If you couldn't, it's plausible the non-security developers incorrectly speculated it was possible?
The second POC demonstrated the ability to evade both their WAF and XSS_Auditor.
Their development team then verified the ability to execute arbitrary JavaScript from any *.cloudfront.net host.
That's pretty much the whole story.