A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/waf/etc). Not a crazy idea but I don’t think we’ve covered any WAF bypass quite like this on the podcast before. The goal was to access /bin/querybuilder.json (I’m not sure if the .json was part of the endpoint or part of the confusing the Dispatcher) which would lead to access to the host filesystem. This was done by fuzzing the endpoint with various allowed features and parameters until the Dispatcher send the query through. Resuling in a final path along the lines of /bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1