Bypassing WAFs Using Oversized Requests
ID: e8dcfd20-9768-55eb-aba8-c0ecd7cc415e
STIX ID: report--e8dcfd20-9768-55eb-aba8-c0ecd7cc415e
Feed Name: Black Hills Infosec Blog
TL;DR — This research article demonstrates an "oversized request bypass" evasion: by sending large amounts of extra data in a POST body, many WAFs (depending on default size limits and modes) may stop inspecting the request and allow malicious payloads (e.g., SQL injection) to reach the backend; the author tests common WAFs, documents default behaviors and size thresholds, and provides hardening recommendations for each vendor.
