This tweet discusses a method to bypass a Web Application Firewall (WAF) while exploiting a Cross-Site Scripting (XSS) vulnerability. The user mentions that direct XSS attempts were blocked by the WAF, so they used manual traffic inspection to find a potentially whitelisted endpoint, specifically an analytics endpoint (/app/analytics/). They then used directory traversal by appending '/../yourpath/' to the whitelisted endpoint URL. If the WAF or server does not properly decode or normalize the URL path, this traversal technique might allow payloads that would normally be blocked to reach the vulnerable endpoint, effectively bypassing the WAF protection. This technique leverages improper URL canonicalization in WAFs or web servers, which can sometimes be overlooked in security rules.
Check out the original tweet here: https://twitter.com/knwldgd1gger/status/2043362963491316128
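
The canonicalization gap described above, seen from the defender's side, as an added example (not code from the tweet or from any WAF product): a raw-prefix exemption rule beside one that decodes and normalizes the path before matching. The function names, the decoding-round limit and the sample requests are assumptions constructed for illustration; `/app/analytics/` and `/../yourpath/` are the paths named in the summary.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Inspection-exempt prefix named in the summary.
ALLOWLIST = ("/app/analytics/",)

def naive_is_exempt(url: str) -> bool:
    """Weak rule: prefix match on the raw, un-normalized path."""
    return urlsplit(url).path.startswith(ALLOWLIST)

def canonical_path(url: str, max_rounds: int = 3) -> str:
    """Decode and normalize the path the way a backend may resolve it."""
    path = urlsplit(url).path
    # Undo nested percent-encoding (%2e, %252e, ...) a bounded number of times.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:
        raise ValueError("path still encoded after max_rounds")
    path = path.replace("\\", "/")  # some servers treat backslash as a separator
    # Resolve "." and ".." segments and collapse repeated slashes.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and norm != "/":
        norm += "/"  # normpath drops the trailing slash; keep it for prefix matching
    return norm

def hardened_is_exempt(url: str) -> bool:
    """Match the allowlist on the canonical path; fail closed on odd encodings."""
    try:
        return canonical_path(url).startswith(ALLOWLIST)
    except ValueError:
        return False  # not exempt, so the request gets full inspection

# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = [
    "/app/analytics/collect?id=1",
    "/app/analytics/../yourpath/?q=test",
    "/app/analytics/%2e%2e/yourpath/?q=test",
    "/app/analytics/%252e%252e/yourpath/?q=test",
]

def compare(samples=SAMPLES):
    """Return (url, naive verdict, hardened verdict) for each sample."""
    return [(u, naive_is_exempt(u), hardened_is_exempt(u)) for u in samples]

if __name__ == "__main__":
    for url, naive, hardened in compare():
        print(f"{url:50} naive_exempt={naive!s:5} hardened_exempt={hardened}")
```

Requests where the two verdicts differ are also a useful detection signal: a path that matches an exemption only before normalization is worth logging.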