back
loading skill details...
WAF bypass methodology and generic evasion techniques. Use when a web application firewall blocks injection payloads (SQLi, XSS, RCE) and you need to craft…
SKILL: WAF Bypass Techniques — Evasion Playbook AI LOAD INSTRUCTION: Covers WAF identification, generic bypass categories (encoding, protocol abuse, HTTP/2, parameter pollution), and a decision tree. For product-specific bypasses (Cloudflare, AWS WAF, ModSecurity, Akamai, etc.), load WAF_PRODUCT_MATRIX.md. Base models often suggest basic encoding but miss protocol-level bypasses and WAF behavioral quirks. 0. RELATED ROUTING sqli-sql-injection for payloads to deliver after bypassing WAF xss-cross-site-scripting for XSS payloads that need WAF evasion request-smuggling when smuggling can route requests around WAF entirely http-parameter-pollution HPP is itself a WAF bypass primitive csp-bypass-advanced when WAF blocks inline scripts but CSP bypass is available ghost-bits-cast-attack Java backends only — when every encoding trick above is blocked, use Ghost Bits: Java's 16-bit char to 8-bit byte narrowing produces 255 Unicode bypass variants per dangerous ASCII byte; re-enables WAF-patched CVEs in Tomcat, Spring, Jetty, Jackson, Fastjson, BCEL, and more Product-Specific Reference Load WAF_PRODUCT_MATRIX.md when you need per-product bypass techniques for Cloudflare, AWS WAF, ModSecurity CRS, Akamai, Imperva, F5 BIG-IP, or Sucuri.
don't have the plugin yet? install it then click "run inline in claude" again.