This tweet talks about a new video showcasing a Stored Cross-Site Scripting (Stored XSS) vulnerability along with a Web Application Firewall (WAF) bypass on a real target. The WAF, which uses a blacklist-based approach, reportedly blocked the attack on the surface level, but the crafted XSS payload still got stored and executed successfully. The video provides a full walkthrough demonstrating how the blacklist-based WAF failed to stop the cleverly crafted XSS attack. Blacklist-based WAFs are often vulnerable to evasion techniques because attackers can bypass the filters by using various encoding or obfuscation tricks. This tweet and video emphasize the importance of understanding such bypass techniques and improving WAF defenses beyond simple blacklisting to protect web applications effectively.
Check out the original tweet here: https://twitter.com/NullSecurityX/status/2044105631385153934