Possible Payload:

%E2%9D%B4{7*7}}

Explanation:

When you enter the expression {{7*7}}, the Web Application Firewall detects and blocks it by replacing the left curly brackets with WAF_BLOCKED. To bypass this sanitization, you can use a visually similar character that the WAF does not consider a threat. For example, the medium left curly bracket ornament ❴ looks similar to the left curly bracket { used in server-side templating systems but does not trigger the regex replacement. The application only accepts US-ASCII characters and will utilize best-fit mapping to convert non-ASCII characters into their closest ASCII equivalents. The medium left curly bracket ornament ❴ will be converted to a regular left curly bracket { when processed by the application. This transliteration process between the WAF and the application code interpreter creates an impedance mismatch where the string inspected by the WAF does not match the modified string processed by the application. Replace the first left curly bracket in your expression with the medium left curly bracket ornament and encode the character using UTF-8 encoding. Enter the encoded expression %E2%9D%B4{7*7}} into the input field to bypass the WAF and perform server-side template injection. With this example payload a successful SSTI would result in the integer value “49” in the html input field. Other visual confusables and mathematical expressions can also be used.

WAF Bypass - Unicode Confusables

WAF Bypass - Unicode Confusables

Description

Goal

Important Notice

Hints

Solution