mmffkkdd discovered a SQL injection bypass technique in which the SQLi payload is prefixed with JSON syntax to evade detection by certain WAF rules. The technique can be effective in scenarios where the WAF may not detect the SQL injection because of the JSON formatting. It is important for WAF vendors to update their detection mechanisms to account for such evasion techniques.
Original tweet: https://twitter.com/kakpozvonitru/status/1897327504911638762