As we have discussed previously, evading detection can be a challenge. As with the other methods, success will depend on how the administrator has configured the policy. There are excellent references on the Internet you can use to see whether your obfuscation technique will work. ModSecurity, the free and open source WAF, provides a site where you can test a string to see whether a WAF might detect it. You will find the site at http://www.modsecurity.org/demo.html.
Once the site has opened, you will see that they have a list of websites that many of the commercial vendors use to demonstrate their tools. An example of this is shown in the following screenshot:
Click on the ModSecurity CRS Evasion Testing Demo link on the page. This tests the string against the Core Rule Set signatures of the ModSecurity tool, and the page provides an area where you can enter a potentially obfuscated script to see whether it is detected. Not only does it tell...