Increasing HTTP request size can be used as a bypass technique for most WAFs currently in use today. This technique exploits the limitation of WAFs in handling large request sizes, allowing hackers to sneak malicious payloads past the WAF protection. Placing a WAF in front of a vulnerable application may provide a false sense of security if the WAF is not configured to handle such large request sizes effectively. This bypass technique highlights the importance of proper WAF configuration and the need for additional security measures to protect web applications from sophisticated attacks. @assetnote's work sheds light on this critical vulnerability and emphasizes the continuous effort required to enhance WAF protection.
Check out the original tweet here: