Hi Everyone! If you've ever played a CTF, performed a penetration test, or assessed a Web Application Firewall (WAF), you've likely hit this wall:

You discover a command injection. You craft a clean payload. And then BLOCKED.

The filter catches cat. Or /etc/passwd. Or sometimes just the string whoami.

You know the vulnerability is real. You know the command would execute. Yet something in the middle refuses to cooperate.

That "something" and the gap it exposes, is exactly why I built ExecEvasion.

The Problem: Filters Are Everywhere

Modern applications rarely execute user input without some form of inspection. Common defenses include:

• Blacklist-based filters blocking known commands (cat, curl, wget)
• WAF signature rules matching paths like /etc/passwd
• Naive input validation removing "dangerous" characters
• Keyword detection without full parsing or normalization

These controls stop unsophisticated payloads and automated scanners which is valuable.

You've probably seen this meme and expected another "bug bounty tip" that only works on X and LinkedIn.

But no — this time, I'll explain why it works and how it works in practice.

Before diving in, I'd like to give a shout-out to Somdev for his excellent write-up on ModSecurity WAF bypasses. That article helped me explore and validate several of the techniques discussed here.

The Gap That Changes Everything

Let me break it down with a simple demo. These all achieve the same goal reading /etc/passwd but only the plain one screams "suspicious" to a basic filter:

cat /etc/passwd
c''at /et''c/pa''ss''wd
ca""t /e""tc""/p""as""sw""d
\c\a\t /\e\t\c/\p\a\s\s\w\d
c$@at /e$@tc/p$@as$@sw$@d
c$()at /e$()tc/p$()as$()sw$()d
a=cat;b=/etc/passwd;$a $b

And get much more can be found at ExecEvasion.

From a shell's perspective, all of these resolve to the same execution.

From a filter's perspective, they are completely different strings.

This isn't undefined behavior or exploitation of bugs, it's documented shell behavior:

• Quote concatenation
• Escape processing
• Globbing
• Parameter expansion
• Path resolution

Shells normalize first, execute later. Most filters match first, block later.

That order difference matters. This class of bypass is better described as execution evasion, not mere obfuscation.

Enter ExecEvasion

After manually crafting payloads for years, remembering which tricks work on which platforms I realized the real problem wasn't knowledge.

It was repeatability and accuracy.

So I built ExecEvasion.

ExecEvasion is a command execution evasion toolkit that generates bypass payloads based on how shells actually interpret input.

You provide:

• the command
• the target platform
• optionally, blocked keywords

ExecEvasion produces dozens of execution-equivalent variants, automatically.

Try It Yourself: The Practice Challenge

Fire up the included vulnerable Flask app:

git clone https://github.com/dr34mhacks/ExecEvasion
cd challenge
pip install flask
python app.py

# Hit http://127.0.0.1:5000 and bypass the blacklist to read /tmp/flag.txt.

Would love to see your solution, please share with me at linkedin

Why This Matters

Look, I get the concern: "Isn't this arming bad actors?" But these techniques aren't new they're documented in MITRE, OWASP, and forums worldwide. Attackers already use them; defenders need tools to understand and counter them.

ExecEvasion bridges that gap, helping teams test filters, close holes, and build resilient systems. Offensive know-how fuels better defense — it's how we all level up.

The Documentation Deep Dive

Beyond generation, the docs included the "why": shell vs. filter parsing, technique success rates, ASCII/hex tables, Windows env var tricks, and troubleshooting. Inspired by deep dives like Red Canary's on obfuscated files. Master the mechanics, and you'll adapt when stock payloads fail.

Get Started

ExecEvasion is free, open-source, and zero-install just a browser app. Check it out on GitHub:

• Clone and open index.html.
• Punch in commands and generate. Star it, fork it, contribute, let's make it better together.
• It is also live on https://dr34mhacks.github.io/ExecEvasion/

Final Thoughts

We've all stared down a blocked payload, wondering if there's a smarter way. ExecEvasion is my answer, a toolkit forged from those battles, now shared to empower the community. Whether you're hunting bugs, testing defenses, or just learning, it's here to turn roadblocks into breakthroughs.

Before I sign off, if you're digging this security tool vibe, swing by my GitHub for more goodies. Got JWTauditor to sniff out weak spots in JSON Web Tokens, and XSSnow to craft sneaky XSS payloads that slip past filters. Go on, give 'em a spin!

Remember:

"The best filter bypass is the one the filter author didn't think of."