Overview: I was testing an application where most of the functionality was vulnerable to stored XSS, but most of the previously reported issues had already been patched. I came across a functionality for creating admin roles, where I injected special characters such as <> into the "role_name" parameter of a POST request to observe how the application behaved. I received the following response:

400 Bad Request 
......

Only words and numbers are allowed. 

Bypass: I intercepted the request and added an additional "role_name" parameter before the original one. I injected the payload into that additional parameter and kept the value of the original parameter as test, so the POST parameters looked like this:

role_name=<img+src=x+onerror=alert(document.cookie)>&role_name=test

The application accepted both parameters, and a role was created with the name <img src=x onerror=alert(document.cookie)>,test. This shows that the validation checked only one of the duplicate values (the clean one), while the stored value was both values joined with a comma; that mismatch between what is validated and what is stored is what makes the parameter pollution effective.

Execution: I visited the "create users" functionality and created a user with the role I had just created. When I then clicked the edit button associated with that user — BOOM! — the XSS payload executed, and I had bypassed the input validation via HTTP parameter pollution.
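To make the validation/storage mismatch concrete from the defender's side, here is an added Python example that is not part of the original write-up and not the target application's code. It reconstructs a hypothetical flawed handler (validate the last "role_name" value, store the comma-joined list of all values), places a hardened handler beside it (reject duplicate parameters, validate the single value), and adds output encoding as defence in depth. The request body is the one shown above, embedded as a constructed sample; the regex is an assumed reading of "Only words and numbers are allowed" (ASCII letters, digits and underscore), and all function names are invented for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed request bodies. POLLUTED_BODY reproduces the duplicate-parameter
# shape from the write-up; CLEAN_BODY is a normal single-value request.
POLLUTED_BODY = "role_name=<img+src=x+onerror=alert(document.cookie)>&role_name=test"
CLEAN_BODY = "role_name=auditor"

# Assumed interpretation of "Only words and numbers are allowed".
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def duplicated_parameters(body: str) -> list:
    """Names that occur more than once in a form body. Useful as a logging or
    WAF signal: legitimate clients rarely send the same field twice."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items() if len(values) > 1)


def vulnerable_create_role(body: str) -> dict:
    """Hypothetical reconstruction of the flawed handler.

    The validation looks at one element of the value list, but storage
    stringifies the whole list, so a polluted request passes the check and
    still persists the unvalidated value."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("role_name", [])
    if not values:
        return {"status": 400, "error": "role_name is required"}
    # Only the last occurrence is validated ("test" in the polluted request)...
    if not ROLE_NAME_RE.match(values[-1]):
        return {"status": 400, "error": "Only words and numbers are allowed."}
    # ...while the stored name is every occurrence joined with a comma.
    return {"status": 200, "role_name": ",".join(values)}


def hardened_create_role(body: str) -> dict:
    """Fixed handler: a scalar field must be supplied exactly once, and the
    value that is validated is the same value that is stored."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("role_name", [])
    if len(values) != 1:
        return {"status": 400, "error": "role_name must be supplied exactly once"}
    role_name = values[0]
    if not ROLE_NAME_RE.match(role_name):
        return {"status": 400, "error": "Only words and numbers are allowed."}
    return {"status": 200, "role_name": role_name}


def render_role_cell(role_name: str) -> str:
    """Output encoding for the edit-user page. Even if a bad value reached
    storage, it is rendered as text rather than markup."""
    return f"<td>{html.escape(role_name, quote=True)}</td>"


if __name__ == "__main__":
    print("duplicates:", duplicated_parameters(POLLUTED_BODY))
    print("vulnerable:", vulnerable_create_role(POLLUTED_BODY))
    print("hardened:  ", hardened_create_role(POLLUTED_BODY))
    stored = vulnerable_create_role(POLLUTED_BODY)["role_name"]
    print("encoded:   ", render_role_cell(stored))
```

The hardened handler fixes the root cause (validation and storage now operate on one and the same value), while `render_role_cell` covers the second failure in the write-up, the edit page rendering the stored name as raw HTML. Rejecting duplicate scalar parameters outright is preferable to silently picking one, because different layers (WAF, framework, ORM) may each pick a different occurrence.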