This bypass technique targets the body-inspection limits of modern WAFs (Web Application Firewalls). Different WAFs inspect different amounts of the HTTP request body for malicious content: AWS WAF with an Application Load Balancer (ALB) checks only the first 8KB of the body, F5 XC checks up to 64KB, and Google Cloud Armor checks up to 8KB. Attackers can exploit these limits by filling the start of the request body with irrelevant or junk data, pushing the actual malicious payload beyond the WAF's inspection window. The WAF never sees the payload, so the request passes through the firewall protections uninspected.

To defend against this, security professionals need to know the inspection thresholds of their WAF solutions and consider measures to inspect larger payloads or to add further detection layers. The technique applies universally across vulnerability classes, including XSS, SQL injection and Remote Code Execution, because it defeats the WAF's initial scanning rather than targeting a specific vulnerability.
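As an added example (not code from the original tweet or from any WAF vendor), the following Python shows one origin-side mitigation: refuse any request body that extends past the fronting WAF's inspection window, measured on the bytes actually received rather than on the Content-Length header, so a missing, wrong or chunked-encoded length cannot widen the blind spot. The window sizes are the figures quoted above, assumed to be binary kilobytes; the product keys and function names are hypothetical.

```python
"""Origin-side guard: reject request bodies that extend past the WAF inspection window."""
from typing import Dict, Iterator, Tuple

# Inspection windows as stated in the post. Assumption: 1 KB = 1024 bytes.
# Keys are hypothetical labels chosen for this example.
INSPECTION_WINDOW_BYTES: Dict[str, int] = {
    "aws-waf-alb": 8 * 1024,
    "f5-xc": 64 * 1024,
    "google-cloud-armor": 8 * 1024,
}


def read_bounded_body(chunks: Iterator[bytes], limit: int) -> Tuple[bytes, bool]:
    """Read at most `limit` bytes of a streamed body.

    Returns (data, exceeded). The cap is enforced on bytes received, not on the
    declared length, so the origin never buffers more than the WAF inspected.
    """
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            return bytes(buf[:limit]), True  # stop reading; the tail was never inspected
    return bytes(buf), False


def guard_request(headers: Dict[str, str], chunks: Iterator[bytes], waf: str) -> Tuple[int, str]:
    """Return an (http_status, reason) decision for one request body.

    A body longer than the WAF's window means the WAF did not see its tail, so
    the origin answers 413 instead of trusting a partial inspection.
    """
    limit = INSPECTION_WINDOW_BYTES[waf]
    declared = headers.get("content-length")
    # Fast path: an honest Content-Length above the window is refused before reading.
    if declared is not None and declared.isdigit() and int(declared) > limit:
        return 413, f"declared body {declared} B exceeds {limit} B inspection window"
    body, exceeded = read_bounded_body(chunks, limit)
    if exceeded:
        return 413, f"body exceeded {limit} B window (Content-Length was {declared!r})"
    return 200, f"body {len(body)} B fully within {limit} B inspection window"
```

Where an endpoint legitimately needs larger uploads, route it separately and inspect the full body there rather than raising the cap for the whole application.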
For more details, check out the original tweet here: https://twitter.com/BugBountyCenter/status/2027309294455074855