Evasive techniques

When security controls are in place, such as a WAF that scans requests for common attack patterns, input validation that restricts the type of input accepted, or a rate limit that caps how many requests can be sent, the following steps can be used to get a payload past them:

  1. Add string terminators to attacks

  2. Add case switching to attacks

  3. Encode payloads

  4. Combine different evasion techniques

  5. Rinse and repeat

  6. Apply evasive techniques to all attacks
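The defender's view of steps 1 to 4, as an added example that is not part of the original page: a literal, case-sensitive signature check misses the same token once it is mixed-case, URL-encoded (once or twice) or split by a NUL terminator, while canonicalizing the value the way the back end will see it before matching catches all of those variants, including combinations. The `<script` signature and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature for the demo (assumption, not from the original page).
SIGNATURES = ("<script",)


def naive_match(value: str) -> bool:
    """Literal, case-sensitive check on the raw request value (the weak rule)."""
    return any(sig in value for sig in SIGNATURES)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Normalize the value before matching, mirroring what the back end decodes.

    - URL-decode repeatedly (bounded) so double-encoding cannot hide a token
    - drop NUL and other control bytes used as in-band string terminators
    - case-fold so mixed case does not defeat a case-sensitive rule
    """
    prev, rounds = None, 0
    while prev != value and rounds < max_rounds:
        prev, value = value, unquote(value)
        rounds += 1
    value = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", value)
    return value.casefold()


def hardened_match(value: str) -> bool:
    """Same signature list, applied to the canonical form."""
    return naive_match(canonicalize(value))


# Constructed sample inputs: plain token, case switch, single and double
# URL encoding, a NUL terminator inside the token, a combination, and benign text.
SAMPLES = [
    "<script>",
    "<ScRiPt>",
    "%3Cscript%3E",
    "%253Cscript%253E",
    "<scr%00ipt>",
    "%3CsCr%00IpT%3E",
    "hello world",
]


def evaluate() -> dict:
    """Return {sample: (naive_result, hardened_result)} for every sample."""
    return {s: (naive_match(s), hardened_match(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (naive, hardened) in evaluate().items():
        print(f"{sample!r:22} naive={naive!s:5} hardened={hardened}")
```

The bounded decode loop matters: an unbounded one lets a crafted value keep the filter busy, and one that stops after a single pass still misses a double-encoded token.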