The tweet suggests analyzing all inputs for potential injection points by injecting a random canary and then locating where each canary is reflected. Special characters with different types of encoding, such as URL, double URL, and Unicode, are tested to bypass the WAF. This method aims to identify vulnerabilities in the application’s input validation and filtering mechanisms for potential injection attacks.
Check out the original tweet here: