This bypass technique relies on how many Web Application Firewalls (WAFs) inspect HTTP request bodies, specifically POST, PUT and PATCH requests. Most WAFs scan only a bounded prefix of the body, either by configuration or by design; the exact size varies by vendor and tier (AWS WAF, for example, inspects only the first 8 KB of the body by default on regional resources such as ALB and API Gateway, and exposes an "oversize request handling" setting that decides what happens to bodies larger than that). Anything beyond the inspected window passes through unexamined.

An attacker exploits this by padding the body with harmless alphanumeric junk before the malicious parameter, so that the payload lands past the inspected prefix. The WAF sees only the padding, its rules find nothing to match, and the backend parses the full body, payload included. The technique is generic rather than tied to one product: it can affect AWS WAF, Imperva, Cloudflare, F5, Azure WAF, Google Cloud Armor and others, whenever the WAF's body inspection limit is smaller than the body the backend is willing to accept.

Security teams should look up their WAF's documented body inspection limit, raise it where the product allows, configure oversized bodies to be blocked (or at least logged) rather than passed through, and enforce a request body size limit in the application or reverse proxy itself so that the backend never accepts more than the WAF can inspect.
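The following Python is an added illustration, not code from the original tweet or from any WAF vendor. It simulates a WAF that scans only the first 8 KB of a URL-encoded form body and a backend that parses the whole body, then shows the padded request slipping past the WAF and the oversize-handling setting that stops it. The 8 KB window, the toy SQL-injection signature, and the setting names "continue" and "block" are assumptions chosen for the demo, not any product's real values.

```python
import urllib.parse

# Assumed inspection window, mimicking a WAF that only scans the first 8 KB.
INSPECTION_LIMIT = 8 * 1024

# Deliberately naive signature standing in for a real rule set.
SIGNATURE = "' OR 1=1"


def waf_inspect(body: bytes, limit: int = INSPECTION_LIMIT,
                oversize: str = "continue") -> str:
    """Return 'block' or 'allow'.

    oversize="continue": inspect the first `limit` bytes and pass the rest
                         through unexamined (the weak default this page warns about).
    oversize="block":    refuse any body larger than `limit` outright.
    """
    if len(body) > limit and oversize == "block":
        return "block"
    # Only the prefix is ever decoded and matched; a %XX sequence cut in half
    # at the boundary is simply left as-is by unquote_plus.
    window = urllib.parse.unquote_plus(body[:limit].decode("latin-1"))
    return "block" if SIGNATURE in window else "allow"


def backend_parse(body: bytes) -> dict:
    """The application parses the entire body, with no size limit."""
    return dict(urllib.parse.parse_qsl(body.decode(), keep_blank_values=True))


def build_padded_body(payload: str, pad_len: int) -> bytes:
    """Constructed attacker request: junk parameter first, payload last.

    dict order is preserved by urlencode, so 'pad' precedes 'user' in the body.
    """
    return urllib.parse.urlencode({"pad": "A" * pad_len, "user": payload}).encode()


def simulate(payload: str, pad_len: int, oversize: str = "continue"):
    """Run one request through the WAF and, if allowed, the backend."""
    body = build_padded_body(payload, pad_len)
    decision = waf_inspect(body, oversize=oversize)
    seen = backend_parse(body).get("user") if decision == "allow" else None
    return decision, seen


if __name__ == "__main__":
    # Unpadded: the signature sits inside the window and is caught.
    print(simulate("' OR 1=1", 0))           # ('block', None)
    # 9000 bytes of padding push the payload past the 8 KB window.
    print(simulate("' OR 1=1", 9000))        # ('allow', "' OR 1=1")
    # Same request with oversized bodies blocked instead of passed through.
    print(simulate("' OR 1=1", 9000, oversize="block"))  # ('block', None)
```

The third case is the fix the text recommends: treat a body the WAF cannot fully inspect as a block (or at minimum a logged event), and cap body size at the application so the two limits agree.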
For more details, check out the original tweet here: https://twitter.com/the_IDORminator/status/2036528675173159385