The tweet describes a SQL injection finding behind an Oracle WAF, triggered by appending a single quote to a query parameter value (?param=xyz'). The endpoint with parameters was located using dorking. Despite the WAF having multiple restrictions, the bypass was achieved, leading to an SQL error in the response. The finding was part of a $4,450 payout covering five reports on HackerOne. For more technical details, visit the HackerOne report. #SQLInjection #WAFBypass #OracleWAF
Yay! I was awarded $4,450 bounty for 5 reports (Jan–Feb) on @HackerOne.
Oracle SQL Injection ($2K) [High] – Found an endpoint with parameters using dorking. Changed ?param=xyz', got an SQL error in response. The WAF had multiple restrictions, making it tough to bypass. 1/n pic.twitter.com/YCM6XQBkUs
— Nishant Bhagat (@Nishantbhagat57) March 12, 2025