Skip to main content

9. What WAF bypass techniques are you familiar with?

Architectural Level

  • Discover the server’s real IP address
  • Bypass via same subnet
  • Bypass by having both HTTP and HTTPS services exposed
  • Exploit vulnerabilities on perimeter assets

Protocol Level

  • Chunked transfer encoding with delays
  • Pipeline-based bypass
  • Exploiting uncovered protocol quirks
  • Alternating between POST and GET submissions

Rule Level

  • Encoding bypass
  • Substitution with equivalent symbols
  • Ordinary and inline comments
  • Buffer overflow
  • MySQL black magic
  • Whitelist and static resource bypass
  • File format bypass
  • Parameter pollution