Encoding parts of the payload is an extremely useful technique for manipulating a firewall into thinking the payload has been terminated. The technique's success depends on finding an encoding format that the WAF "sees" but that the vulnerable application does not decode.

In the image below we can see an example of using the encoding technique. The payload on the left uses the characters /> to trick the WAF into thinking that the img tag has already ended. The WAF then effectively "sees" the payload on the right. Since the WAF "assumes" that the img tag has been terminated, it also assumes that anything that comes after the img tag is not malicious. This results in us successfully bypassing the WAF.

As expected, this technique is extremely effective because it is very difficult for the WAF to understand which encodings the application does and does not decode unless it is specifically configured for each section, which is rarely the case.

In the video below you can watch Brumens' presentation on bypassing WAFs at Nahamcon 2024, where he explains the technique in detail and walks attendees through the related lab linked at the bottom of this page.

Now that you know how you can use encoding techniques to your advantage and seen some examples, you can test your practical skills in the official lab below.