BIPI

WAF Bypass Techniques: Getting Past ModSecurity, Cloudflare, and AWS WAF

Cybersecurity

WAFs stop script kiddies and catch 80 percent of automated scanners. They reliably fail against a prepared attacker who understands how rules are written. A systematic approach to WAF bypass for authorised assessments.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 14, 2025 · 10 min read

#waf-bypass #web-security #pentesting #modsecurity #sqli

A WAF is a regex-and-signature engine running in front of your application. Every rule was written after someone found a bypass for the previous rule. The game is understanding what the current ruleset does not pattern-match. That knowledge is not secret — it is in the public ModSecurity Core Rule Set changelog and the WAF bypass databases maintained by every bug bounty hunter.

Fingerprinting the WAF

Before attempting bypasses, identify what you are dealing with. Send a deliberately malicious payload and examine the block response: HTTP status code (403, 406, 444, 999), response body text, custom headers (CF-RAY for Cloudflare, X-AMZ-RequestId for AWS WAF). Wafw00f automates this fingerprinting. Knowing the vendor allows you to look up known bypass patterns for that specific product.

SQL Injection Bypass Techniques

  • Case variation: SeLeCt — most WAFs normalise, but older rules are case-sensitive.
  • Comment injection: SE/**/LECT, SELECT/*!32302 1*/FROM — inline comments parsed by MySQL but not all WAF parsers.
  • URL encoding: %53%45%4C%45%43%54 — double encoding: %2553%2545%254C.
  • HTTP parameter pollution: ?id=1&id=UNION SELECT — backend concatenates, WAF checks individually.
  • Chunked transfer encoding: send payload split across multiple chunks — some WAFs do not reassemble.
  • JSON operator injection: {"id": {"$gt": 0}} for MongoDB, bypasses SQLi rules entirely.
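The first five items above share one defensive lesson: a rule that matches the raw parameter bytes is beaten by any of them, while the same rule applied after canonicalisation (repeated URL-decoding, comment stripping, case folding, evaluating duplicate parameters the way the backend will) is not. The following is an added illustration written for this article, not code from the original post; the keyword rule, the sample values and the assumption that the backend joins duplicate parameters with a space are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed rule, matched as a plain substring because comment stripping
# (below) can glue tokens together, e.g. "SELECT/**/1" -> "select1".
KEYWORD = re.compile(r"union|select")


def strip_comments(value: str) -> str:
    """Drop inline comments the way the database will read them: the body of
    a MySQL conditional comment /*!NNNNN body*/ is executed, so it is kept;
    an ordinary /* ... */ is removed, which reassembles SE/**/LECT."""
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.DOTALL)
    return re.sub(r"/\*.*?\*/", "", value, flags=re.DOTALL)

def canonicalise(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (so %2553 -> %53 -> S is
    caught), strip comments, collapse whitespace and fold case."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = strip_comments(value)
    return re.sub(r"\s+", " ", value).strip().lower()

def raw_match(value: str) -> bool:
    """A rule applied to the raw parameter: what every item in the list evades."""
    return re.search(r"\bSELECT\b", value) is not None

def canonical_match(value: str) -> bool:
    """The same keyword rule applied after canonicalisation."""
    return KEYWORD.search(canonicalise(value)) is not None

def inspect_query(query: str) -> dict:
    """Per parameter, run the canonical rule on the backend's view of it.
    Assumption (constructed here): the backend joins duplicate parameters
    with a space, so duplicates are judged together, not one at a time."""
    params = parse_qs(query, keep_blank_values=True)
    return {name: canonical_match(" ".join(vals)) for name, vals in params.items()}


if __name__ == "__main__":
    for sample in ("SeLeCt", "SE/**/LECT", "SELECT/*!32302 1*/FROM",
                   "%53%45%4C%45%43%54", "%2553%2545%254C%2545%2543%2554"):
        print(f"{sample:32} raw={raw_match(sample)!s:5} canonical={canonical_match(sample)}")
    print(inspect_query("id=1&id=UNION SELECT"))  # {'id': True}
```

ModSecurity exposes the same idea as per-rule transformations (`t:urlDecodeUni`, `t:removeComments`, `t:lowercase`); a rule that runs without them is the one these list items are written against.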

XSS WAF Bypass

The most reliable XSS bypasses exploit the browser's parser rather than the WAF's regex. Mutation XSS (mXSS) payloads look safe to the WAF but mutate into executable form after the HTML parser processes them. Template literal abuse in modern JavaScript contexts also evades most WAF rules because the backtick character is rarely blocked.

The goal of WAF bypass testing is not to prove the WAF is useless. It is to identify which vulnerability classes the WAF does not reliably block and ensure those classes are also defended in the application layer.

Path Traversal and LFI Bypass

Classic ../../../etc/passwd is blocked by every WAF. Bypass vectors include: URL encoding (..%2F..%2F), double encoding (%252F), unicode normalization (..%c0%af), null byte (%00 before extension), and path segment encoding (....//....//). Java Tomcat historically accepted /..;/ as a path separator. Test each encoding against the specific server technology.

HTTP Protocol-Level Bypasses

WAFs inspect specific HTTP versions and content types. Sending a payload as HTTP/2 when the WAF was tuned for HTTP/1.1 requests sometimes causes inspection to be skipped. Changing Content-Type from application/json to text/json or application/x-www-form-urlencoded while keeping the JSON body passes the body through uninspected by WAFs that only parse declared content types. H2C smuggling can route requests directly to the backend, bypassing the WAF entirely.

  • 62% of WAF-protected applications have their origin IP discoverable via passive DNS.
  • 3 min: average time to fingerprint a WAF vendor using wafw00f and response analysis.
  • 0 WAF vendors whose managed rules block all known SQLi bypass variants simultaneously.
