WAF Bypass via Parameter Pollution
PHP internally uses parse_str() to parse parameters, so it sees the chars "[" & "_" as the same. PHP by default will use the last param as valid. In cases where PHP is running on the backend but the front end validates the param, we can smuggle fake params to PHP. #BugBounty

From:
https://twitter.com/PaulosYibelo/status/1425731971188248581
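As an added example (not from the tweet above), a Python model of the name folding it describes, plus a WAF or front-end check that canonicalises parameter names the way PHP does before validating them, so a duplicate hidden behind "[" is caught; the exact folding rules are an assumption stated in the comments.

```python
import re
from urllib.parse import unquote_plus


def php_key(raw_key: str) -> str:
    """Approximate the variable name PHP registers for a raw query-string key.

    Assumption (not stated in the tweet): PHP turns '.', whitespace and an
    unmatched '[' into '_', and a properly closed '[...]' suffix is array
    syntax, so only the base name before it is the variable name.
    """
    key = unquote_plus(raw_key)
    m = re.match(r'^([^\[]*)\[.*\]$', key)
    base = m.group(1) if m else key
    return re.sub(r'[.\s\[]', '_', base)


def parse_like_php(query: str) -> dict:
    """Model parse_str(): names are folded as above and the last occurrence wins."""
    seen = {}
    for pair in query.split('&'):
        if pair:
            k, _, v = pair.partition('=')
            seen[php_key(k)] = unquote_plus(v)
    return seen


def pollution_findings(query: str) -> list:
    """Defender-side check: report PHP names that are reached by more than one raw
    key, or by a raw key spelled differently from the name PHP will register.
    A validator that only looks at raw key spellings misses both cases."""
    by_name = {}
    for pair in query.split('&'):
        if not pair:
            continue
        raw = unquote_plus(pair.partition('=')[0])
        by_name.setdefault(php_key(raw), []).append(raw)
    return [(name, raws) for name, raws in by_name.items()
            if len(raws) > 1 or any(r != name for r in raws)]


# Constructed sample: the front end sees "user_name=alice" and an unknown key,
# while PHP sees a single user_name whose last value wins.
SAMPLE_QUERY = "user_name=alice&user[name=admin"
```

Running `pollution_findings(SAMPLE_QUERY)` flags `user_name` as reached by two raw keys, which is the signal a WAF rule should block or log before the request reaches PHP.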
