A month ago i made an XSS challenge called Sh*t it’s a WAF. The idea of the challenge was to bypass the WAF filters and inject an XSS payload that execute alert(1337) . The challenge was a bit tricky but not hard. So let’s first explain how the WAF was working and how it could be bypassed.