This tweet describes a WAF bypass affecting 16 subdomains. The bypass uses a path normalization desynchronization technique: the WAF and the backend normalize request paths differently, so a request that the WAF does not recognise as reaching a protected route is still routed to that route by the backend. This let the attacker access an internal swagger-config endpoint without authentication, which exposed a large number of API routes, including gRPC and OpenAPI specifications. The attacker also discovered internal certificate authorities and was able to perform write operations in the production environment. In short, the bypass exposes sensitive internal services and configurations across many subdomains by exploiting path normalization flaws to circumvent WAF controls; the impact is serious, exposing internal APIs and credentials and allowing unauthorized modifications to production systems.
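As an added illustration (not code from the tweet or from the affected service), the Python below shows the class of mismatch the tweet describes: a rule layer that matches on the raw request path while the backend canonicalizes it first, together with a check that flags such requests in access logs and a hardened rule that decides on the canonical form so both layers agree. The protected prefix and the sample paths are constructed assumptions.

```python
from urllib.parse import unquote

# Hypothetical backend route prefix that requires authentication (constructed).
PROTECTED_PREFIXES = ("/internal",)


def canonicalize(path: str) -> str:
    """Canonicalize a path the way a typical backend router does: percent-decode
    once, drop empty and '.' segments, and resolve '..' (never above root)."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def under_protected(path: str) -> bool:
    """Prefix match that respects segment boundaries ('/internalx' is not '/internal')."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def is_desync(raw_path: str) -> bool:
    """Detection: True when the backend's canonical view of the path lands under a
    protected prefix that a raw-string match (the naive WAF view) did not see."""
    return under_protected(canonicalize(raw_path)) and not under_protected(raw_path)


def waf_allows(raw_path: str, authenticated: bool) -> bool:
    """Mitigation: apply the access rule to the canonical path, not the raw one."""
    if under_protected(canonicalize(raw_path)):
        return authenticated
    return True


if __name__ == "__main__":
    # Constructed sample access-log paths: one benign, two using dot segments.
    samples = ["/public/docs", "/public/../internal/swagger-config",
               "/public/%2e%2e/internal/swagger-config"]
    for p in samples:
        print(f"{p!r:42} canonical={canonicalize(p)!r:28} desync={is_desync(p)}")
```

Running the module prints the canonical form and desync verdict for each constructed sample; in practice the same check can be run over real access logs to find requests whose raw and canonical paths disagree.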
For more details, check out the original tweet here: https://twitter.com/stuub_/status/2040013782794027425