A new WAF bypass technique was discovered by @0xEdra. The bypass involves adding a quoted string right before the onerror event with an entity alias, transforming onerror into x="""onerror". This technique can potentially be used to bypass various Web Application Firewalls. Check out the full write-up at https://t.co/w5iej6Ma5B
One WAF Bypass Payload to Rule 'em All!
@0xEdra recently discovered a WAF bypass by adding a quoted string right before the onerror event with an entity alias!
So onerror became x="""onerror!
His write-up is definitely worth the read. https://t.co/w5iej6Ma5B pic.twitter.com/h671cgFUfp
— Critical Thinking – Bug Bounty Podcast (@ctbbpodcast) October 26, 2024