A guide for bypassing WAFs/IDS.
For viewing an example of the application of these techniques against real-world WAF scenarios, check out the following post:
https://nzt-48.org/breaking-the-most-popular-wafs
Index
- Probing for SQL injection
- Avoid spaces
- Bypass UNION
- Bypass logical operators
- Bypass comment
- Single-line comment bypass
- Comments between function names and parenthesis
- Conditional statements
- Character selection for blind injections
- Bypass = (Equal sign)
- Bypass WHERE
- Bypass LIMIT, WHERE, HAVING
- Bypass WHERE, CASE WHEN, IF, HAVING, =, RLIKE, LIKE, REGEXP
- Bypass SELECT and FROM
- Bypassing table/column/database identifiers
- Bypass quoted strings
- Parser vulnerabilities