Bypassing WAF Rules in Cache Deception Attacks

Why Your Cache Deception Payloads Get Blocked and How to Adapt Them

Ibtissam hammadi

~3 min read · October 19, 2025 (Updated: October 19, 2025) · Free: Yes

Introduction:

You find a perfect endpoint. You craft a simple .css payload for a Web Cache Deception WAF attack. You send the request, and... it's blocked.

Sound familiar?

This isn't another basic guide. This is a look at how to adapt when a Web Application Firewall (WAF) is in your way. We'll explore simple ways to evade the security systems designed to stop us.

How the WAF Spots Your Tests

A WAF isn't magic. It follows rules. For Cache Deception Bypass, it looks for clear patterns:

Sensitive Paths + Extensions: A request for /admin/style.css is a huge red flag.
Static Files in Wrong Places: A .js file requested from a /user directory looks suspicious.
Obvious Header Tricks: Headers like X-Forwarded-Host are often monitored.

Understanding this is the first step to Bypassing WAF Rules.

Simple WAF-Bypass Payloads

The goal is to change the request so the WAF sees something safe, but the cache and server see something different. This is the heart of Cache Key Injection.

Obfuscation & Encoding Hide the pattern from the WAF.

Double Encoding:

/admin%252Fprofile.css

The WAF might decode it once and let it pass, while the server decodes it fully.

Parameter Tricks Mix up the query to confuse the logic.

Cache-Busting Parameters:

/user/profile?view=default&resource=style.css

The WAF might check view, but the cache uses the entire URL as the key.

Path Confusion Use special characters to break the WAF's parser.

The Semicolon Trick:

/user/account;/style.css

The WAF sees a path, but the server might interpret style.css as a parameter.

A Real-World Example: From Blocked to Bypass

Let's walk through a quick find.

The Find: A user profile page at /account/settings
The Block: Adding profile.css was stopped by the Cloudflare WAF
The Bypass: Using parameter pollution: /account/settings?theme=dark&file=profile.css
The Result: WAF Bypassed! The cache stored the sensitive settings page as a CSS file

This simple shift from a path-based to a parameter-based approach made all the difference.

A Quick Check for Your Targets

You can test this idea at scale with a simple command. It looks for endpoints and tests a basic semicolon payload.

echo "target.com" | waybackurls | grep -i "account\|profile" | sed 's/$/\/;test.css/' | httpx -silent

A Note for Developers: Building Stronger Defenses

For those building applications, understanding these tricks is key to defense. This isn't just about WAF Cache Poisoning; it's about architecture.

Be Specific: Clearly define which paths can serve static content.
Tune Cache Keys: Configure your CDN to ignore unpredictable query parameters.
Separate Content: Host static files on a completely different subdomain.

Conclusion:

Bypassing WAF Rules is a creative process. It's about understanding how the system works and gently nudging it, rather than forcing your way through.

As defenses evolve, so do the techniques. The key is to continually learn and adapt.

#cybersecurity #bug-bounty #infosec #vulnerability #penetration-testing