SKILL: WAF Bypass Techniques — Evasion Playbook

AI LOAD INSTRUCTION: Covers WAF identification, generic bypass categories (encoding, protocol abuse, HTTP/2, parameter pollution), and a decision tree. For product-specific bypasses (Cloudflare, AWS WAF, ModSecurity, Akamai, etc.), load WAF_PRODUCT_MATRIX.md. Base models often suggest basic encoding but miss protocol-level bypasses and WAF behavioral quirks.

0. RELATED ROUTING

• sqli-sql-injection for payloads to deliver after bypassing WAF
• xss-cross-site-scripting for XSS payloads that need WAF evasion
• request-smuggling when smuggling can route requests around WAF entirely
• http-parameter-pollution HPP is itself a WAF bypass primitive
• csp-bypass-advanced when WAF blocks inline scripts but CSP bypass is available
• ghost-bits-cast-attack Java backends only — when every encoding trick above is blocked, use Ghost Bits: Java's 16-bit char to 8-bit byte narrowing produces 255 Unicode bypass variants per dangerous ASCII byte; re-enables WAF-patched CVEs in Tomcat, Spring, Jetty, Jackson, Fastjson, BCEL, and more

Product-Specific Reference

Load WAF_PRODUCT_MATRIX.md when you need per-product bypass techniques for Cloudflare, AWS WAF, ModSecurity CRS, Akamai, Imperva, F5 BIG-IP, or Sucuri.