WAF-Bypass - Exclude spaces

This WAF-bypass technique replaces the unnecessary spaces within a payload, making it more difficult for the WAF to detect the keywords and patterns the payload contains.

Payloads such as "; cat /etc/passwd;", "<img src=x onerror=alert(1)>" or "' OR 1=1 --" do not usually need the spaces they contain. In the image below, you can see payloads whose spaces have been replaced by new characters (highlighted in red) that do not alter the payload's structure. This serves as a proof of concept that the spaces are not actually necessary.

Replacing spaces with other characters that fit the payload's structure makes it difficult for the WAF to recognize the individual parts of your payload, such as the keywords its rules look for.
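Seen from the rule author's side, the same point becomes a regression check. This is an added example, not part of the original page or the lab: it tests whether a detection rule fires only while the literal spaces are present. The rule sets, the function names and the U+2423 placeholder separator are all assumptions made for illustration.

```python
import re

# Constructed stand-in for "a non-space separator". U+2423 is only a test
# marker here, not a character claimed to work in any real parser.
PLACEHOLDER = "\u2423"

# The three payloads quoted in the article, spaces intact.
SAMPLES = {
    "cmd": "; cat /etc/passwd;",
    "xss": "<img src=x onerror=alert(1)>",
    "sqli": "' OR 1=1 --",
}

# Hypothetical rules that require whitespace between tokens.
SPACE_BOUND = {
    "cmd": re.compile(r";\s*cat\s+/etc/passwd", re.I),
    "xss": re.compile(r"<img\s+[^>]*\bonerror\s*=", re.I),
    "sqli": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
}

# Hypothetical rewrites: anchor on the tokens and accept any run of
# non-word characters (including none) where a space used to be required.
SEPARATOR_AGNOSTIC = {
    "cmd": re.compile(r"\bcat\b\W*?/etc/passwd", re.I),
    "xss": re.compile(r"<img\b[^>]*?\bonerror\W*=", re.I),
    "sqli": re.compile(r"'\W*or\b\W*\d+\W*=\W*\d+", re.I),
}


def audit(rules):
    """Map rule name -> (matches original, matches space-free variant)."""
    report = {}
    for name, payload in SAMPLES.items():
        respaced = payload.replace(" ", PLACEHOLDER)
        report[name] = (bool(rules[name].search(payload)),
                        bool(rules[name].search(respaced)))
    return report


def space_dependent(rules):
    """Names of rules that fire only while the literal spaces are present."""
    return sorted(n for n, (orig, alt) in audit(rules).items() if orig and not alt)


if __name__ == "__main__":
    for label, rules in (("space-bound", SPACE_BOUND),
                         ("separator-agnostic", SEPARATOR_AGNOSTIC)):
        print(label, "-> rules that depend on spaces:", space_dependent(rules))
```

Looser separators also match more benign input, so measure false positives on real traffic before deploying rules rewritten this way.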

In the video below, you can watch Brumens' presentation on bypassing WAFs at NahamCon 2024, where he explains the technique in detail and walks attendees through the related lab linked at the bottom of this page.

Now that you know how to exclude spaces to bypass WAF filter mechanisms, you can test your practical skills in the lab below.