WAF Bypass In Depth

About the Speakers

Robert Chen (@notdeghost) is a 17-year-old CTF player with redpwn, bug hunter, software developer, and full-time high school student. He participates in CTFs and various bug bounty programs in his free time.

Philip Papurt (@ginkoid) is a 16-year-old security researcher, CTF player with redpwn, intern at Emvoice, and high school sophomore. After high school, Philip is interested in pursuing a career in cybersecurity.


As WAFs grow in complexity, they become increasingly resilient to attacks. However, although the level of determination required has greatly risen in recent years, WAFs are always bypassable. We will provide practical insight into how WAFs operate and introduce novel bypass techniques that can make it a piece of cake to demonstrate the impact of cross-site scripting (XSS) vulnerabilities when behind WAFs. Reflected XSS is a valid vulnerability regardless of the presence of a WAF.