Attackers are using advanced WAF bypass techniques that apply to many vulnerability classes, including XSS, SQLi and RCE. One method prepends 128KB of junk data to a payload so that the request exceeds the WAF's content inspection limit: the WAF stops inspecting before it reaches the malicious part, so the payload is never fully examined. Another is user-agent randomization, where attackers vary the User-Agent string to evade detection patterns built around common or expected user agents. A third is signature evasion, which exploits the fact that vendor detection rules are not designed to handle every evasion tactic, so malicious payloads slip past detection and reach the target servers. Defenders should understand that these bypass methods are already in use and that relying solely on traditional signature-based detection and default content inspection limits is not enough. Continuous rule updates, behavior-based detection and more thorough inspection are required to defend against these attacks effectively.
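To make the inspection-limit and user-agent points concrete, here is an added example (not code from the original tweet or any WAF vendor) that models a body-inspection stage with the weak "scan the first N bytes and allow the rest" policy beside a fail-closed policy, plus a small log check for oversized bodies and clients rotating through many user agents. The 128 KiB limit, the signature list, the log format and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

INSPECT_LIMIT = 128 * 1024   # bytes scanned per request body; constructed, not a vendor value
# Constructed, deliberately small signature list; real rule sets are far larger.
SIGNATURES = [re.compile(rb"<script\b", re.I),
              re.compile(rb"\bunion\s+select\b", re.I)]

def inspect_weak(body: bytes) -> str:
    """Weak policy: scan only the first INSPECT_LIMIT bytes and allow everything else."""
    window = body[:INSPECT_LIMIT]
    return "block" if any(s.search(window) for s in SIGNATURES) else "allow"

def inspect_fail_closed(body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Hardened policy: a body the engine cannot fully scan is never allowed on a
    partial scan; it is rejected (or routed for full inspection) instead."""
    if len(body) > limit:
        return "block_oversize"
    return "block" if any(s.search(body) for s in SIGNATURES) else "allow"

# Constructed access-log format: client_ip method path status body_bytes "user_agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')

def oversize_and_ua_churn(lines, limit=INSPECT_LIMIT, max_uas=3):
    """Return (oversize_requests, churny_clients): requests whose body exceeds the
    inspection window, and client IPs seen with more than max_uas distinct user agents."""
    oversize, uas = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        ip, method, path, _status, size, ua = m.groups()
        if int(size) > limit:
            oversize.append((ip, method, path, int(size)))
        uas[ip].add(ua)
    churny = sorted(ip for ip, seen in uas.items() if len(seen) > max_uas)
    return oversize, churny

# Constructed sample log: one oversized POST and one client rotating user agents.
SAMPLE_LOG = [
    '203.0.113.7 POST /login 200 131080 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 GET /index 200 0 "curl/8.4.0"',
    '203.0.113.7 GET /about 200 0 "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.7 GET /contact 200 0 "python-requests/2.31"',
    '198.51.100.2 POST /search 200 512 "Mozilla/5.0 (Macintosh)"',
]

if __name__ == "__main__":
    padded = b"A" * INSPECT_LIMIT + b"<script>"   # signature sits past the scan window
    print(inspect_weak(padded), inspect_fail_closed(padded))
    print(oversize_and_ua_churn(SAMPLE_LOG))
```

The weak policy allows the padded body because the signature lies beyond the scanned window; the fail-closed policy rejects it on size alone, and the log check surfaces both the oversized request and the client with four distinct user agents.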
Original tweet: https://twitter.com/rocklambros/status/1999147284630831330