You’re testing a web application and finally find an endpoint that is reflecting HTML code. You drop your XSS payload and BOOM! All your hopes and dreams vanish before your eyes as that damn WAF appears out of nowhere, only to laugh at you. In this blog post I’m going to be detailing how I successfully bypassed an XSS filter to achieve a very interesting reflected XSS vulnerability in an obvious endpoint which had clearly been tested by hundreds of security researchers before me. This vulnerability just so happens to be the very same one that my 2nd challenge over on My Challenge Site.