From b6d25c758a7f5c72824ca6f3356b7d6c356bc8cd Mon Sep 17 00:00:00 2001
From: Xalgord <48483027+xalgord@users.noreply.github.com>
Date: Sat, 20 Feb 2021 16:26:49 +0530
Subject: [PATCH] Update README.md
---
README.md | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 81dadd5..c81713e 100644
--- a/README.md
+++ b/README.md
@@ -266,22 +266,34 @@ Here’s list of tools [@_justYnot](https://twitter.com/_justYnot) used:
## XSS firewall bypass techniques
Here’s a list of 7 useful techniques on how we can bypass WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:
1. Check if the firewall is blocking only lowercase:
-
+```
+
+```
2. Try to break firewall regex with new line (\r\n), aka. CRLF injection:
+```
+```
3. Try double encoding:
+```
%2522
+```
4. Testing for recursive filters, if firewall removes the text in bold, we will have clear payload:
+```
ipt>alert(1);ipt>
+```
5. Injecting anchor tag without whitespaces:
+```
+```
6. Try to bypass whitespaces using a bullet:
+```
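Review bot: Item 4 still says the firewall "removes the text in bold", but its sample line now sits inside a code fence, where Markdown emphasis is not rendered, so nothing marks which part the recursive filter strips. Reword the sentence to name the removed substring explicitly, or leave that one sample outside the fence. Separately, the fences added under items 1, 2 and 5 enclose nothing (an empty line under item 1, no line at all under items 2 and 5), so those items render as empty code blocks. The sample text for each should sit between its opening and closing fence lines in this same change.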