This WAF bypass technique is specific to targets that use the fetch API. Where the application behind the web application firewall (WAF) issues its requests through fetch, the bypass can be effective; where it does not, this technique will not work and a different bypass method must be used. Security testers and penetration testers should note this distinction, because how the application issues requests determines which bypass strategies can apply. Always verify the application environment before choosing a technique.
For more insights, check out the original tweet here: https://twitter.com/xssdoctor/status/1963323904975613972