As we have discussed previously, it can be a challenge to evade detection, and this is on these same lines as it will depend on how the administrator has configured the policy. There are excellent references on the Internet you can use to see whether your obfuscation technique will work. The free and open source WAF ModSecurity provides a site where you can test the string to see if it might be detected by a WAF. You will find the site at this location http://www.modsecurity.org/demo.
Once the site has opened, you will see that there is an area to post different strings and see the results. Before you do this, you will also see that they have a list of websites that many of the commercial vendors use to demonstrate their tools. An example of this is shown in the following screenshot:
Click on the ModSecurity CRS Evasion...