

Security professionals and bug bounty hunters should test their WAFs with payloads similar to this to ensure robustness against such evasion techniques.

For more insights, check out the original tweet here: https://twitter.com/N45HTOfficial/status/2041899583908016584