If you're getting 403s on SQLi or XSS payloads, this walks you through the evasion toolkit: wafw00f fingerprinting, encoding tricks (double URL encode, hex, overlong UTF-8), chunked transfer splitting, HTTP/2 binary bypasses, parameter pollution, and path normalization games like semicolon injection for Tomcat. It covers both generic techniques and routes you to a product matrix for Cloudflare, ModSecurity, AWS WAF specifics. The decision tree is practical, the examples are copy-paste ready, and it includes a Ghost Bits reference for Java backends when standard encoding fails. This is the playbook you open when a WAF is eating your test payloads and you need to iterate fast.
npx skills add https://github.com/yaklang/hack-skills --skill waf-bypass-techniques