I just uncovered a crazy WAF bypass today.

Case: File Upload (.php blocked)

/?file=xx.php <- Blocked
/?file===xx.php <- Bypassed

The file got uploaded successfully.

I’m kinda still in a dilemma how it worked, but it does open up new possibilities around WAF bypassing. 😄