PortSwigger “Concealing payloads in URL credentials” talks about concealing XSS payloads in URL credentials. The nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters. You can actually conceal the payloads in other places
In this post, I am describing some payloads which I used to bypass two distinct XSS filter implementations (such as Web Application Firewalls (WAF)) as well as the approach to design them.