If you see a web application is trying to guess your search query (e.g. in search bar) and has a WAF on top of it, use mistyped words to easy trigger XSS and bypass the WAF
<scrpt>confrm()</scrpt>
The above behavior is often seen in PHP web applications using pspell_suggest() https://t.co/SIpGAZGLTH