This blog post discusses a recently discovered bypass vulnerability in a Python-based Web Application Firewall (WAF). The vulnerability arises from inconsistent input normalization across different detection layers within the same WAF codebase. Specifically, the SSRF (Server-Side Request Forgery) detection component URL-decodes (normalizes) the input before performing its match checks, so encoded attacks are caught. The path traversal detection component, however, skips this normalization step and matches against the raw input, so the two layers handle the same request differently. This inconsistency creates a security gap: a URL-encoded payload bypasses the path traversal detector while the SSRF detector would still recognize it. The key lesson from this finding is the importance of maintaining a consistent normalization and detection strategy across all WAF modules, so that attackers cannot exploit differences between security layers. Developers and security engineers are advised to regularly compare and test their detection components against each other to ensure uniform behavior and robust protection.
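The discrepancy described above, reduced to a minimal Python model (an added example, not the affected WAF's code): a traversal detector that matches raw input next to a hardened one that normalizes first, and a consistency check that flags inputs on which the two disagree. Pattern lists and function names are assumptions for illustration.

```python
from urllib.parse import unquote

# Constructed, deliberately small signature lists for illustration only.
TRAVERSAL_PATTERNS = ("../", "..\\")
SSRF_PATTERNS = ("127.0.0.1", "localhost", "169.254.")


def normalize(value: str) -> str:
    """Bounded repeated URL-decoding so double-encoded input is seen in its plain form."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect_traversal_raw(value: str) -> bool:
    """Flawed layer: matches the raw string, so an encoded '../' is never seen."""
    return any(p in value for p in TRAVERSAL_PATTERNS)


def detect_traversal(value: str) -> bool:
    """Hardened layer: normalize exactly as the SSRF detector does, then match."""
    return detect_traversal_raw(normalize(value))


def detect_ssrf(value: str) -> bool:
    """SSRF layer as described on the page: normalizes before matching."""
    v = normalize(value).lower()
    return any(p in v for p in SSRF_PATTERNS)


def inspect(value: str) -> dict:
    """Run every layer on the same normalized view of the input."""
    return {"traversal": detect_traversal(value), "ssrf": detect_ssrf(value)}


def normalization_gap(samples) -> list:
    """Regression check: inputs where raw matching and normalized matching disagree.

    A non-empty result means one layer decodes and another does not."""
    return [s for s in samples if detect_traversal(s) != detect_traversal_raw(s)]


# Constructed test corpus: plain, single-encoded, double-encoded and benign paths.
SAMPLES = ["../etc/passwd", "%2e%2e%2fetc%2fpasswd", "%252e%252e%252f", "/safe/path"]

if __name__ == "__main__":
    print("layers disagree on:", normalization_gap(SAMPLES))
```

Running `normalization_gap` over a shared corpus in CI is one concrete way to apply the page's advice of testing detection components against each other.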