The tweet says that knowing JavaScript is the key to bypassing a WAF: polyglot XSS payloads are crafted according to which parameters are found to be reflected in the DOM. It recommends xnLinkfinder, ParamSpider, Gxss, Dalfox, and manual testing in Burp Suite. The technique is useful when testing web applications for XSS vulnerabilities and for checking whether security mechanisms such as a WAF can be bypassed.
"The key is to know JavaScript and to bypass WAF, then you can craft different polyglots according to parameters found which indeed are reflected in DOM"
1. xnLinkfinder, ParamSpider
2. Gxss or manual test for what is reflected
3. Dalfox in background and trying manually in Burp
— hackermater (@hackermater11) March 11, 2024