WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls

📅 2025-03-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work exposes systematic WAF bypass vulnerabilities arising from HTTP parsing inconsistencies—particularly divergent header and body parsing behaviors between WAFs and backend servers. We propose RFC-compliant, targeted fuzzing to systematically uncover parsing ambiguities across mainstream content types (JSON, XML, multipart). Our evaluation of five major commercial WAFs—including Cloudflare and AWS—yields 1,207 reproducible bypasses; large-scale internet scanning further reveals parsing incompatibilities in over 90% of websites for `application/x-www-form-urlencoded` and `multipart` requests. To address the root cause, we introduce HTTP-Normalizer, a transparent proxy that enforces standardized request normalization prior to WAF inspection, eliminating parsing discrepancies. The findings have been acknowledged by all affected vendors and led to multiple high-severity CVEs with CVSS scores ≥ 9.0.

📝 Abstract
Web Application Firewalls (WAFs) have been introduced as essential and popular security gates that inspect incoming HTTP traffic to filter out malicious requests and provide defenses against a diverse array of web-based threats. Evading WAFs can compromise these defenses, potentially harming Internet users. In recent years, parsing discrepancies have plagued many entities in the communication path; however, their potential impact on WAF evasion and request smuggling remains largely unexplored. In this work, we present an innovative approach to bypassing WAFs by uncovering and exploiting parsing discrepancies through advanced fuzzing techniques. By targeting non-malicious components such as headers and segments of the body and using widely used content-types such as application/json, multipart/form-data, and application/xml, we identified and confirmed 1207 bypasses across 5 well-known WAFs: AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity. To validate our findings, we conducted a study in the wild, revealing that more than 90% of websites accepted both application/x-www-form-urlencoded and multipart/form-data interchangeably, highlighting a significant vulnerability and the broad applicability of our bypass techniques. We have reported these vulnerabilities to the affected parties and received acknowledgments from all, as well as bug bounty rewards from some vendors. Further, to mitigate these vulnerabilities, we introduce HTTP-Normalizer, a robust proxy tool designed to rigorously validate HTTP requests against current RFC standards. Our results demonstrate its effectiveness in normalizing or blocking all bypass attempts presented in this work.
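The mitigation the abstract describes is a proxy that refuses requests whose framing a WAF and a backend could read differently. The following is an added illustration of that idea, written for this page; it is not the authors' HTTP-Normalizer and does not reproduce any of the paper's bypasses. It assumes a request is represented as a list of (header name, value) pairs plus a body, and it applies a deliberately conservative subset of the RFC 9110 media-type grammar and the RFC 2046 boundary grammar: exactly one Content-Type header, a well-formed media type and parameters, and a body that actually parses under the declared type. Anything ambiguous is blocked before it reaches the WAF, so the WAF and the backend can only ever see one interpretation. The function and constant names are this example's own.

```python
"""Illustrative pre-WAF request normalizer (added example, not the paper's tool).

Blocks requests whose Content-Type is missing, duplicated, malformed, or
inconsistent with the body, so that the WAF and the origin server cannot
disagree about how to parse the request.
"""
import json
import re
import xml.etree.ElementTree as ET

# RFC 9110 token characters; used for type/subtype and parameter names/values.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_TYPE_RE = re.compile(rf"^({_TOKEN})/({_TOKEN})$")
PARAM_RE = re.compile(rf'^({_TOKEN})=({_TOKEN}|"[^"]*")$')
# Conservative subset of RFC 2046 bchars (space deliberately excluded), 1-70 chars.
BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=?]{1,70}")
# Percent-encoded form bodies: nothing outside the urlencoded alphabet.
FORM_BODY_RE = re.compile(rb"[A-Za-z0-9*\-._+%=&]*")

SUPPORTED_TYPES = {
    "application/json",
    "application/xml",
    "multipart/form-data",
    "application/x-www-form-urlencoded",
}


def parse_content_type(value: str):
    """Parse a Content-Type value into (lowercased media type, {param: value}).

    Raises ValueError on anything that is not unambiguously well-formed.
    ';' is not a legal boundary character, so splitting on it is safe here.
    """
    parts = [p.strip() for p in value.split(";")]
    if not MEDIA_TYPE_RE.match(parts[0]):
        raise ValueError(f"malformed media type: {parts[0]!r}")
    params = {}
    for p in parts[1:]:
        m = PARAM_RE.match(p)
        if not m:
            raise ValueError(f"malformed parameter: {p!r}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = m.group(2).strip('"')
    return parts[0].lower(), params


def normalize(headers, body: bytes):
    """Return ("allow", reason) or ("block", reason) for one request."""
    ctypes = [v for (n, v) in headers if n.lower() == "content-type"]
    if not body:
        return ("allow", "no body to interpret")
    if len(ctypes) != 1:
        # Two parsers may pick different headers; refuse the ambiguity outright.
        return ("block", f"expected exactly one Content-Type header, got {len(ctypes)}")
    try:
        mtype, params = parse_content_type(ctypes[0])
    except ValueError as exc:
        return ("block", str(exc))
    if mtype not in SUPPORTED_TYPES:
        return ("block", f"unsupported media type {mtype}")

    if mtype == "application/json":
        try:
            # json.loads rejects trailing data, so "{} garbage" is blocked too.
            json.loads(body.decode(params.get("charset", "utf-8")))
        except (ValueError, LookupError) as exc:
            return ("block", f"body is not valid JSON: {exc}")
    elif mtype == "application/xml":
        try:
            # Production deployments should also cap entity expansion and depth.
            ET.fromstring(body)
        except ET.ParseError as exc:
            return ("block", f"body is not well-formed XML: {exc}")
    elif mtype == "multipart/form-data":
        boundary = params.get("boundary")
        if not boundary or not BOUNDARY_RE.fullmatch(boundary):
            return ("block", "missing or malformed multipart boundary")
        delim = b"--" + boundary.encode("ascii")
        if not body.startswith(delim) or not body.rstrip(b"\r\n").endswith(delim + b"--"):
            return ("block", "multipart body does not open and close with the declared boundary")
    elif mtype == "application/x-www-form-urlencoded":
        if not FORM_BODY_RE.fullmatch(body):
            return ("block", "form body contains bytes outside the urlencoded alphabet")
    return ("allow", f"body consistent with declared {mtype}")


if __name__ == "__main__":
    # Constructed sample: a form-urlencoded declaration carrying a multipart-shaped body.
    hdrs = [("Content-Type", "application/x-www-form-urlencoded")]
    print(normalize(hdrs, b"--b1\r\nContent-Disposition: form-data; name=q\r\n\r\nx\r\n--b1--"))
```

The check is intentionally strict rather than permissive: a normalizer placed in front of a WAF gains nothing by being clever about malformed input, because every lenient guess it makes is a second interpretation the origin server may not share.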
Problem

Research questions and friction points this paper is trying to address.

Exploiting parsing discrepancies to bypass Web Application Firewalls.
Identifying vulnerabilities in WAFs using advanced fuzzing techniques.
Introducing HTTP-Normalizer to mitigate WAF bypass vulnerabilities.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Exploits parsing discrepancies to bypass WAFs
Uses advanced fuzzing techniques for vulnerability discovery
Introduces HTTP-Normalizer to mitigate bypass vulnerabilities