🛡️⚔️ WAF Bypass Arsenal

🔬 Original Research by @therceman
⚡ Built by @vgrichina using @BerrryComputer
✅ Shared by @XssPayloads
🐛 Bug Bounty Approved

Full-Width Unicode Symbols Cheatsheet for XSS, CRLF & WAF Bypass 🧙🏻‍♂️

Char
Full-Width Hex
Unicode
URL Encoded
Description
Researcher
<
Less than symbol for XSS tags
@therceman
🔬 Original Research
>
Greater than symbol for XSS tags
@therceman
🔬 Original Research
"
Double quote for attribute injection
@therceman
🔬 Original Research
'
Single quote for SQL/XSS injection
@therceman
🔬 Original Research
(
Opening parenthesis for function calls
@vgrichina
⚡ Technical Implementation
)
Closing parenthesis for function calls
@vgrichina
⚡ Technical Implementation
;
Semicolon for command separation
@xsspayloads
✅ Community Validation
=
Equals sign for assignments
@therceman
🔬 Original Research
&
Ampersand for entity references
@xsspayloads
✅ Community Validation
/
Forward slash for path traversal
@vgrichina
⚡ Technical Implementation
\
Backslash for escape sequences
@vgrichina
⚡ Technical Implementation
|
Pipe for command chaining
@therceman
🔬 Original Research
{
Opening brace for code blocks
@berrycomputer
🚀 Platform Integration
}
Closing brace for code blocks
@berrycomputer
🚀 Platform Integration
[
Opening bracket for arrays
@berrycomputer
🚀 Platform Integration
]
Closing bracket for arrays
@berrycomputer
🚀 Platform Integration